DSX access panel web interface default credentials VT

peektwice · April 6, 2020, 3:46pm

Here’s another one I’d like to submit for evaluation and inclusion in the community VT feed. This one detects default credentials on DSX access panel serial to ethernet devices. The default credentials, according to the document are either master:master or 123456:123456.

Unfortunately, I could only find the document in the Google cache, thus the link. Anyhow, it appears that the only unauthenticated resources on these devices are /robots.txt and /netburner-logo.gif. I would imagine that to improve the fidelity of detection of these types of devices, you might want to check for the presence of the gif file. The devices don’t give much of a banner to improve detection.

I think the CVSS base score is correct, but I’m sure someone will let me know if it isn’t.

# Copyright (C) 2020 Simmons Foods, Inc.
#
# SPDX-License-Identifier: GPL-2.0-or-later
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.300003");
  script_version("2020-04-06T09:47:49+0000");
  script_tag(name:"cvss_base", value:"6.4");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:N");
  script_tag(name:"last_modification", value:"2020-04-06 09:47:49 +0000 (Mon, 06 Apr 2020)");
  script_tag(name:"creation_date", value:"2020-04-06 09:47:49 +0000 (Mon, 06 Apr 2020)");
  script_category(ACT_ATTACK);
  script_copyright("Copyright (C) 2020 Simmons Foods, Inc.");
  script_family("Default Accounts");
  script_name("DSX Security Access Panel Default Credentials");
  script_dependencies("gb_default_credentials_options.nasl");
  script_require_ports("Services/www", 80);
  script_exclude_keys("default_credentials/disable_default_account_checks");

  script_tag(name:"summary", value:"The DSX access panel is configured with default credentials.");

  script_tag(name:"impact", value:"This issue may be exploited by a remote attacker to gain access to sensitive information or modify system configuration.");

  script_tag(name:"insight", value:"The DSX panel is configured with a default password, which potentiall makes s
ensitive information and actions accessible for people with knowledge of the default credentials.");

  script_tag(name:"vuldetect", value:"Checks if a successful login to the DSX access panel is possible.");

  script_tag(name:"solution", value:"Change the passwords for user and admin access.");

  script_tag(name:"solution_type", value:"Mitigation");
  script_tag(name:"qod_type", value:"remote_vul");

  exit(0);
}

if(get_kb_item("default_credentials/disable_default_account_checks"))
  exit(0);

include("host_details.inc");
include("misc_func.inc");
include("http_func.inc");
include("http_keepalive.inc");

port = 80;

creds = make_array("master", "master", "123456", "123456");

host = http_host_name( dont_add_port:TRUE );
url = "/INDEX.HTM";
res = http_get_cache(port: port, item: url);

# nb: Used by e.g. default_http_auth_credentials.nasl
set_kb_item( name:"www/content/auth_required", value:TRUE );
set_kb_item( name:"www/" + host + "/" + port + "/content/auth_required", value:url );

report = "It was possible to login with the following default credentials: (username:password)";

foreach username(keys(creds)) {
  password = creds[username];
  req = http_get_req(port: port, url: url, add_headers: make_array("Accept-Encoding", "gzip, deflate",
                                        "Authorization", "Basic " + base64(str: username + ":" + password)));
  res = http_send_recv(port:port, data:req, bodyonly:TRUE);

  if( "DSX Access Systems, Inc." >< res) {
    VULN = TRUE;
    report += '\n' + username + ':' + password;
    #Remember any working credentials for other authenticated vulnerability tests
    set_kb_item(name: "dsx/access_panel/credentials", value: username + ":" + password);
  }
}

if(VULN) {
  security_message(port: port, data: report);
  exit(0);
}

exit(99);

peektwice · April 6, 2020, 4:08pm

Censys apparently has one or two of these on the Internet, but they appear to be Netburner and not DSX. I would imagine that the DSX is just a rebranded Netburner. https://censys.io/ipv4?q="netburner-logo.gif"

peektwice · June 5, 2020, 1:49pm

Any update? Community feed inclusion?

_ad · June 11, 2020, 2:42pm

Hi there,

sorry for the late response. I think it just got lost in some stressful project work the last couple of months. I will make sure that this thing will make it’s way into the community feed.

Sorry again, this is not how we wanna treat community contributions.

Cheers,
Ad

peektwice · June 11, 2020, 2:50pm

No worries. I’m glad I could contribute in some small way.

_ad · June 18, 2020, 9:16am

I was able to write a detection based off your vulnerability test. Can you help me verify that my implementation and changes will still work with your findings? You can write a PM to discuss this if you want.

Cheers,
Ad

cfi · July 21, 2020, 7:30am

For the records, the VT should be already in the feed since a few weeks:

Name: DSX Communication Devices Default Credentials (HTTP)
OID: 1.3.6.1.4.1.25623.1.0.112769

Various improvements had to be done before publishing it into the feed including the creation of a “Detection-VT”:

Name: DSX Communication Devices Detection (HTTP)
OID: 1.3.6.1.4.1.25623.1.0.112771