Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

ProxyView default undocumented password

From: Michael Brown <michaelb () opentext com>
Date: Mon, 27 Jan 2003 21:55:08 -0500 (EST)

-- Summary --
The Replicom ProxyView remote access unit ships with a default Administrator
password for Embedded Windows NT.

Any users with access to communicate with the ProxyView over the NetBIOS port
(TCP/139) can exploit this fact to take over the ProxyView unit.



-- Product details --

From homepage: http://www.replicom.com/


"With ProxyView at the front end of any KVM Switch, multiple servers can
 be locally or remotely accessed in/out-of-band, providing server
 control, through a web based client, even when the network is down.
 
 Using ProxyView, network administrators can access multiple servers
 connected to any KVM Switch through a dial-up modem connection, an
 Internet connection, or across a LAN or WAN. Actions that vary from GUI
 functionality to BIOS-level troubleshooting, administration, and soft
 and hard remote rebooting, are available just as if sitting next to the
 server in the Data-Center."


Really, it's a handy remote access tool. It runs Windows NT embedded and
actually is usable for GUI administration over a modem connection. I just wish
there was an option for a client other than IE under Windows... :)



-- Vulnerability --
The software running on the ProxyView maintains a user database for its client
connections. This database is completely separate from the Windows NT user
database. The ProxyView administrator default password is 'PVremote'. The
documentation advises you to change this password quickly. This is NOT the
problem.

The Administrator account for Embedded Windows NT on the ProxyView has the
default password of "Administrator". Anybody with access to port 139 (Hmmm...
people on the LAN) can login as Administrator and have full control over the
box and consequently console access to the machines the ProxyView is a front
end for. These details are not mentioned anywhere in the documentation.



-- Solution --
1) Generate a new password. :)

2) Using whatever remote registry tool you like (regedit), connect to the
   ProxyView and change the contents of the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

   to the new password you generated in step 1.

3) Using whatever remote user tool you like (usrmgr), connect to the ProxyView
   and change the Administrator password.


WARNING: If the 'autologon' password and the Administrator password are out of
sync, the ProxyView will *not* function after a reboot. You can still access
the unit via NetBIOS to fix the problem though. Provided you haven't lost the
password, so keep it safe! :)



-- Vendor contact --
The vendor was contacted on Nov. 19 2002. The vendor failed to realize the
scope of the problem, however.

M.

-- 
Michael Brown                      | Quis custodiet
Systems Administrator   GPG key:   | ipsos custodes?
michaelb () opentext com   0x527670C0 |
Previous By Date Next
Previous By Thread Next

Current thread: