Re: hacking the mitsubishi GB-50A

[Chris Withers <chris () simplistix co uk>]

Steven M. Christey wrote:
> However, if all dip switches are off, the unit can defer to
> configuration as provided via an "Initial Setting Web".

Yeah, I had no idea what this meant either. Same goes for Mitsubishi's 
UK tech support...

> be used to set the IP address (page 13).  There is no statement that
> the tool restricts which address can be set, nor is there a
> recommendation that only local addresses should be used.

Indeed.

> It doesn't seem like much of a stretch that an admin might want to
> modify the address to something other than private addresses.  Whether
> the Initial Setting Web will allow this is another question, but if
> so, then the scope of attack widens considerably.

Yep. I think the manual should really say "this device should be 
connected directly to the ethernet socket of a computer, and that 
computer should have locked down software to prevent unauthorised people 
bypassing the security on the GB-50A".

I find it slightly scary that someone might have one of these on a 
network that controls something like data centre aircon, and that an 
attacker can scan for it trivially (what answers on port 80 with a 200 
to a GET for /en/administrator.html) and turn off all the aircon in the 
data centre...

cheers,

Chris

--
Simplistix - Content Management, Zope & Python Consulting
           - http://www.simplistix.co.uk