Trango Systems hidden default root login (all models)

[Ian Ling <ian () iancaling com>]

[+] Credits: Ian Ling
[+] Website: iancaling.com
[+] Source: http://blog.iancaling.com/post/153011925478/

Vendor:
=================
www.trangosys.com

Products:
======================
All models. Newer versions use a different password.

Vulnerability Type:
===================
Default Root Account

CVE Reference:
==============
N/A

Vulnerability Details:
=====================

Trango devices all have a built-in, hidden root account, with a default 
password that is the same across many devices and software revisions. 
This account is accessible via ssh and grants access to the underlying 
embedded unix OS on the device, allowing full control over it. Recent 
software updates for some models have changed this password, but have 
not removed this backdoor. See source above for details on how the 
password was found.

The particular password I found is 9 characters, all lowercase, no 
numbers: "bakergiga"
Their support team informed me that there is a different password on 
newer devices.

The password I found works on the following devices:

-Apex <= 2.1.1 (latest)
-ApexLynx < 2.0
-ApexOrion < 2.0
-ApexPlus <= 3.2.0 (latest)
-Giga <= 2.6.1 (latest)
-GigaLynx < 2.0
-GigaOrion < 2.0
-GigaPlus <= 3.2.3 (latest)
-GigaPro <= 1.4.1 (latest)
-StrataLink < 3.0
-StrataPro - all versions?

Impact:
The remote attacker has full control over the device, including shell 
access. This can lead to packet sniffing and tampering, bricking the 
device, and use in botnets.


Disclosure Timeline:
===================================
Vendor Notification: October 7, 2016
Public Disclosure: November 10, 2016

Exploitation Technique:
=======================
Remote

Severity Level:
================
Critical

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/