So on a recent test I found a few devices: one was a Quantum Scalar i500 and the other was an IBM TS3310. Both are tape libraries.

CVE-2012-1844 states the following: The Quantum Scalar i500 tape library with firmware before i7.0.3 (604G.GS00100), also distributed as the Dell ML6000 tape library with firmware before A20-00 (590G.GS00100) and the IBM TS3310 tape library with firmware before R6C (606G.GS001), uses default passwords for unspecified user accounts, which makes it easier for remote attackers to obtain access via unknown vectors.

The only problem with this is that for me to verify the issue I needed the username and password, neither of which were given. Great, googling didn’t help either.

I was able to get access to the /etc/passwd file using a directory traversal vulnerability (CVE-2012-1841), so I now had a range of users I could target. http://192.168.0.100/logShow.htm?file=/etc/passwd (attempts to get /etc/shadow were failing; I guess the web server doesn’t run as root).
root,bin,daemon,embedded,service,nobody,sshd,ilinkacc

I then used Burp Suite to brute-force the web administrator login page using each of the accounts; this was taking ages due to the response time of the device.

I finally managed to get in using the undocumented account of service with a password of ser001.

Good luck.

To ensure that this password was the factory-set password, I then googled for the password; the only documented place I could find this password was here and here (pg174).

P.S. The service account is not listed in the ManageAccess–>Users page, so it’s a hidden and undocumented backdoor account.
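
For defenders reviewing web logs in front of an affected library, one way to spot the logShow.htm file reads described above. This is an added example, not part of the original post; the Common Log Format input, the `/var/log` base directory and the sample lines are assumptions.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: legitimate logShow.htm reads stay under this directory.
# The device's real log path is not given in the post.
ALLOWED_LOG_DIR = "/var/log"

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')

# Constructed sample lines (documentation addresses), not captured traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2013:10:00:00 +0000] "GET /logShow.htm?file=/var/log/messages HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Jan/2013:10:02:11 +0000] "GET /logShow.htm?file=/etc/passwd HTTP/1.1" 200 812',
    '192.0.2.44 - - [01/Jan/2013:10:02:15 +0000] "GET /logShow.htm?file=/etc/shadow HTTP/1.1" 500 0',
    '192.0.2.44 - - [01/Jan/2013:10:02:30 +0000] "GET /logShow.htm?file=%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 812',
    '192.0.2.10 - - [01/Jan/2013:10:05:00 +0000] "GET /index.htm HTTP/1.1" 200 1024',
]

def resolve(raw, base):
    """Undo nested percent-encoding, then resolve the path against base."""
    for _ in range(5):
        decoded = unquote(raw)
        if decoded == raw:
            break
        raw = decoded
    # join() keeps an absolute path as-is; normpath() collapses ".." segments.
    return posixpath.normpath(posixpath.join(base, raw))

def suspicious_logshow_requests(lines, allowed_dir=ALLOWED_LOG_DIR):
    """Return (client, resolved_path, status) for reads outside allowed_dir."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        if posixpath.basename(url.path).lower() != "logshow.htm":
            continue
        for raw in parse_qs(url.query, keep_blank_values=True).get("file", []):
            path = resolve(raw, allowed_dir)
            if path != allowed_dir and not path.startswith(allowed_dir + "/"):
                hits.append((client, path, int(status)))
    return hits

if __name__ == "__main__":
    for hit in suspicious_logshow_requests(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 means the file was actually served, so those clients are the ones to follow up on first.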
