DSX access panel web interface default credentials VT

Here’s another one I’d like to submit for evaluation and inclusion in the community VT feed. This one detects default credentials on DSX access panel serial to ethernet devices. The default credentials, according to the document are either master:master or 123456:123456.

Unfortunately, I could only find the document in the Google cache, thus the link. Anyhow, it appears that the only unauthenticated resources on these devices are /robots.txt and /netburner-logo.gif. I would imagine that to improve the fidelity of detection of these types of devices, you might want to check for the presence of the gif file. The devices don’t give much of a banner to improve detection.

I think the CVSS base score is correct, but I’m sure someone will let me know if it isn’t.

# Copyright (C) 2020 Simmons Foods, Inc.
#
# SPDX-License-Identifier: GPL-2.0-or-later
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.300003");
  script_version("2020-04-06T09:47:49+0000");
  script_tag(name:"cvss_base", value:"6.4");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:N");
  script_tag(name:"last_modification", value:"2020-04-06 09:47:49 +0000 (Mon, 06 Apr 2020)");
  script_tag(name:"creation_date", value:"2020-04-06 09:47:49 +0000 (Mon, 06 Apr 2020)");
  script_category(ACT_ATTACK);
  script_copyright("Copyright (C) 2020 Simmons Foods, Inc.");
  script_family("Default Accounts");
  script_name("DSX Security Access Panel Default Credentials");
  script_dependencies("gb_default_credentials_options.nasl");
  script_require_ports("Services/www", 80);
  script_exclude_keys("default_credentials/disable_default_account_checks");

  script_tag(name:"summary", value:"The DSX access panel is configured with default credentials.");

  script_tag(name:"impact", value:"This issue may be exploited by a remote attacker to gain access to sensitive information or modify system configuration.");

  script_tag(name:"insight", value:"The DSX panel is configured with a default password, which potentiall makes s
ensitive information and actions accessible for people with knowledge of the default credentials.");

  script_tag(name:"vuldetect", value:"Checks if a successful login to the DSX access panel is possible.");

  script_tag(name:"solution", value:"Change the passwords for user and admin access.");

  script_tag(name:"solution_type", value:"Mitigation");
  script_tag(name:"qod_type", value:"remote_vul");

  exit(0);
}

if(get_kb_item("default_credentials/disable_default_account_checks"))
  exit(0);

include("host_details.inc");
include("misc_func.inc");
include("http_func.inc");
include("http_keepalive.inc");

port = 80;

creds = make_array("master", "master", "123456", "123456");

host = http_host_name( dont_add_port:TRUE );
url = "/INDEX.HTM";
res = http_get_cache(port: port, item: url);

# nb: Used by e.g. default_http_auth_credentials.nasl
set_kb_item( name:"www/content/auth_required", value:TRUE );
set_kb_item( name:"www/" + host + "/" + port + "/content/auth_required", value:url );

report = "It was possible to login with the following default credentials: (username:password)";

foreach username(keys(creds)) {
  password = creds[username];
  req = http_get_req(port: port, url: url, add_headers: make_array("Accept-Encoding", "gzip, deflate",
                                        "Authorization", "Basic " + base64(str: username + ":" + password)));
  res = http_send_recv(port:port, data:req, bodyonly:TRUE);

  if( "DSX Access Systems, Inc." >< res) {
    VULN = TRUE;
    report += '\n' + username + ':' + password;
    #Remember any working credentials for other authenticated vulnerability tests
    set_kb_item(name: "dsx/access_panel/credentials", value: username + ":" + password);
  }
}

if(VULN) {
  security_message(port: port, data: report);
  exit(0);
}

exit(99);
1 Like

Censys apparently has one or two of these on the Internet, but they appear to be Netburner and not DSX. I would imagine that the DSX is just a rebranded Netburner. https://censys.io/ipv4?q="netburner-logo.gif"

Any update? Community feed inclusion?