Friday, January 24, 2020

[ITERIS] - Vantage Velocity Field Unit - No Documented Users, Weak Passwords and Credentials Disclosure - (CVE-2020-9023)


Device Information: 


The "eclipse" and "bluetooth" users are not documented. In addition, these users and "root" have weak credentials.

Affected Versions:
  • 2.4.2
  • 2.3.1


The "Vantage Velocity Field Unit" device has 2 users that are not documented. These users are configured with weak passwords, as is the root user of the device.

Undocumented users are the following:
  • User bluetooth, password bluetooth
  • User eclipse, password eclipse

Root user password: bluetooth


The /etc/shadow file was extracted from the device and then cracked.
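The following is an added example, not part of the original advisory or the vendor's code: a Python check a firmware reviewer could run over an extracted passwd/shadow pair to list password-login accounts that are absent from the documented account list. The file contents, UIDs, shells, hash placeholders and the documented set `{"root"}` are constructed assumptions.

```python
# Added example: list login-capable accounts missing from vendor documentation.
# All sample data below is constructed; the hashes are placeholders, not real.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
HASH_SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
                "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}

def password_state(field):
    """Classify the password field of a shadow (or legacy passwd) entry."""
    if field == "":
        return "empty"                      # no password required at all
    if field[0] in "!*":
        return "locked"                     # password login disabled
    if field.startswith("$"):
        return HASH_SCHEMES.get(field.split("$")[1], "unknown")
    return "descrypt"                       # traditional crypt(3) hash

def undocumented_logins(passwd_text, shadow_text, documented):
    """Return (user, uid, shell, state) for accounts that can log in with a
    password but do not appear in the documented account set."""
    shadow = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2:
            shadow[parts[0]] = parts[1]
    findings = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) < 7:
            continue                        # skip malformed or blank lines
        user, pwfield, uid, shell = f[0], f[1], int(f[2]), f[6]
        # "x" means the hash lives in shadow; a missing entry counts as locked
        field = shadow.get(user, "!") if pwfield == "x" else pwfield
        state = password_state(field)
        if state != "locked" and shell not in NOLOGIN_SHELLS and user not in documented:
            findings.append((user, uid, shell, state))
    return findings

PASSWD = """root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:74:74:sshd:/var/empty:/sbin/nologin
eclipse:x:1000:1000::/home/eclipse:/bin/sh
bluetooth:x:1001:1001::/home/bluetooth:/bin/sh"""
SHADOW = """root:$6$CONSTRUCTED$PLACEHOLDERHASH:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
sshd:!:18000:0:99999:7:::
eclipse:$6$CONSTRUCTED$PLACEHOLDERHASH:18000:0:99999:7:::
bluetooth:$6$CONSTRUCTED$PLACEHOLDERHASH:18000:0:99999:7:::"""
DOCUMENTED = {"root"}                       # assumption: only root is documented

if __name__ == "__main__":
    for finding in undocumented_logins(PASSWD, SHADOW, DOCUMENTED):
        print("undocumented login-capable account:", finding)
```

Any account this reports should either be added to the product documentation with a forced password change on first use, or be locked or removed from the image.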



Cracking passwords with john:

Version 2.3.1 also has the same users.


SSH connection with root and password "bluetooth":


SSH connections with the undocumented users:




CVE-2020-9023

By: @Linuxmonr4

