Security Laboratory

Default Passwords

Peter Giannoulis
Summary: Default passwords are an ongoing threat to many organizations. Vendors who ship their products with a standard default username and password combination assume that customers will change it during the initial deployment. Unfortunately, this is often not the case.

System administrators leave devices with their default username and password combinations for a variety of reasons: simply not knowing that the password needs to be changed, or assuming that the perimeter firewall will protect the device from unauthorized access. Neither is a good reason. An attacker who gets onto the network by some other means can then walk straight into these devices, and the firewall does nothing against a worm that is already inside. A bigger issue is that some worms are written to propagate automatically by scanning for systems that still use a default username and password.

System administrators often believe that the default username and password for a particular device are not generally known. This is not the case. There are websites whose purpose is to publish the default username and password combinations for a multitude of vendors' products. The Default Password List[1] maintains an extensive list of these combinations for products from many vendors, including IronPort, Cisco and Check Point. Default Passwords[2] maintains a similar list.
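The same lists that help an attacker also let a defender check their own estate before a worm does. The following is an added example, not code from the article: a small default-credential audit harness in Python. It takes a target list and the documented default credentials per service, tries them, and reports which hosts still accept them, capping attempts per target so the audit cannot trip an account lockout. The network service it talks to is a constructed stand-in with a hypothetical line protocol (`user\npassword\n` answered with `OK` or `FAIL`); in a real audit the checker function would be replaced by protocol-specific ones (MSSQL, MySQL, SSH, HTTP basic auth) and the credential table loaded from the lists above. Run it only against systems you are authorized to test.

```python
"""Default-credential audit harness.

Added example, not code from the article. The service being audited is a
constructed in-process stand-in with a hypothetical line protocol; a real
audit plugs in protocol-specific checkers and the full vendor default lists.
"""
import socket
import socketserver
import threading
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Illustrative entries only; in practice load the vendor lists the article cites.
DEFAULT_CREDS: Dict[str, List[Tuple[str, str]]] = {
    "mssql": [("sa", "")],      # blank sa password, what Voyager Alpha Force probed for
    "mysql": [("root", "")],    # installs that never set an administrator password
}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    username: str
    password: str


# checker(host, port, username, password) -> True if the login was accepted
Checker = Callable[[str, int, str, str], bool]


def audit(targets: List[Tuple[str, int, str]], checker: Checker,
          max_attempts: int = 3) -> List[Finding]:
    """Try each service's default credentials against each (host, port, service).

    max_attempts caps tries per target so the audit itself cannot cause a lockout;
    connection errors count as 'not accepted' instead of aborting the whole run.
    """
    findings: List[Finding] = []
    for host, port, service in targets:
        for user, pw in DEFAULT_CREDS.get(service, [])[:max_attempts]:
            try:
                accepted = checker(host, port, user, pw)
            except OSError:          # refused, unreachable, timed out
                accepted = False
            if accepted:
                findings.append(Finding(host, port, service, user, pw))
                break                # one accepted default is enough to report the host
    return findings


def line_protocol_checker(host: str, port: int, user: str, pw: str,
                          timeout: float = 2.0) -> bool:
    """Checker for the hypothetical line protocol spoken by the stand-in server."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(f"{user}\n{pw}\n".encode())
        reply = sock.makefile("rb").readline()
    return reply.strip() == b"OK"


class _FakeLoginHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for a network service with a login prompt."""

    def handle(self) -> None:
        user = self.rfile.readline().decode(errors="replace").rstrip("\r\n")
        pw = self.rfile.readline().decode(errors="replace").rstrip("\r\n")
        accounts = self.server.accounts  # type: ignore[attr-defined]
        accepted = user in accounts and accounts[user] == pw
        self.wfile.write(b"OK\n" if accepted else b"FAIL\n")


class FakeLoginServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, accounts: Dict[str, str]) -> None:
        super().__init__(("127.0.0.1", 0), _FakeLoginHandler)  # port 0: any free port
        self.accounts = accounts


def start_fake_server(accounts: Dict[str, str]) -> Tuple[FakeLoginServer, int]:
    server = FakeLoginServer(accounts)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def run_demo() -> Tuple[List[Finding], int, int]:
    """Two constructed 'SQL servers': one still on the blank sa default, one hardened."""
    weak, weak_port = start_fake_server({"sa": ""})
    hardened, hard_port = start_fake_server({"sa": "correct horse battery staple"})
    targets = [("127.0.0.1", weak_port, "mssql"), ("127.0.0.1", hard_port, "mssql")]
    try:
        findings = audit(targets, line_protocol_checker)
    finally:
        for srv in (weak, hardened):
            srv.shutdown()
            srv.server_close()
    return findings, weak_port, hard_port


if __name__ == "__main__":
    found, _, _ = run_demo()
    for f in found:
        print(f"{f.host}:{f.port} ({f.service}) accepts default {f.username!r}/{f.password!r}")
```

Only the host that still has the blank `sa` password shows up in the findings; the hardened host and any unreachable port are reported as clean rather than as errors. The `max_attempts` cap matters in practice: a directory-backed service with a three-strike lockout policy will happily lock out a real administrator if an audit sprays an entire default list at it.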

Proof-of-Concept Worms

  • Voyager Alpha Force - In July 2005, Microsoft released an advisory regarding the Voyager Alpha Force worm. The worm scans the Internet for TCP port 1433, the default listening port for Microsoft SQL Server. On discovering a SQL Server, the worm attempts to log in to the sa account with a blank password, the default for that account on older SQL Server installations. If the login succeeded, the worm notified an IRC channel of the discovery and attempted to retrieve and run a program from an FTP server located in the Philippines.[3]
  • Zotob - The Zotob worm exploited the Plug and Play service on Windows 2000 systems, until it was discovered that Windows XP SP1 systems were vulnerable as well. Windows XP SP1 systems with Simple File and Print Sharing configured and the Guest account enabled were exposed to remote exploitation by Zotob. The worm would automatically test these systems for the Guest username and password.[4]
  • MySpooler - The MySpooler worm targeted default installations of the MySQL database engine. MySQL does not require the user to set an administrator password during installation, which leaves the account wide open. If the worm authenticated successfully to a MySQL server, it contacted an IRC server to obtain further instructions on how to propagate. At its peak the worm was infecting roughly 100 hosts per hour; SANS Internet Storm Center Chief Technology Officer Johannes Ullrich stated that more than 8,000 hosts were connected to the IRC server during the first day.[5, 6]
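All three worms share one observable pattern: a single source walks the same default account across many hosts, mostly failing, occasionally succeeding. The following is an added example, not from the article, of detection logic over database logon audit records. The log lines are constructed in the style of the SQL Server errorlog (they are not a real capture), and the internal address ranges are an assumption; adapt the regular expression to whatever your database or syslog pipeline actually emits.

```python
"""Detect a default-account credential sweep in database logon audit lines.

Added example, not from the article. SAMPLE_LOG is constructed in the style of
the SQL Server errorlog; INTERNAL_NETS is an assumed list of internal ranges.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample: one external host walks the sa/blank default (two failures,
# then a success), an internal DBA logs in as sa, an app account fails once.
SAMPLE_LOG = """\
2005-07-05 02:11:04.12 Logon  Login failed for user 'sa'. [CLIENT: 203.0.113.45]
2005-07-05 02:11:05.40 Logon  Login failed for user 'sa'. [CLIENT: 203.0.113.45]
2005-07-05 02:11:06.02 Logon  Login succeeded for user 'sa'. Connection: non-trusted. [CLIENT: 203.0.113.45]
2005-07-05 02:14:19.77 Logon  Login succeeded for user 'sa'. Connection: non-trusted. [CLIENT: 10.0.0.12]
2005-07-05 02:15:33.10 Logon  Login failed for user 'appuser'. [CLIENT: 10.0.0.30]
"""

LOGON_RE = re.compile(
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'.*?\[CLIENT: (?P<ip>[^\]]+)\]"
)

# Assumption: these are the organization's internal ranges.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Vendor default/built-in administrative accounts worth watching.
DEFAULT_ACCOUNTS: Set[str] = {"sa", "root", "admin"}


@dataclass(frozen=True)
class Alert:
    source: str
    severity: str
    reason: str


def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # malformed CLIENT field: treat as untrusted
        return False
    return any(addr in net for net in INTERNAL_NETS)


def detect(log_text: str, fail_threshold: int = 2) -> List[Alert]:
    """One alert per source IP that targets a default account.

    A success from an external source is critical (a default login is usable
    from outside); fail_threshold or more failures is a warning (a sweep in
    progress, which is what the worms above look like from the victim's side).
    """
    per_source: Dict[str, Counter] = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOGON_RE.search(line)
        if m and m["user"] in DEFAULT_ACCOUNTS:
            per_source[m["ip"]][m["outcome"]] += 1

    alerts: List[Alert] = []
    for ip, counts in per_source.items():
        if counts["succeeded"] and not is_internal(ip):
            alerts.append(Alert(ip, "critical",
                                f"default account login succeeded from external host "
                                f"after {counts['failed']} failed attempts"))
        elif counts["failed"] >= fail_threshold:
            alerts.append(Alert(ip, "warning",
                                f"{counts['failed']} failed default-account logins"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a.severity}] {a.source}: {a.reason}")
```

On the constructed sample only 203.0.113.45 is flagged: the internal `sa` login and the `appuser` failure are ignored. Whether an internal `sa` login should also be reported is a policy choice; in an environment where the built-in account is supposed to be disabled after setup, any use of it is worth an alert, and the `is_internal` test can simply be dropped.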

Vendor Specific Default Password Vulnerabilities

  • Cisco MARS - A default password vulnerability in Cisco's Security Monitoring, Analysis and Response System (CS-MARS) was disclosed in January 2006. An account with administrative access, which was never revealed to the end user, had a fixed default password. Exploiting this vulnerability gave an attacker full administrative access to the system.[7]
  • Cisco Wireless Location - The software included with the Cisco Wireless Location appliance ships with a default username and password for the administrator account, which is intended for the initial setup of the device and for later troubleshooting. To correct the issue the user must log in to the appliance and manually set a password for the account; upgrading to the latest release does not currently correct it.[8]

For whatever reason, vendors will continue to ship products with default username and password combinations. It is up to all of us to ensure that the default credentials of any product deployed in our environment are changed before it goes into production, and to verify afterwards that they actually were.

Peter Giannoulis, GSEC, GCIH, GCIA, CISSP, is an information security consultant in Toronto, Ontario, Canada, as well as a Technical Director for the GIAC family of certifications.