Security Laboratory

Security Laboratory: Methods of Attack Series

These papers introduce you to the most common attack methods against computer systems and networks and the basic strategies used to mitigate those threats.

The Risk of Default Passwords

By Stephen Northcutt
System administrators leave their devices with default username and password combinations for a variety of reasons: some simply do not know that the password needs to be changed, others assume that their perimeter firewall will protect them from unauthorized access. This is definitely not a good idea, since an attacker who breaks into your network by some other means can then easily gain access to these devices. A bigger issue we are seeing is that some worms are configured to propagate automatically, searching for systems that are still set with a default username and password.

System administrators often believe that the default usernames and passwords for specific devices are not generally known. This is not always the case. There are websites on the Internet that exist specifically to provide the default username and password combinations for a large number of vendors' products. The Default Password List[1] maintains an extensive list of these combinations for products from many different vendors, including IronPort, Cisco and Check Point.

For instance, if you wanted to attempt to gain admin control of a Xerox device, you could try:

Manufacturer  Product             Revision  Protocol  User ID  Password  Access  Comment
------------  ------------------  --------  --------  -------  --------  ------  ----------------------
xerox         xerox               Multi               admin    admin     Admin   No 2004-23-2 2005-13-7
xerox         xerox               Multi               n/a      admin     Admin   No 2004-23-2 2005-13-7
xerox         work centre pro 35            HTTP      admin    1111      Admin

Default Passwords[2] also maintains a similar list.

Proof-of-Concept worms using default passwords

Voyager Alpha Force - In July 2005, Microsoft released an advisory regarding the Voyager Alpha Force worm. The worm scans the Internet for TCP port 1433, the port used by Microsoft SQL Server. Upon discovering a SQL Server instance, the worm would attempt to log in with no password, which is the default for the sa account. If the worm successfully logged in to the database server, it would notify an IRC channel of the discovery and attempt to run a program from an FTP server located in the Philippines.[3]

Zotob - The Zotob worm affected the Plug and Play service on Windows 2000 systems specifically, until it was discovered that Windows XP SP1 systems were vulnerable as well. Windows XP SP1 systems that had Simple File and Print Sharing configured and Guest access enabled were vulnerable to remote exploitation by the Zotob worm. The worm would automatically test these systems for the Guest username and password.[4]

MySpooler - The MySpooler worm targeted default installations of the MySQL database engine. MySQL does not require the user to create an administrator password during installation, which leaves the account wide open. If the worm successfully authenticated to a MySQL server, it contacted an IRC server to obtain further instructions on how it should propagate. At its peak the worm was infecting roughly 100 hosts per hour. SANS Internet Storm Center Chief Technology Officer Johannes Ullrich stated that more than 8,000 hosts were connected to the IRC server during the first day.[5,6]

Vendor specific examples of default passwords

Cisco MARS - A default password vulnerability was discovered in Cisco's Security Monitoring, Analysis and Response System (CS-MARS) in January 2006. The default password belonged to an account with administrative access whose existence was never revealed to the end user. Exploiting this vulnerability would give an attacker full administrative access to the system.[7]

Cisco Wireless Location - The software included with the Cisco Wireless Location appliances ships with a default username and password combination for the administrator account. The vulnerable administrator account was intended for the initial setup of the device and for future troubleshooting tasks. In order to correct this issue the user must log in to the appliance and manually set a password for the account. Upgrading to the latest release currently does not correct the issue.[8]

Oracle systems have probably set the record for default passwords. The best source on the Internet to read about them is Pete Finnigan's site[9]. There has been a proof-of-concept worm for Oracle as well.[10]

The bottom line

For whatever reason, vendors will continue to ship default username and password combinations in their products. It is up to all of us to ensure that the default settings of any product implemented in our environment are changed before that product goes into production.
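The pre-production check this advice calls for, together with the list excerpt shown earlier, can be turned into a simple inventory audit. The following is an added example, not code from the article or from the Default Password List site: it cross-references a constructed asset inventory against default-credential records in a CSV layout chosen here (the real list has its own layout), assumes that an entry whose product equals the vendor name is a vendor-wide default, and never contacts any device; it only produces the list of accounts whose password must be confirmed changed before each asset goes live.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample data: Xerox rows from the article's excerpt; "example-vendor" is a made-up placeholder.
DEFAULT_CREDS_CSV = """vendor,product,protocol,userid,password,access
xerox,xerox,,admin,admin,Admin
xerox,xerox,,n/a,admin,Admin
xerox,work centre pro 35,HTTP,admin,1111,Admin
example-vendor,db appliance 2,HTTP,admin,PLACEHOLDER,Admin
"""
# Constructed asset inventory, as an operations team might export it.
INVENTORY_CSV = """hostname,vendor,product,environment
print-01,Xerox,WorkCentre Pro 35,production
print-02,Xerox,Phaser 8560,staging
db-03,Example Vendor,DB Appliance 2,production
fw-01,Other Corp,Edge 9000,production
"""

def normalize(name: str) -> str:
    """Lower-case and strip punctuation so 'WorkCentre Pro 35' == 'work centre pro 35'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def load_defaults(text: str) -> dict:
    """Map (vendor, product) -> user ids with published defaults. Assumption: a
    row whose product equals the vendor (the first two Xerox rows) is a
    vendor-wide default, keyed as product '*'; user id 'n/a' = password only."""
    defaults = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        vendor, product = normalize(row["vendor"]), normalize(row["product"])
        defaults[(vendor, "*" if product == vendor else product)].add(row["userid"])
    return dict(defaults)

def accounts_to_change(defaults: dict, inventory_text: str) -> dict:
    """Return {hostname: sorted user ids} for every asset whose vendor or exact
    product has published defaults; production assets are listed first."""
    findings = {}
    rows = csv.DictReader(io.StringIO(inventory_text))
    for row in sorted(rows, key=lambda r: r["environment"] != "production"):
        vendor, product = normalize(row["vendor"]), normalize(row["product"])
        hits = defaults.get((vendor, "*"), set()) | defaults.get((vendor, product), set())
        if hits:
            findings[row["hostname"]] = sorted(hits)
    return findings

if __name__ == "__main__":
    print(accounts_to_change(load_defaults(DEFAULT_CREDS_CSV), INVENTORY_CSV))
```

Assets with no match (fw-01 above) are omitted from the report, so an empty result means nothing in the inventory is covered by the list, not that the inventory is clean.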