Unauthenticated Configuration File Exposure via Predictable URL in DB-70 / CVE pending
The Delta Dore DB-70 is an industrial IP controller.
The Delta Dore DB-70 stores its configuration on a static path on the web server. The naming structure for the configuration file is "DB-70_WSA_" + "Application Version without dots" + "_config.bin". For instance, if the application version is 01.04.00, the configuration file would be named "DB-70_WSA_010104_config.bin".
http://xx.yy.zz.tt:8080/admin/DB-70_WSA_010104_config.bin
The DB-70 device exposes its application version on the "informations.shtm" web page without requiring any authentication, so anyone can retrieve it.
Consequently, an unauthenticated attacker can construct the URL of the configuration file and retrieve it.
This configuration file contains the username and password in plain text, posing a significant security risk. It exposes the device to potential denial-of-service attacks and unauthorized takeover.
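A detection sketch for the exposure described above, added here as an example and not part of the original advisory: it scans web access logs for requests to the configuration file path and notes whether the same client read the version page first. The log format (common log format from a reverse proxy or sensor in front of the device), the sample lines and the function name are assumptions.

```python
import re

# Constructed sample lines in common log format, as a reverse proxy or
# network sensor in front of the controller might record them (assumption).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /informations.shtm HTTP/1.1" 200 1834
203.0.113.7 - - [12/Mar/2024:10:01:05 +0000] "GET /admin/DB-70_WSA_010104_config.bin HTTP/1.1" 200 4096
198.51.100.9 - - [12/Mar/2024:10:02:00 +0000] "GET /index.shtm HTTP/1.1" 200 900
192.0.2.44 - - [12/Mar/2024:10:03:10 +0000] "GET /admin/DB-70_WSA_010200_config.bin HTTP/1.1" 404 0
192.0.2.44 - - [12/Mar/2024:10:03:11 +0000] "GET /admin/DB-70_WSA_010300_config.bin HTTP/1.1" 404 0
"""

# Captures client, request path and status from a common-log-format line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')
# Any version string is matched, so guessed versions are caught as well.
CONFIG_RE = re.compile(r"/DB-70_WSA_\d+_config\.bin$", re.IGNORECASE)
VERSION_PAGE = "/informations.shtm"


def find_config_requests(log_text):
    """Return {client: finding} for every client that requested the config file."""
    read_version = set()  # clients that fetched the version page earlier
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, url, status = m.groups()
        path = url.split("?", 1)[0].lower()
        if path.endswith(VERSION_PAGE):
            read_version.add(client)
        elif CONFIG_RE.search(path):
            f = findings.setdefault(
                client, {"hits": 0, "served": False, "read_version_first": False})
            f["hits"] += 1
            # A 200 means the file, and the plain-text credentials in it, left the device.
            f["served"] = f["served"] or status == "200"
            f["read_version_first"] = f["read_version_first"] or client in read_version
    return findings


if __name__ == "__main__":
    for client, f in find_config_requests(SAMPLE_LOG).items():
        action = "rotate credentials" if f["served"] else "review and block"
        print(f"{client}: {f} -> {action}")
```

A finding with `served` set should be treated as credential disclosure; repeated 404 hits from one client indicate version guessing.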
Another issue that introduces a vulnerability in the system is the overlooked username "install", which has a default password of "install" as well. Administrators are often unaware of this user, which has the ability to modify certain critical DB-70 settings.
Product References:
https://batinfo.com/en/actuality/delta-dore-presents-the-flexible-and-accessible-programmable-db-70-ip-controller_9127
https://www.youtube.com/watch?v=QYGtMbGLI_o
Cumhur Kizilari