Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Michael Brown (michaelb_at_opentext.com)
Date: Mon Jan 27 2003 - 20:55:08 CST
-- Summary --
The Replicom ProxyView remote access unit ships with a default Administrator
password for Embedded Windows NT.
Any users with access to communicate with the ProxyView over the NetBIOS port
(TCP/139) can exploit this fact to take over the ProxyView unit.
-- Product details --
From homepage: http://www.replicom.com/
"With ProxyView at the front end of any KVM Switch, multiple servers can
be locally or remotely accessed in/out-of-band, providing server
control, through a web based client, even when the network is down.
Using ProxyView, network administrators can access multiple servers
connected to any KVM Switch through a dial-up modem connection, an
Internet connection, or across a LAN or WAN. Actions that vary from GUI
functionality to BIOS-level troubleshooting, administration, and soft
and hard remote rebooting, are available just as if sitting next to the
server in the Data-Center."
Really, it's a handy remote access tool. It runs Windows NT embedded and
actually is usable for GUI administration over a modem connection. I just wish
there was an option for a client other than IE under Windows... :)
-- Vulnerability --
The software running on the ProxyView maintains a user database for its client
connections. This database is completely separate from the Windows NT user
database. The ProxyView administrator default password is 'PVremote'. The
documentation advises you to change this password quickly. This is NOT the
The Administrator account for Embedded Windows NT on the ProxyView has the
default password of "Administrator". Anybody with access to port 139 (Hmmm...
people on the LAN) can login as Administrator and have full control over the
box and consequently console access to the machines the ProxyView is a front
end for. These details are not mentioned anywhere in the documentation.
-- Solution --
1) Generate a new password. :)
2) Using whatever remote registry tool you like (regedit), connect to the
ProxyView and change the contents of the key:
to the new password you generated in step 1.
3) Using whatever remote user tool you like (usrmgr), connect to the ProxyView
and change the Administrator password.
WARNING: If the 'autologon' password and the Administrator password are out of
sync, the ProxyView will *not* function after a reboot. You can still access
the unit via NetBIOS to fix the problem though. Provided you haven't lost the
password, so keep it safe! :)
-- Vendor contact --
The vendor was contacted on Nov. 19 2002. The vendor failed to realize the
scope of the problem, however.
-- Michael Brown | Quis custodiet Systems Administrator GPG key: | ipsos custodes? michaelbopentext.com 0x527670C0 |