In an attack exploiting inappropriate defaults, the attacker gains
unauthorized access to the user's computer network or equipment with
elevated rights. The attacker simply uses default values that were set into
the systems before delivery and have never been changed. An attack
exploiting an inappropriate default can affect operating systems,
application programs, and hardware. This should be an easy vulnerability to
defend against. The easiest defense is to educate system administrators
about the vulnerability so that they fully comprehend the severity of
leaving the factory defaults in place.
When many operating systems, hardware products, or applications are
installed or set up, they are first powered up with a default password on a
default account and with default protection settings. Generally these
passwords and settings are common to every copy of the hardware or software
and are not created for the specific customer or account. In some cases
these defaults are well known throughout the information technology
community, and if not, readily available published lists contain the
default parameters. As an example, SecurityNews provides a list of default
passwords for 78 different products [1]. If the user fails to change the
default values, an attacker can easily exploit this vulnerability, gain
unauthorized access to the user's network, and use the equipment with
elevated rights.
An attack exploiting an inappropriate default is defined as unauthorized
access using default values that were set into a system at the factory or
configured before delivery and were never changed. Examples of the types of
defaults that need to be changed are default passwords, default
configuration settings, default permission (protection) settings, and
default account settings. These vulnerabilities are quite common. A Google
search using the keywords "default password vulnerability", "default
configuration vulnerability", "default permissions vulnerability", or
"default account vulnerability" returns 925, 551, 564, and 139 Internet
postings, respectively.
An attack exploiting an inappropriate default can affect operating
systems, application programs, and hardware. SAP R/3 is an application
program that can easily be exploited using default passwords [2]. SAP R/3
ships with four default user accounts protected by commonly known
passwords. These default accounts are installed in every client software
package, and all four have super-user or power-user access rights. An
attacker exploiting this vulnerability is able to access and modify certain
data for any client.
Another example of an application program vulnerable through default
passwords is the Oracle relational database management system (RDBMS) [3].
The default installation of the Oracle database sets up a number of "demo"
accounts with preset passwords. The default account usernames resemble
personal names, such as "SCOTT". An attacker who gains access to the system
through one of these accounts may also be able to access the local system
with the privileges of the oracle user and group. Oracle 9iAS has a default
configuration vulnerability as well [4]; if it is exploited, an attacker
can obtain usernames and passwords that can then be used to access the
system.
An example of an attack exploiting an inappropriate default in hardware is
the SpeedXess router, where the attack exploits a default password [5]. The
SpeedXess HASE-120 (IPOA Router) uses "speedxess" as the default
administrative password. Using this password, an attacker can gain elevated
access to the router and configure it as desired.
Another hardware example is the Xerox DocuTech 6110 and DocuTech 6115,
which are vulnerable to an attack through an insecure default configuration
[6]. The printer is controlled by a Sun system running Solaris 8.0, while
the scanner is controlled by a Microsoft Windows system running Windows NT.
By default, both of these control systems are installed insecurely. A
remote attacker could exploit this vulnerability through the Web interface
to obtain sensitive information, or gain unauthorized access to the system
using the default system account information.
A final example of a default password vulnerability is the Axis Network
Camera system [7]. The Axis Network Camera system connects a camera
directly to a network and is commonly used as a web cam or for security
surveillance. During installation of an Axis Network Camera, the
administrator is not prompted for an account ID or a password; the defaults
are "root" for the account ID and "pass" for the password. An attacker can
connect to the device remotely, obtain administrative access, and
reconfigure or interrupt the camera.
The best defense against an attack that exploits an inappropriate default
is to educate the user so that they fully comprehend the severity of
leaving the factory defaults in place. This should be an easy vulnerability
to defend against. System administrators need to be held accountable for
their actions, or lack thereof. One way to make sure the defaults really
were changed is to test for them, the same way an attacker would. Proper
documentation of the control procedures, including a formal check-off
policy, helps ensure that the important steps are actually taken.
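The published default lists described earlier are as useful to the defender as to the attacker: the same catalogue, run against your own inventory, is the "test for faults" and the check-off evidence this section asks for. What follows is an added example, not code from the original page or from any of the vendors named on it: a small Python audit that tries catalogued factory credentials against each host and also flags demo accounts that are still enabled even when their password was changed. The catalogue is constructed from the defaults cited on this page; the administrative username for the SpeedXess router is an assumption (the page gives only the password), and SCOTT's password is the classic Oracle demo value, which the page does not state. The devices are in-memory stand-ins so the script runs offline; try_login and list_accounts are the two points to replace with a real protocol client.

```python
"""Audit an inventory for unchanged factory defaults.

Added example; not code from the original page or any vendor. The catalogue
is constructed from the defaults the page cites, and the devices are
in-memory stand-ins so the script runs offline. In a real audit, try_login
and list_accounts would wrap a client for the real service (HTTP, SQL, ...).
"""
from dataclasses import dataclass, field

# Constructed catalogue of factory defaults: (product, username, password).
# The SpeedXess administrative username is an assumption (the page gives only
# the password); SCOTT's password is the classic Oracle demo value and is not
# stated on the page. A real audit would load a maintained list instead.
DEFAULT_CREDENTIALS = [
    ("SpeedXess HASE-120", "admin", "speedxess"),
    ("Axis Network Camera", "root", "pass"),
    ("Oracle RDBMS", "SCOTT", "tiger"),
]

# Demo accounts that should be locked or removed after installation, by product.
DEMO_ACCOUNTS = {"Oracle RDBMS": {"SCOTT"}}


@dataclass
class FakeDevice:
    """Stand-in for one host: the accounts it holds and which are locked."""
    host: str
    product: str
    accounts: dict                      # username -> password
    locked: set = field(default_factory=set)

    def authenticate(self, user, password):
        return user not in self.locked and self.accounts.get(user) == password


def try_login(device, user, password):
    """One login attempt. Replace with a real protocol client in practice."""
    return device.authenticate(user, password)


def list_accounts(device):
    """Enabled accounts on the host. Replace with a real query in practice."""
    return set(device.accounts) - device.locked


def audit(devices, catalogue=DEFAULT_CREDENTIALS, demo_accounts=DEMO_ACCOUNTS):
    """Return findings as (host, kind, user) tuples, sorted for stable reports.

    kind is "default-password" when a factory credential still logs in, and
    "demo-account-enabled" when a demo account exists and is not locked, even
    if its password was changed. Credentials are filtered by product first so
    each host sees only the few attempts that apply to it.
    """
    findings = set()
    for dev in devices:
        for product, user, password in catalogue:
            if product == dev.product and try_login(dev, user, password):
                findings.add((dev.host, "default-password", user))
        for user in demo_accounts.get(dev.product, set()) & list_accounts(dev):
            findings.add((dev.host, "demo-account-enabled", user))
    return sorted(findings)


def sample_devices():
    """Constructed inventory used to demonstrate the audit."""
    return [
        FakeDevice("cam1", "Axis Network Camera", {"root": "pass"}),
        FakeDevice("cam2", "Axis Network Camera", {"root": "Qw!7pZ2#"}),
        FakeDevice("db1", "Oracle RDBMS", {"SYS": "x", "SCOTT": "tiger"}),
        FakeDevice("db2", "Oracle RDBMS", {"SYS": "x", "SCOTT": "changed"}, {"SCOTT"}),
        FakeDevice("rtr1", "SpeedXess HASE-120", {"admin": "speedxess"}),
    ]


if __name__ == "__main__":
    for host, kind, user in audit(sample_devices()):
        print(f"{host}: {kind} ({user})")
```

Because a real version of this authenticates against production services, run it only where you are authorized, and remember that repeated failed attempts can trigger account lockouts; filtering the catalogue by product keeps the number of attempts per host to the one or two that actually apply. The findings list is the artifact to attach to the check-off record: an empty list is the evidence that the defaults were changed, not an administrator's recollection that they were.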
Manufacturers of software and hardware can also take responsibility for
security, but they are limited in what they can do. Joacim Tullberg,
Product Group Manager for the Network Cameras & Video Servers manufactured
by Axis Communications, has documented the company's attempts to encourage
users to change the default root password immediately after installing a
camera system [8]. In one case, they tried to force the user to change the
default password before the unit became fully operational. This resulted in
a significant number of support requests due to forgotten passwords. When
they instead shipped with password protection enabled from the start, using
a default password that was clearly stated in the installation guide, the
result was also support calls, this time requesting the default password.
Finally, they have considered issuing a unique default password for each
device, printed on a sticker shipped with the unit. They have been
reluctant to pursue this option because they believe the result would be
support requests for the default password, a question which they would not
be able to answer. Consequently, a forgotten password and a lost sticker
would make the unit useless.
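The two approaches Axis tried, and the per-unit sticker option they considered, can be sketched in code. The following is an added example in Python, not Axis firmware or any vendor's code: a device model that derives a per-unit default password from its serial number and refuses every action except a password change until that default has been replaced. Everything in it is assumed for illustration: the serial number format, the "root" account name (taken from the camera example above), the minimum password length, and in particular the derivation from a manufacturer-held key, which goes beyond what the page describes. With such a key the vendor's support system could recompute a unit's default from its serial number, so a lost sticker would not have to leave the unit useless, while each unit's default still differs from every other unit's.

```python
"""Shipped-device default handling.

Added example; not Axis firmware or any vendor's code. Models a unit whose
default password is unique per unit (derived from a manufacturer-held key and
the serial number, an assumption added here) and which stays non-operational
until that default has been replaced.
"""
import hashlib
import hmac

# Constructed manufacturer secret. It belongs in the vendor's support system,
# never in the firmware image, or every unit's default becomes computable by
# anyone who dumps one firmware.
FACTORY_KEY = b"constructed-factory-key-do-not-ship"

# Characters that survive being printed on a sticker: no 0/O, 1/l/I pairs.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
MIN_PASSWORD_LENGTH = 8


def derive_default_password(serial, key=FACTORY_KEY, length=10):
    """Per-unit default: HMAC-SHA256(key, serial) encoded with ALPHABET.

    Deterministic, so the vendor can recompute it from the serial; unique per
    unit, so one leaked default opens one unit, not the whole product line.
    """
    digest = hmac.new(key, serial.encode(), hashlib.sha256).digest()
    n = int.from_bytes(digest, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


class Device:
    """Minimal model of one unit; "root" is the account name from the camera example."""

    def __init__(self, serial):
        self.serial = serial
        self._default = derive_default_password(serial)
        self._password = self._default
        self.sticker = self._default    # what ships printed on the unit

    @property
    def operational(self):
        """Everything except a password change stays off while the default is in use."""
        return self._password != self._default

    def login(self, user, password):
        return user == "root" and hmac.compare_digest(
            password.encode(), self._password.encode())

    def set_password(self, old, new):
        """Change the root password; rejects keeping the default or a short value."""
        if not self.login("root", old):
            raise PermissionError("current password required")
        if new == self._default or len(new) < MIN_PASSWORD_LENGTH:
            raise ValueError("new password must differ from the default and "
                             f"be at least {MIN_PASSWORD_LENGTH} characters")
        self._password = new

    def authorize(self, user, password, action):
        """Gate every request: valid credentials, and until the default is
        replaced the only permitted action is set_password."""
        if not self.login(user, password):
            return False
        return action == "set_password" or self.operational

    def factory_reset(self):
        """Physical reset: back to the sticker value, and back to non-operational."""
        self._password = self._default


if __name__ == "__main__":
    unit = Device("SN-000001")          # constructed serial number
    print("sticker:", unit.sticker, "operational:", unit.operational)
    unit.set_password(unit.sticker, "N3w-cam-pass")
    print("operational after change:", unit.operational)
```

The gate in authorize is what turns the forced change into something a user cannot skip: the default password still logs in, but it can only be used to replace itself. A factory reset restores the sticker value rather than a product-wide constant, so the recovery path for a forgotten password is the sticker or the vendor's recomputation, never a password that is the same on every unit shipped.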
Finally, in response to the many recent attacks on its products, Microsoft
has launched the Strategic Security Protection Program. The initiative
began in October 2001 and provides Microsoft customers with technical
support through a toll-free number and free access to the Microsoft
Security Tool Kit on CD. The CD will contain the latest service packs,
security checklists, and a deployment guide for various Windows operating
systems. Microsoft also said in a statement that the next version of its
hacker-plagued IIS Web server software will be locked down by default, with
the pre-defined configurations set to the highest security levels.
Microsoft claims that "If the products then prove to be less than secure,
it will be because of defects or bugs within the products themselves rather
than some lapse by an administrator who was not familiar with the entire
gamut of security settings within Microsoft products." [9]
[1] "Default passwords sometimes stay for good", Beyond Security Ltd., July 7, 2000. http://www.securiteam.com/securitynews/5RR080A1TS.html
[2] "SAP R/3 Default Password Vulnerability", Beyond Security Ltd., August 26, 2002. http://www.securiteam.com/securitynews/5YP0N1P80O.html
[3] SecurityFocus Microsoft Newsletter #71. www.hackemate.com.ar/advisories/SecurityFocus%20Microsoft%20Newsletter/SecurityFocus%20Microsoft%20Newsletter%20071.txt
[4] NGSSoftware Insight Security Research Advisory #NISR06022002C, February 27, 2002. http://www.ciac.org/ciac/bulletins/m-048.shtml
[5] "SpeedXess HASE-120 (IPOA Router) Default Password", Beyond Security Ltd., February 1, 2002. http://www.securiteam.com/securitynews/5GP040A60I.html
[6] Internet Security Systems, Inc., May 17, 2002. http://xforce.iss.net/xforce/xfdb/9108
http://lists.insecure.org/lists/bugtraq/2001/Dec/0055.html
http://cert.uni-stuttgart.de/archive/bugtraq/2001/12/msg00067.html
[9] Delio, M., "MS Security Plan: OK, Kind Of", Wired News, Oct. 04, 2001. http://www.wired.com/news/business/0,1367,47299,00.html