Inappropriate Defaults

by Michael Sklarewitz


Abstract

In an attack that exploits inappropriate defaults, the attacker gains unauthorized access, with elevated rights, to a user's network or equipment by using factory-set values that were never changed. Such an attack can affect operating systems, application programs, and hardware. This should be an easy vulnerability to defend against. The easiest defense is to educate system administrators about the vulnerability so that they fully comprehend the severity of leaving factory defaults in place.


Introduction

When many computer operating systems, hardware devices, or applications are installed or set up, they are turned on or powered up with a default account, a default password, and default protection settings. Generally these passwords and settings are common to every copy of the hardware or software and are not created for the specific customer or account. In some cases these defaults are well known throughout the information technology community, and where they are not, readily available published lists contain the default parameters. As an example, SecurityNews provides a list of default passwords for 78 different products [1]. If the user fails to change the default values, an attacker can easily exploit this vulnerability, gain unauthorized access to the user's network, and use the equipment with elevated rights.


Definition

An attack exploiting an inappropriate default is defined as unauthorized access obtained using values that were set into a system at the factory, or configured before delivery, and never changed. Examples of the defaults that need to be changed are default passwords, default configuration settings, default permission (protection) settings, and default account settings. These vulnerabilities are quite common. A Google search using the keywords "default password vulnerability", "default configuration vulnerability", "default permissions vulnerability", or "default account vulnerability" returns 925, 551, 564, and 139 Internet postings, respectively.


Attacks

An attack exploiting an inappropriate default can affect operating systems, application programs, and hardware. SAP R/3 is an application program that can easily be exploited using default passwords [2]. SAP R/3 ships with four default user accounts protected by commonly known passwords, and these accounts are installed in every client. All four accounts carry super-user or power-user access rights, so an attacker exploiting this vulnerability can access and modify certain data in any client.

Another example of a default-password vulnerability in an application program is the Oracle relational database management system (RDBMS) [3]. The default installation of the Oracle database sets up a number of "demo" accounts with preset passwords, under usernames that resemble personal names such as "SCOTT". An attacker who gains access through one of these accounts may also be able to access the local system with the privileges of the oracle user and group. Oracle 9iAS (the Oracle9i Application Server) has a default configuration vulnerability [4]; if exploited, an attacker could obtain usernames and passwords that can then be used to access the system.

An example of an attack exploiting an inappropriate default in hardware is against the SpeedXess HASE-120 IPOA router, which uses "speedxess" as its default administrative password [5]. With this password an attacker can gain administrative access to the router and configure it as desired.

Another hardware example is the Xerox DocuTech 6110 and DocuTech 6115, which are vulnerable because of an insecure default configuration [6]. The printer is controlled by a Sun system running Solaris 8.0, and the scanner by a Microsoft Windows NT system. By default, both control systems are installed insecurely. A remote attacker could exploit this through the Web interface to obtain sensitive information, or gain unauthorized access to the system using the default system account information.

A final example of a default-password vulnerability is the Axis Network Camera [7]. The Axis Network Camera connects a camera directly to a network and is commonly used as a web cam or for security surveillance. During installation the administrator is not prompted for an account ID or a password; the defaults are "root" for the account ID and "pass" for the password. An attacker can connect to the device remotely with these credentials, obtain administrative access, and reconfigure or interrupt the camera.
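As an added example, not code from the page or from any vendor, the following Python shows the attacker's side of the problem described in this section: a sweep of a published default-credential list against a device's administrative interface. The target is a constructed in-process mock, assumed to protect its admin page with HTTP Basic authentication, that still answers to the "root"/"pass" pair the page reports for the Axis camera. Apart from that pair and the "speedxess" password from the SpeedXess example, the credential list is made up for illustration.

```python
"""Default-credential sweep against an HTTP Basic-auth admin interface.

Added example, not code from the page or any vendor. The target is a
constructed in-process mock imitating a device still on its factory
login ("root"/"pass", as the page reports for the Axis camera). The
other entries in DEFAULT_CREDENTIALS are assumptions for illustration,
not claims about any product.
"""
import base64
import http.server
import threading
import urllib.error
import urllib.request

# Constructed list modelled on the published default-password lists the
# page refers to. Only "root"/"pass" (Axis, per the page) and "speedxess"
# (SpeedXess HASE-120, per the page) come from the text; the rest are
# placeholders.
DEFAULT_CREDENTIALS = [
    ("root", "pass"),
    ("admin", "speedxess"),
    ("admin", "admin"),
    ("admin", ""),
]


class MockDeviceHandler(http.server.BaseHTTPRequestHandler):
    """Mock admin page protected by HTTP Basic auth with a factory login."""
    factory_user = "root"
    factory_pass = "pass"

    def do_GET(self):
        expected = base64.b64encode(
            f"{self.factory_user}:{self.factory_pass}".encode()).decode()
        if self.headers.get("Authorization") == f"Basic {expected}":
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"admin console")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="device"')
            self.end_headers()

    def log_message(self, *args):  # keep the mock quiet
        pass


def start_mock_device():
    """Start the mock on an ephemeral loopback port; returns (server, url)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), MockDeviceHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/"


def try_login(url, user, password, timeout=3):
    """Return True if the Basic-auth pair is accepted (HTTP 200)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            return False
        raise  # anything else is a transport/server problem, not a verdict


def sweep_defaults(url, credentials=DEFAULT_CREDENTIALS):
    """Try each default pair in order; return the pairs the device accepts."""
    return [(u, p) for u, p in credentials if try_login(url, u, p)]


if __name__ == "__main__":
    server, url = start_mock_device()
    try:
        print("still on factory credentials:", sweep_defaults(url))
    finally:
        server.shutdown()
        server.server_close()
```

Run against the embedded mock it reports `[('root', 'pass')]`; pointed at real inventory (with authorization) the same loop is the check an administrator's formal check-off policy would run to confirm that no device still answers to a published default.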


Summary, Conclusions, and Further Work

The best defense against an attack that exploits an inappropriate default is to educate the user so that they fully comprehend the severity of leaving factory defaults in place. This should be an easy vulnerability to defend against. System administrators need to be held accountable for their actions, or lack thereof. One way to ensure that defaults have actually been changed is to test for them, for example by checking deployed systems against the published default-password lists. Proper documentation of the control procedures, including a formal check-off policy, can help ensure that the important steps are taken.

Manufacturers of software and hardware can also take responsibility for security. However, they are limited in their ability. Joacim Tullberg, the Product Group Manager for the Network Cameras & Video Servers manufactured by Axis Communications, has documented their attempts to encourage users to change the default root password immediately after installation of a camera system [8]. In one case, they tried to force the user to change the default password before the unit became fully operational. This resulted in a significant number of support requests from users who had forgotten the new password. When they shipped the unit with password protection enabled from the start, using a default password clearly stated in the installation guide, the result was again support calls requesting the default password. Finally, they have considered issuing a unique default password for each device, printed on a sticker shipped with the unit. They have been reluctant to pursue this option because they believe the result would be support requests for the default password, a question they would not be able to answer: a forgotten password and a lost sticker would make the unit useless.
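As an added example, not Axis firmware or any vendor's code, the following Python models the two countermeasures discussed in the paragraph above from the device's side: a unit that refuses privileged operations until its factory password has been replaced, and a per-unit factory password (the value that would go on the sticker) instead of one shared by every device. The class and method names, the minimum password length, and the set of well-known defaults that a new password is checked against are assumptions made for the example.

```python
"""First-boot credential policy for a network device.

Added example, not Axis firmware or any vendor's code. It models two
countermeasures: refusing to become operational until the factory
password is replaced, and issuing a per-unit default rather than one
shared by every device. Names, messages and thresholds are assumptions.
"""
import hashlib
import hmac
import os
import secrets

# Shared default the page reports for the Axis camera; the rest of the
# set are well-known values a new password must not be set to.
KNOWN_DEFAULTS = {"pass", "speedxess", "admin", "password", "root", ""}
MIN_LENGTH = 8  # assumed policy value


class NotProvisionedError(Exception):
    """Raised when a privileged operation is tried before the default was replaced."""


def _hash(password, salt):
    """Salted PBKDF2 so a leaked config file does not reveal the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def per_unit_default():
    """Generate a per-unit factory password (what would be printed on the label)."""
    return secrets.token_urlsafe(9)  # 12 URL-safe characters


class DeviceAdmin:
    def __init__(self, factory_password=None):
        # Per-unit default unless a vendor-wide one is deliberately supplied
        # (the weak design the page describes).
        self.factory_password = factory_password or per_unit_default()
        self._salt = os.urandom(16)
        self._digest = _hash(self.factory_password, self._salt)
        self.password_changed = False

    def authenticate(self, password):
        return hmac.compare_digest(_hash(password, self._salt), self._digest)

    def set_password(self, current, new):
        """Replace the password; rejects the factory value, known defaults and short values."""
        if not self.authenticate(current):
            return False
        if new == self.factory_password or new in KNOWN_DEFAULTS or len(new) < MIN_LENGTH:
            return False
        self._salt = os.urandom(16)
        self._digest = _hash(new, self._salt)
        self.password_changed = True
        return True

    def stream_video(self, password):
        """Example privileged operation; blocked until the default is replaced."""
        if not self.authenticate(password):
            raise PermissionError("bad credentials")
        if not self.password_changed:
            raise NotProvisionedError("change the factory password first")
        return "video stream"


if __name__ == "__main__":
    unit = DeviceAdmin()
    print("label:", unit.factory_password)
    assert unit.set_password(unit.factory_password, "correct-horse-battery")
    print(unit.stream_video("correct-horse-battery"))
```

The forced change is what generated Axis's forgotten-password support calls, and the per-unit default is the sticker they were reluctant to ship; the code only makes the trade-off concrete, it does not resolve it.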

Finally, in response to the many recent attacks on its products, Microsoft has launched the Strategic Security Protection Program. The initiative began in October 2001 and provides Microsoft customers with technical support through a toll-free number and free access to the Microsoft Security Tool Kit on CD. The CD contains the latest service packs, security checklists, and a deployment guide for various Windows operating systems. Microsoft also said in a statement that the next version of its hacker-plagued IIS Web server will be locked down by default, with the pre-defined configurations set to the highest security levels. Microsoft claims that "If the products then prove to be less than secure, it will be because of defects or bugs within the products themselves rather than some lapse by an administrator who was not familiar with the entire gamut of security settings within Microsoft products." [9]


References

[1] "Default passwords sometimes stay for good", Beyond Security Ltd., July 7, 2000.

http://www.securiteam.com/securitynews/5RR080A1TS.html

[2] "SAP R/3 Default Password Vulnerability", Beyond Security Ltd., August 26, 2002.

http://www.securiteam.com/securitynews/5YP0N1P80O.html

[3] SecurityFocus Microsoft Newsletter #71.

www.hackemate.com.ar/advisories/SecurityFocus%20Microsoft%20Newsletter/SecurityFocus%20Microsoft%20Newsletter%20071.txt

[4] NGSSoftware Insight Security Research Advisory #NISR06022002C, February 27, 2002.

http://www.ciac.org/ciac/bulletins/m-048.shtml

[5] "SpeedXess HASE-120(IPOA Router) Default Password", Beyond Security Ltd., February 1, 2002.

http://www.securiteam.com/securitynews/5GP040A60I.html

[6] Internet Security Systems, Inc., May 17 2002.

http://xforce.iss.net/xforce/xfdb/9108

[7] Chris Gragsone, Bugtraq: Axis Network Camera known default password vulnerability, December 05 2001.

http://lists.insecure.org/lists/bugtraq/2001/Dec/0055.html

[8] Joacim Tullberg, Product Group Manager, Network Cameras & Video Servers, Axis Communications. December 6, 2001

http://cert.uni-stuttgart.de/archive/bugtraq/2001/12/msg00067.html

[9] Delio, M., "MS Security Plan: OK, Kind Of", Wired News, Oct. 04, 2001.

http://www.wired.com/news/business/0,1367,47299,00.html