[ITERIS] - Vantage Velocity Field Unit - No Documented Users, Weak Passwords and Credentials Disclosure - (CVE-2020-9023)
Device Information:
- https://www.iteris.com/products/travel-time/vantage-velocity
- http://www.oceanstatesignal.com/OSS_Products/manuals/Iteris/Velocity-Field-Unit-User-Guide.pdf
The "eclipse" and "bluetooth" users are not documented. In addition, these users, as well as "root", have weak credentials.
Affected Versions:
- 2.4.2
- 2.3.1
The "Vantage Velocity Field Unit" device has 2 users that are not documented. These users are configured with weak passwords, as is the root user of the device.
Undocumented users are the following:
User bluetooth, password bluetooth
User eclipse, password eclipse
root user password: bluetooth
The /etc/shadow file was extracted from the device and its password hashes were then cracked.
Cracking passwords with john:
Version 2.3.1 also has the same users.
SSH connection with root and password "bluetooth":
SSH connections with the undocumented users:
CVE-2020-9023
By: @Linuxmonr4
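
For operators checking their own units, the following added example (not part of the original advisory or any vendor tooling) audits the text of /etc/passwd and /etc/shadow for accounts that can log in with a password but are missing from a list of documented accounts. The `DOCUMENTED` set, the sample file contents and the placeholder hash fields are constructed assumptions.

```python
# Added example (not from the advisory): flag password-enabled accounts that
# are missing from an operator-supplied list of documented accounts.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Constructed sample data; hash fields are placeholders, not real hashes.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
bluetooth:x:1000:1000::/home/bluetooth:/bin/sh
eclipse:x:1001:1001::/home/eclipse:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$1$CONSTRUCTED$placeholder0:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
bluetooth:$1$CONSTRUCTED$placeholder1:18000:0:99999:7:::
eclipse:$1$CONSTRUCTED$placeholder2:18000:0:99999:7:::
"""
DOCUMENTED = {"root"}  # assumption: accounts named in the vendor documentation

def rows(text, min_fields):
    """Split a colon-separated account file into field lists, skipping junk."""
    out = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= min_fields and fields[0] and not fields[0].startswith("#"):
            out.append(fields)
    return out

def password_state(hash_field):
    """Classify a shadow hash field as 'empty', 'locked' or 'set'."""
    if hash_field == "":
        return "empty"          # no password required at all
    if hash_field[0] in "!*":
        return "locked"         # password login disabled
    return "set"

def audit_accounts(passwd_text, shadow_text, documented):
    """Return (user, state, is_documented) for accounts that can log in with a password."""
    shells = {f[0]: f[6] for f in rows(passwd_text, 7)}
    findings = []
    for f in rows(shadow_text, 2):
        state = password_state(f[1])
        if state == "locked" or shells.get(f[0], "") in NOLOGIN_SHELLS:
            continue
        findings.append((f[0], state, f[0] in documented))
    return findings

def undocumented_logins(findings):
    return [user for user, _, known in findings if not known]

if __name__ == "__main__":
    print(undocumented_logins(audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW, DOCUMENTED)))
```

Accounts that are documented but still password-enabled, such as root here, remain in the findings so their passwords can be reviewed and changed separately.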








