Wednesday, September 26, 2012

CoSoSys Predicable Password CVE-2012-2994

CVE-2012-2994 describes a vulnerability in the CoSoSys Endpoint Protector 4 appliance that I mentioned in my BsidesLV talk.  The bottom-line is that once the appliance is activated, a script is ran that sets several passwords using a variation of the serial number.  The account "epproot" is a root-equivalent account and can be used to SSH into the appliance.  The password is not provided from the company so if you would like to control the appliance, use the following PowerShell script:

Get-EPPPassword Function

The vulnerability lies in the fact that there are an extremely limited number of possible password combinations  (91) which can be easily brute-forced.  To generate the complete list of possible passwords with PowerShell:

The output should look like the following screenshot, but can be downloaded here:

Thanks for reading and I hope to see everyone at Derbycon!