Researchers conducted network reconnaissance on the Econolite controllers using nmap, a port scanner, to identify potential vulnerabilities. By scanning the controllers' IP addresses, they found open ports for commonly used services such as FTP, Telnet, SSH, and HTTP.
The scan also revealed that SNMP, a network-management protocol, was enabled on the devices but was not listening on its standard ports, which typically use UDP.
Since the Econolite controllers did not offer a web interface for configuration, the focus shifted to the Telnet service, a text-based remote access protocol.
Attempts to log in with the default credentials "Econolite" and "Admin" were unsuccessful, indicating they had been changed. To recover the password, a brute-force attack was launched against the username "econolite".
A password list containing numerous candidate passwords was generated from the "rockyou" wordlist, a large collection of commonly used passwords leaked in previous security breaches.
By systematically trying each password in the list, the brute-force attack aimed to discover the one that grants access to the Telnet service.
A brute-force attack on the target's FTP service using Hydra yielded the password "thompson1" after 15 minutes, and the same password also granted Telnet access to the controller.
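The credential attack described above leaves a characteristic trace: a burst of failed logins for one username from one source, followed by a success. As an added example (not code from the original write-up or from any vendor), the following detector runs that logic over a few constructed authentication log lines; the log format, the source addresses and the threshold values are assumptions chosen for the illustration.

```python
"""Detect password brute-forcing from authentication log lines (added example).

Assumed constructed log format, one event per line:
    <ISO timestamp> <service> <FAILED|OK> user=<name> src=<ip>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: a burst of FTP failures from one source, one unrelated
# failure from another source, then a success from the bursting source.
SAMPLE_LOG = """\
2024-01-01T10:00:00 ftp FAILED user=econolite src=10.0.0.5
2024-01-01T10:00:01 ftp FAILED user=econolite src=10.0.0.5
2024-01-01T10:00:02 ftp FAILED user=econolite src=10.0.0.5
2024-01-01T10:00:03 telnet FAILED user=admin src=10.0.0.9
2024-01-01T10:00:03 ftp FAILED user=econolite src=10.0.0.5
2024-01-01T10:00:04 ftp FAILED user=econolite src=10.0.0.5
2024-01-01T10:00:05 ftp FAILED user=econolite src=10.0.0.5
2024-01-01T10:15:00 ftp OK user=econolite src=10.0.0.5
"""


def parse_line(line):
    """Split one log line into its fields."""
    ts, service, result, user_kv, src_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "service": service,
        "result": result,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return alerts as tuples.

    ("bruteforce", src, service, count) fires once when a source reaches
    `threshold` failures against one service inside a sliding `window`.
    ("success_after_burst", src, service, user) fires when a source that
    was already flagged then logs in successfully to the same service.
    """
    failures = defaultdict(deque)   # (src, service) -> recent failure times
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        key = (ev["src"], ev["service"])
        recent = failures[key]
        if ev["result"] == "FAILED":
            recent.append(ev["ts"])
            # Drop failures that fell out of the sliding window.
            while recent and ev["ts"] - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(("bruteforce", ev["src"], ev["service"], len(recent)))
        elif ev["result"] == "OK" and key in flagged:
            alerts.append(("success_after_burst", ev["src"], ev["service"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

The second alert type is the one worth paging on: a successful login from a source that was just brute-forcing is a likely compromise rather than a mistyped password, and it is keyed per service so that a single typo on Telnet from another host (10.0.0.9 above) does not contribute to the FTP count.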
The Telnet session presented a continuously looping network test on a VxWorks console; standard commands such as "help" did not stop the loop, and exiting or restarting the session proved ineffective.
The attacker had gained admin-level shell access on a VxWorks system, but these limitations prevented further exploitation. After failing to brute-force SSH on an Intelight controller as on the previous systems, the attacker discovered a web application vulnerability that allowed an initial authentication bypass.
With the goal of escalating privileges to root and ultimately running Doom, the attacker performed a factory reset, which wiped the MaxTime software and removed SSH access altogether, forcing the attacker to purchase another controller.
The controller was replaced with a new one and its network interface was configured. After logging into the MaxTime database editor (version 1.8.x), the previous bypass method no longer worked.
They attempted to register an email on the Q-Free support portal to obtain an update but received no response. Rather than resorting to social engineering, they contacted support honestly about testing on behalf of a customer, but support was unhelpful.
Redthreatsec then switched to web application penetration testing and started exploring the website using the Burp proxy. The request looked normal except for an OID (Object Identifier) from SNMP at the end.
While investigating the communication protocol used by traffic controllers, they initially assumed the web interface was just a frontend to SNMP configuration, but further research revealed that NTCIP, a protocol built on top of SNMP, is used for traffic management.
Ideally, MIB (Management Information Base) files would be downloaded to learn how to query the controllers; without the vendor MIBs, a MIB browser was used to enumerate SNMP, which showed that most data can be queried using generic MIBs and that some values are even writable without authentication.
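The finding that NTCIP objects are writable without authentication is something a network owner can check for in their own SNMP telemetry. As an added example (not code from the original write-up, from Q-Free, Econolite or Intelight), the audit below classifies SNMP request records, flagging any SET that relies only on a v1/v2c community string, uses a default community, or targets an object under NEMA's enterprise arc (1.3.6.1.4.1.1206, where NTCIP objects are defined). The record layout, the source addresses and the specific OID suffixes are constructed for the illustration.

```python
"""Audit SNMP request records for unauthenticated writes (added example).

Each record is a constructed dict carrying the fields a capture or an SNMP
daemon log would give: protocol version, PDU type, community (None for v3),
target OID and source address.
"""

# NTCIP traffic-management objects live under NEMA's private enterprise arc.
NEMA_ARC = "1.3.6.1.4.1.1206"
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed sample traffic. OID suffixes under the NEMA arc are made up.
SAMPLE_REQUESTS = [
    {"version": "2c", "pdu": "GET", "community": "public",
     "oid": "1.3.6.1.2.1.1.1.0", "src": "10.0.0.2"},              # sysDescr read
    {"version": "2c", "pdu": "SET", "community": "private",
     "oid": NEMA_ARC + ".4.2.1.1.1.0", "src": "10.0.0.5"},       # NTCIP write
    {"version": "3", "pdu": "SET", "community": None,
     "oid": "1.3.6.1.2.1.1.5.0", "src": "10.0.0.2"},             # v3 sysName write
    {"version": "1", "pdu": "SET", "community": "public",
     "oid": "1.3.6.1.2.1.1.6.0", "src": "10.0.0.7"},             # v1 sysLocation write
]


def assess(req):
    """Return the list of findings for one request (empty if nothing is wrong).

    Only SET PDUs are writes; reads are ignored here so the output stays
    focused on the configuration-change risk described above.
    """
    findings = []
    if req["pdu"] != "SET":
        return findings
    if req["version"] in ("1", "2c"):
        # v1/v2c carry no authentication beyond the cleartext community string.
        findings.append("write without authentication (v1/v2c)")
    if (req.get("community") or "").lower() in DEFAULT_COMMUNITIES:
        findings.append("default community string")
    if req["oid"] == NEMA_ARC or req["oid"].startswith(NEMA_ARC + "."):
        findings.append("write to NTCIP traffic-control object")
    return findings


def audit(requests):
    """Return (src, oid, findings) for every request that raised a finding."""
    results = []
    for req in requests:
        findings = assess(req)
        if findings:
            results.append((req["src"], req["oid"], findings))
    return results


if __name__ == "__main__":
    for src, oid, findings in audit(SAMPLE_REQUESTS):
        print(f"{src} -> {oid}: {'; '.join(findings)}")
```

The v3 write in the sample passes because SNMPv3 can authenticate the sender; the two v1/v2c writes are flagged regardless of community string, since the mitigation on the controller side is to disable SNMP write access over v1/v2c (or move to v3 with authentication) rather than to pick a less guessable community.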