CWE-798: Use of Hard-coded Credentials
During a recent penetration test, CRITICALSTART's TEAMARES research discovered that OpsRamp Gateway has a backdoor account, vadmin, that allows root SSH access to the server.
After the OpsRamp Gateway server is installed, a script called “kick-start.sh” runs that creates multiple user accounts and hard-codes their passwords by writing pre-computed password hashes directly into those accounts.
Our team was able to crack the hash for the vadmin account, which can then be used to SSH into the server with the password [email protected]. Additionally, the account has the sudo permission ALL, allowing easy escalation to root with sudo -i.
We then logged into client servers in production as root, proving that the hashes are not unique to a given install.
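The defender-side check that follows from this finding, as an added example that is not code from the advisory or from OpsRamp: given "host:user:hash" excerpts gathered from each server's shadow file and a sudoers excerpt, flag accounts whose hash is identical on more than one host and which also hold sudo ALL. Every host name, hash string and sudoers rule below is constructed for the example.

```shell
# Added example (not from the CRITICALSTART advisory or OpsRamp): audit
# password hashes collected from several hosts and flag any account whose
# hash is identical on more than one host, which is the signature of a
# hash baked in by an install script rather than set per install.
# All host names, hash strings and sudoers lines below are constructed.

# Constructed excerpts in "host:user:hash" form, one line per shadow entry.
# The "vadmin" hash repeats across hosts; the "ops" hashes are per-host.
SAMPLE_SHADOW='hostA:root:$6$saltA$uniqueRootA
hostA:vadmin:$6$fixedsalt$SAMEHASHVALUE
hostA:ops:$6$saltA$opsHashA
hostB:root:$6$saltB$uniqueRootB
hostB:vadmin:$6$fixedsalt$SAMEHASHVALUE
hostB:ops:$6$saltB$opsHashB
hostB:svc:!'

# Constructed sudoers excerpt (placeholder rules, not OpsRamp's).
SAMPLE_SUDOERS='root    ALL=(ALL:ALL) ALL
vadmin  ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
ops     ALL=(root) /usr/bin/systemctl'

# shared_hashes: print "user hash host_count" for each user whose hash is
# byte-identical on two or more hosts. Locked (! or *) and empty hashes
# are skipped because they cannot be used to log in.
shared_hashes() {
    printf '%s\n' "$1" |
    awk -F: '$3 != "" && $3 !~ /^[!*]/ { seen[$2 FS $3]++ }
             END { for (k in seen) if (seen[k] > 1) {
                       split(k, p, FS); print p[1], p[2], seen[k] } }' |
    sort
}

# sudo_all_users: print user names (groups starting with % excluded)
# granted the unrestricted command list ALL, which is what turns a
# shared password into a root shell via "sudo -i".
sudo_all_users() {
    printf '%s\n' "$1" |
    awk '$1 !~ /^[#%]/ && $2 ~ /^ALL=/ && $NF == "ALL" { print $1 }' | sort
}

# risky_accounts: accounts that are both shared across hosts and sudo-ALL,
# i.e. the exact combination the advisory describes for vadmin.
risky_accounts() {
    { shared_hashes "$1" | awk '{ print $1 }'; sudo_all_users "$2"; } |
    sort | uniq -d
}

risky_accounts "$SAMPLE_SHADOW" "$SAMPLE_SUDOERS"   # prints: vadmin
```

On real hosts, feed shared_hashes the second field of each server's /etc/shadow prefixed with the host name; any non-locked hash that repeats across independently installed machines should be rotated.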
10/24/2019 – Vulnerability found
01/20/2020 – Informed that the Vendor patched the finding
03/26/2020 – Ensured that clients were patched
03/26/2020 – CVE Requested
04/07/2020 – Released vulnerability disclosure
Discovered by Charles Dardaman, Senior Adversarial Engineer for TEAMARES at CRITICALSTART
CRITICALSTART’s TEAMARES is made up of professionals with more than a decade of experience conducting offensive and defensive security services. Our team has expertise in a wide array of industries, including oil and gas, healthcare, app development firms, hospitality, technology, and more.