Default IBM password
The installation file settings are listed below in the order in which they appear in the script file. For each configuration setting where you do not want the default installation behavior, modify the text as shown. For installations to multiple hosts, each host will use the Default Settings of the installation file, unless there is a custom_host_settings configuration setting for that particular host overriding the Default Settings.
Ref http://publib.boulder.ibm.com/infocenter/lqkrdom/v8/index.jsp?topic=/com.ibm.lotus.quickr.dominov82.doc/install/inst_aix_silent.html
Other useful info
http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=%2Fcom.ibm.tklm.doc%2Fref%2Fref_ic_getting.html
http://www-10.lotus.com/ldd/lqwiki.nsf/xpDocViewer.xsp?lookupName=Lotus+Quickr+8.5.1+for+Domino+documentation#action=openDocument&res_title=Performing_a_silent_installation_of_IBM_Lotus_Quickr_on_AIX_qd851&content=pdcontent
TS3310
username: service
password: ser001
The following has been taken from http://www.phillips321.co.uk/2012/05/01/cve-2012-1844-default-system-username-and-password-now-disclosed/
| Configurable item | Setting | Behavior |
|---|---|---|
| target_hosts | #target_hosts=("host1","host2") | Default. Installs the Lotus Quickr Server only on the local host (the computer on which the installation program is being run). |
| target_hosts=("host1","host2") | Installs the Lotus Quickr Server on one or more target hosts, specified in a double-quoted, comma-separated list. The local host will only be installed to if it is one of the hosts specified in the target_hosts list. Note: In this example, Lotus Quickr Server will be installed on host1 and host2. | |
| program_directory | program_directory = "/opt/lotusquickr" | Default. Installs the Lotus Quickr program directories and files in the /opt/lotusquickr/lotus directory, and creates a link from /opt/lotus to the /opt/lotusquickr/lotus program tree. |
| program_directory = "directorypath" | Installs the Lotus Quickr program directories and files in the directorypath/lotus directory, and creates a link created from /opt/lotus to the directorypath/lotus program tree. | |
| data_UNIX_user | data_UNIX_user = "quickr" | Default. The Lotus Quickr Data Directories are owned by quickr. |
| data_UNIX_user = "username" | The Lotus Quickr Data Directories are owned by username. | |
| data_UNIX_group | data_UNIX_group = "quickr" | Default. The Lotus Quickr Data Directories are owned by the quickr group. Note: The username specified for data_UNIX_user must be a member of the quickr group. |
| data_UNIX_group = "groupname" | The Lotus Quickr Data Directories are owned by the groupname group. Note: The username specified for data_UNIX_user must be a member of the groupname group. | |
| qpadmin | qpadmin = "quickr" | Default. The Lotus Quickr Sever administrator is quickr. |
| qpadmin = "adminid" | The Lotus Quickr Sever administrator is adminid. | |
| qpadminpassword | qpadminpassword = "password" | The password of the user id specified for qpadmin. |
| data_directories | data_directories: "/local/lotusquickrdata" { | Default. The path for the Lotus Quickr Data Directories is /local/lotusquickrdata. The directories are owned by quickr, a member of the group quickr. |
data_directories: "directorypath" { | The path for the Lotus Quickr Data Directories is directorypath, and the directories are owned by username, a member of groupname. | |
| QRD_InstallType | QRD_InstallType=2 | Default. Perform a Standard/Full install. Ignored if Quickr has been installed on the Domino® Server before. |
| QRD_InstallType=1 | Perform an Entry install. Ignored if Quickr has been installed on the Domino Server before. | |
| custom_host_settings | custom_host_settings: TargetHostname { | When installing on TargetHostname, the Quickr Server files will be installed in the directorypath directory, the data directory files will be installed in the datadirectorypath directory, and owned by username, a member of groupname. The administrative id is adminid, with a password of password. Note: The default behavior is to have no custom host settings. Custom host settings can be specified for some, all, or none of the hosts specified in target_hosts. |
Ref http://publib.boulder.ibm.com/infocenter/lqkrdom/v8/index.jsp?topic=/com.ibm.lotus.quickr.dominov82.doc/install/inst_aix_silent.html
Other useful info
http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=%2Fcom.ibm.tklm.doc%2Fref%2Fref_ic_getting.html
http://www-10.lotus.com/ldd/lqwiki.nsf/xpDocViewer.xsp?lookupName=Lotus+Quickr+8.5.1+for+Domino+documentation#action=openDocument&res_title=Performing_a_silent_installation_of_IBM_Lotus_Quickr_on_AIX_qd851&content=pdcontent
TS3310
username: service
password: ser001
The following has been taken from http://www.phillips321.co.uk/2012/05/01/cve-2012-1844-default-system-username-and-password-now-disclosed/
So on a recent test I found a few devices, one was a Qunatum Scalar i500 and the other was an IBM TS3310, both are tape libraries.
CVE-2012-1844 states the following: The Quantum Scalar i500 tape library with firmware before i7.0.3 (604G.GS00100), also distributed as the Dell ML6000 tape library with firmware before A20-00 (590G.GS00100) and the IBM TS3310 tape library with firmware before R6C (606G.GS001), uses default passwords for unspecified user accounts, which makes it easier for remote attackers to obtain access via unknown vectors.
The only problem with this is for me to verify the issue I needed the username and password, neither of which were given. great, googling didn’t help either.
I was able to get access to the /etc/passwd file using a directory traversal vulnerability(CVE-2012-1841) so I now had a range of user I could target. http://192.168.0.100/logShow.htm?file=/etc/passwd (attempts to get /etc/shadow were failing, I guess the web server doesn’t run as root).
root,bin,daemon,embedded,service,nobody,sshd,ilinkacc
I then used burpsuite to bruteforce the web administrator login page using each of the accounts, this was taking ages due to the response time of the device.
I finally managed to get in using the undocumented account of service with a password of ser001.
Good luck.
To ensure that this password was the factory set password i then googled for the password, the only documented place i could find this password was here and here(pg174).
P.s. The service account is not listed in the ManageAccess–>Users page so it’s a hidden and undocumented backdoor account.
CVE-2012-1844 states the following: The Quantum Scalar i500 tape library with firmware before i7.0.3 (604G.GS00100), also distributed as the Dell ML6000 tape library with firmware before A20-00 (590G.GS00100) and the IBM TS3310 tape library with firmware before R6C (606G.GS001), uses default passwords for unspecified user accounts, which makes it easier for remote attackers to obtain access via unknown vectors.
The only problem with this is for me to verify the issue I needed the username and password, neither of which were given. great, googling didn’t help either.
I was able to get access to the /etc/passwd file using a directory traversal vulnerability(CVE-2012-1841) so I now had a range of user I could target. http://192.168.0.100/logShow.htm?file=/etc/passwd (attempts to get /etc/shadow were failing, I guess the web server doesn’t run as root).
root,bin,daemon,embedded,service,nobody,sshd,ilinkacc
I then used burpsuite to bruteforce the web administrator login page using each of the accounts, this was taking ages due to the response time of the device.
I finally managed to get in using the undocumented account of service with a password of ser001.
Good luck.
To ensure that this password was the factory set password i then googled for the password, the only documented place i could find this password was here and here(pg174).
P.s. The service account is not listed in the ManageAccess–>Users page so it’s a hidden and undocumented backdoor account.