BINOM3 Power Meter CSRF / XSS / Credential Management

16 Sep 2016 00:00:00 | Reported by Karn Ganeshen | Type: packetstorm | Source: packetstormsecurity.com

BINOM3 Power Meter vulnerabilities, CSRF, XSS, Credential Management

*Universal multifunctional Electric Power Quality Meter BINOM3 - Multiple Vulnerabilities*

*About*
The meters are designed for autonomous operation in automated systems:
- SCADA systems
- Data acquisition and transmission systems
- Automated data and measurement systems for revenue and technical power metering
- Power quality monitoring and control systems
- Automated process control systems, Management information systems

+++++
*Submitted to ICS-CERT* - May 25, 2016.
*No response from vendor till date.*
+++++

*Vulnerability Information*

*HTTP*

1. *Reflected XSS* - multiple URLs, parameters
Successful exploitation of this vulnerability could allow an unauthenticated as well as an authenticated attacker to inject arbitrary JavaScript via a specially crafted URL request, where the response containing user data is returned to the web browser without being made safe to display.
  
2. *Stored XSS* - multiple URLs, parameters
Successful exploitation of this vulnerability could allow an authenticated attacker to inject arbitrary JavaScript into specific input fields; the input is stored in the underlying database, and once the stored data is accessed it is returned to the web browser together with the malicious script, leading to script execution.
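Both XSS findings above come down to the same defect: untrusted data (a URL parameter in the reflected case, a stored field in the stored case) is copied into the HTML response without output encoding. The following added example is not code from the advisory or the vendor; it is a hypothetical page builder with a constructed in-memory user table and the made-up host meter.example, showing the vulnerable rendering next to the hardened one.

```python
"""Added example (not from the advisory): how reflected and stored XSS arise
in a page builder and how escaping at the point of output prevents both.
Hypothetical handler; the meter's real web code is not on the page."""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the device's user table; the real schema is unknown.
USER_DB = {"user": {"description": "Operator"}}


def _lookup(url: str, db: dict):
    """Pull the 'name' query parameter and the matching stored description."""
    params = parse_qs(urlsplit(url).query)
    name = params.get("name", [""])[0]
    desc = db.get(name, {}).get("description", "")
    return name, desc


def render_unsafe(url: str, db: dict) -> str:
    """Vulnerable: the parameter (reflected) and the stored field (stored) go into HTML verbatim."""
    name, desc = _lookup(url, db)
    return "<h1>Account: %s</h1><p>%s</p>" % (name, desc)


def render_safe(url: str, db: dict) -> str:
    """Hardened: every untrusted value is HTML-escaped where it is written into the page."""
    name, desc = _lookup(url, db)
    return "<h1>Account: %s</h1><p>%s</p>" % (html.escape(name), html.escape(desc))


def contains_script_tag(page: str) -> bool:
    """Demo check: does a raw <script> element survive into the rendered page?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    # Reflected: the payload arrives in the URL of a single request.
    reflected = "http://meter.example/account?name=<script>alert(1)</script>"
    print(render_unsafe(reflected, USER_DB))
    print(render_safe(reflected, USER_DB))
    # Stored: the payload was saved into the database earlier by an authenticated user
    # and now hits every browser that views the record.
    poisoned_db = {"alg": {"description": "<script>alert(2)</script>"}}
    print(render_unsafe("http://meter.example/account?name=alg", poisoned_db))
    print(render_safe("http://meter.example/account?name=alg", poisoned_db))
```

The escaping belongs at output time rather than at input time: the stored variant shows why, since a value that looked harmless when saved is only dangerous once it is written into a page.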
  
3. *Weak Credentials Management*
The device comes configured with four (4) login accounts:
- admin / 1
- user / 1
- alg / 1
- telem / 1

3a) These passwords do not meet even basic security criteria.
3b) To make it even easier for attacker(s), the application design does not give users any option to change their own passwords in the device management portal. Only 'root' can change passwords for all other accounts. (AFAIK)
  
4. *Undocumented root account*
In addition to the above four documented login accounts, there is a 'root' superuser account:
- root / root
- root account details are not documented in the device administration guide or manuals
- root account has multiple additional functions accessible, such as user management
  
5. *Sensitive Information stored in clear-text*
- all user passwords are stored / viewable in clear-text

Additionally, specific non-root, non-privileged users can access the complete device configuration file, which contains clear-text passwords and other configuration information. This flaw can be used to gain privileged access to the device.
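The clear-text storage in item 5 means that anyone who can read the configuration file holds every credential. The added example below is not the meter's firmware or any vendor code; it contrasts a hypothetical clear-text store with a salted PBKDF2-HMAC-SHA256 store in which reading the file yields nothing that can be replayed as a password. The sample accounts are the ones the advisory lists, used here only as constructed input.

```python
"""Added example, not code from the advisory or the vendor: a clear-text
credential store next to a salted, slow-hashed one. The dict layout is a
hypothetical stand-in for the device's real configuration file."""
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; raise as the hardware allows


def store_cleartext(accounts: dict) -> dict:
    """What the advisory describes: the stored record *is* the password."""
    return dict(accounts)


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted PBKDF2 record; a fresh random salt per account defeats precomputed tables."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%s$%s" % (salt.hex(), digest.hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def store_hashed(accounts: dict) -> dict:
    """Hardened store: the file never holds a recoverable password."""
    return {user: hash_password(pw) for user, pw in accounts.items()}


def password_recoverable(store: dict, user: str, password: str) -> bool:
    """Does reading the store directly hand back the password? True for the clear-text design."""
    return store.get(user) == password


if __name__ == "__main__":
    # Constructed input: the factory accounts from the advisory.
    factory = {"admin": "1", "user": "1", "alg": "1", "telem": "1"}
    print(store_cleartext(factory))        # every password readable
    hashed = store_hashed(factory)
    print(hashed["admin"])                 # salt and digest only
    print(verify_password("1", hashed["admin"]), verify_password("2", hashed["admin"]))
```

Hashing does not fix the weak factory values themselves ("1" still falls to a trivial guess at login), so it complements, rather than replaces, a password policy and a forced change on first use.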
  
6. *Vulnerable to Cross-Site Request Forgery*

No CSRF token is generated per page and / or per (sensitive) function. Successful exploitation of this vulnerability can allow silent execution of unauthorized actions on the device, such as configuration parameter changes and saving the modified configuration.
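The missing per-function token in item 6 is what lets a request that merely carries the victim's session cookie change configuration. The added example below is not the meter's firmware; it is a hypothetical configuration-save handler in two forms, one that trusts the cookie alone and one that requires a session-bound HMAC token plus an exact-origin check. The portal origin meter.example, the session ids and the config key poll_interval are all made up.

```python
"""Added example, not code from the advisory or the vendor: a state-changing
handler with no CSRF check next to one protected by a session-bound token.
Origin, session ids and config keys are hypothetical."""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SERVER_KEY = secrets.token_bytes(32)   # per-device secret; generated at provisioning in practice
OWN_ORIGIN = "http://meter.example"    # hypothetical management-portal origin


def csrf_token(session_id: str) -> str:
    """Token bound to the session: a cross-site page cannot read it, so it cannot forge it."""
    return hmac.new(SERVER_KEY, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def valid_csrf(session_id: str, token) -> bool:
    """Constant-time comparison against the token expected for this session."""
    return isinstance(token, str) and hmac.compare_digest(csrf_token(session_id), token)


def same_origin(header_value: str, own_origin: str = OWN_ORIGIN) -> bool:
    """Compare scheme and host exactly; a prefix test would let meter.example.attacker pass."""
    h, o = urlsplit(header_value), urlsplit(own_origin)
    return (h.scheme, h.netloc) == (o.scheme, o.netloc)


def save_config_unprotected(session_id: str, form: dict, headers: dict, config: dict) -> bool:
    """As the advisory describes: the browser's session cookie alone authorises the change."""
    config.update(form)
    return True


def save_config_protected(session_id: str, form: dict, headers: dict, config: dict) -> bool:
    """Hardened: require the session-bound token and, when the browser sends one, a matching Origin."""
    if not valid_csrf(session_id, form.get("csrf_token")):
        return False
    origin = headers.get("Origin") or headers.get("Referer")
    if origin and not same_origin(origin):
        return False
    config.update({k: v for k, v in form.items() if k != "csrf_token"})
    return True


# Constructed cross-site request: the victim's session rides along, but no token.
FORGED_FORM = {"poll_interval": "1"}
FORGED_HEADERS = {"Origin": "http://attacker.example"}

if __name__ == "__main__":
    cfg = {"poll_interval": "60"}
    print(save_config_unprotected("sess-1", FORGED_FORM, FORGED_HEADERS, cfg), cfg)
    cfg = {"poll_interval": "60"}
    print(save_config_protected("sess-1", FORGED_FORM, FORGED_HEADERS, cfg), cfg)
    legit = {"poll_interval": "1", "csrf_token": csrf_token("sess-1")}
    print(save_config_protected("sess-1", legit, {"Origin": OWN_ORIGIN}, cfg), cfg)
```

The token is derived from the session id rather than stored per page, so the device keeps no extra state; the origin check is a second, independent line of defence for browsers that send Origin or Referer.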
  
7. *Sensitive information leakage*

Every time 'root' logs in, a GET request is made to a specific URL to access the password configuration file.

The response comes as XML data and contains all accounts and their passwords. As the management portal is configured for HTTP by default, a suitably positioned attacker can sniff all login credentials and gain privileged access.
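Items 3, 4, 5 and 7 together describe a credential export that an operator can audit offline: factory-default passwords, an account the manual does not mention, and values that are recoverable in clear text. The added example below is not from the advisory or the vendor; the XML layout it parses is an assumption (the page does not give the real file format), and the sample content is constructed from the accounts the advisory lists. It generalises slightly beyond the page by also flagging passwords that equal the username or fall under a minimum length.

```python
"""Added example, not code from the advisory or the vendor: an offline audit of
a credential export in the style item 7 describes. The XML layout is assumed;
the sample content is constructed from the advisory's account list."""
import xml.etree.ElementTree as ET  # constructed input only; use defusedxml for files you did not write

# Constructed sample in an assumed layout.
SAMPLE_XML = """<accounts>
  <account name="admin" password="1"/>
  <account name="user" password="1"/>
  <account name="alg" password="1"/>
  <account name="telem" password="1"/>
  <account name="root" password="root"/>
</accounts>"""

DOCUMENTED = {"admin", "user", "alg", "telem"}   # accounts the advisory says the manual lists
KNOWN_DEFAULTS = {"1", "root"}                   # factory values the advisory reports
MIN_LENGTH = 8                                   # local policy assumption


def parse_accounts(xml_text: str) -> dict:
    """Map account name -> password from the assumed <account name= password=/> layout."""
    root = ET.fromstring(xml_text)
    return {a.get("name"): a.get("password", "") for a in root.iter("account")}


def audit(accounts: dict, documented=DOCUMENTED) -> list:
    """Return (account, issue) findings; '*' marks a finding about the export as a whole."""
    findings = []
    if any(accounts.values()):
        # The export itself is the first problem: passwords should not be recoverable at all.
        findings.append(("*", "passwords exported in clear text"))
    for name, pw in accounts.items():
        if name not in documented:
            findings.append((name, "undocumented account"))
        if pw in KNOWN_DEFAULTS:
            findings.append((name, "factory default password"))
        elif pw.lower() == name.lower():
            findings.append((name, "password equals username"))
        elif len(pw) < MIN_LENGTH:
            findings.append((name, "password shorter than %d" % MIN_LENGTH))
    return findings


if __name__ == "__main__":
    for account, issue in audit(parse_accounts(SAMPLE_XML)):
        print("%-6s %s" % (account, issue))
```

Because the export travels over plain HTTP at every root login, the audit should be run on a copy taken over a trusted path and the file itself treated as sensitive; the finding for "*" is the one that no password rotation clears.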
  
*Telnet*

1. *Access Control Issues*
By default, password authentication is not enabled on Telnet access (AFAIK).
- This access gives superuser-level access to the device
- Access to the device provides detailed info on the application, configuration, device file system, databases (including Energy & billing), consumption, statistics, network information, as well as clear-text creds (FTP)
- Easy vector to device & data compromise

+++++
