Title: InfraPower PPS-02-S Q213V1 Hard-coded Credentials Remote Root Access
Advisory ID: ZSL-2016-5371
Impact: System Access
Release Date: 28.10.2016
InfraPower Manager PPS-02-S is a FREE built-in GUI of each IP dongle (IPD-02-S only) to remotely monitor the connected PDUs. Patented IP Dongle provides IP remote access to the PDUs by a true network IP address chain. Only 1xIP dongle allows access to max. 16 PDUs in daisy chain - which is a highly efficient application for saving not only the IP remote accessories cost, but also the true IP addresses required on the PDU management.
InfraPower suffers from a use of hard-coded credentials. The IP dongle firmware ships with hard-coded accounts that can be used to gain full system access (root) using the telnet daemon on port 23.
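A defensive check for this class of flaw, as an added example that is not from the advisory or the vendor: it audits the account files of an unpacked firmware root filesystem for logins that ship with a fixed or empty password and a usable shell, and checks whether a startup file launches telnetd. The file contents are constructed samples, not the InfraPower firmware's actual accounts, and the passwd/shadow/inetd.conf layout is an assumption about how such an image is organised.

```python
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

def _password_state(field):
    """Classify a passwd/shadow password field."""
    if field == "":
        return "empty"                      # logs in with no password at all
    if field[0] in "!*":
        return "locked"                     # password authentication disabled
    return "hash"                           # fixed hash baked into the image

def audit_accounts(passwd_text, shadow_text=""):
    """Return (user, uid, state) for accounts that can log in with a shipped password."""
    shadow = {}
    for line in shadow_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 2 and not line.startswith("#"):
            shadow[parts[0]] = parts[1]
    findings = []
    for line in passwd_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 7 or line.startswith("#") or not parts[2].isdigit():
            continue                        # skip comments and malformed rows
        user, pw, uid, shell = parts[0], parts[1], int(parts[2]), parts[6]
        if pw == "x":                       # password is stored in shadow
            pw = shadow.get(user, "*")      # no shadow entry: treat as locked
        state = _password_state(pw)
        if state != "locked" and shell not in NOLOGIN_SHELLS:
            findings.append((user, uid, state))
    return findings

def telnet_enabled(startup_text):
    """True if an uncommented line in inetd.conf or an rc script runs telnetd."""
    for line in startup_text.splitlines():
        active = line.split("#", 1)[0]      # drop comments
        if any(tok.rsplit("/", 1)[-1] == "telnetd" for tok in active.split()):
            return True
    return False

# Constructed sample files (not taken from the InfraPower firmware).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
service:$1$CONSTRUCTED$hash:0:0::/:/bin/sh
nobody:x:99:99::/:/bin/false
"""
SAMPLE_SHADOW = """root:$1$CONSTRUCTED$roothash:14000:0:99999:7:::
nobody:*:14000:0:99999:7:::
"""
SAMPLE_INETD = "telnet stream tcp nowait root /usr/sbin/telnetd telnetd\n"

if __name__ == "__main__":
    print(audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW), telnet_enabled(SAMPLE_INETD))
```

Any UID 0 finding combined with an enabled telnetd is the condition this advisory describes; a shipped hash is identical on every unit running that firmware build.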
Vendor: Austin Hughes Electronics Ltd. - <http://www.austin-hughes.com>
Affected Version: Q213V1 (Firmware: V2395S)
Tested On: Linux 2.6.28 (armv5tel)
[27.09.2016] Vulnerability discovered.
[03.10.2016] Vendor contacted.
[04.10.2016] Vendor responds asking for more details.
[04.10.2016] Sent details to the vendor.
[06.10.2016] Vendor has released a new firmware version that addresses these issues.
[28.10.2016] Public security advisory released.
Vulnerability discovered by Gjoko Krstic - <email@example.com>
[28.10.2016] - Initial release
[31.10.2016] - Added reference ,  and 
[02.11.2016] - Added reference 
Zero Science Lab