InfraPower PPS-02-S Q213V1 Hard-coded Credentials Remote Root Access

2016-10-28T00:00:00
ID ZSL-2016-5371
Type zeroscience
Reporter Gjoko Krstic
Modified 2016-10-28T00:00:00

Description

Title: InfraPower PPS-02-S Q213V1 Hard-coded Credentials Remote Root Access
Advisory ID: ZSL-2016-5371
Type: Local/Remote
Impact: System Access
Risk: (5/5)
Release Date: 28.10.2016

Summary

InfraPower Manager PPS-02-S is a FREE built-in GUI of each IP dongle (IPD-02-S only) to remotely monitor the connected PDUs. Patented IP Dongle provides IP remote access to the PDUs by a true network IP address chain. Only 1xIP dongle allows access to max. 16 PDUs in daisy chain - which is a highly efficient application for saving not only the IP remote accessories cost, but also the true IP addresses required on the PDU management.

Description

InfraPower suffers from a use of hard-coded credentials. The IP dongle firmware ships with hard-coded accounts that can be used to gain full system access (root) using the telnet daemon on port 23.
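
One way a defender can audit an unpacked firmware image for this class of issue, shown as an added example that is not code from the advisory or the vendor. The account names, hashes and inittab lines are constructed sample data, and the function names are hypothetical.

```python
# Constructed sample data; not taken from the InfraPower firmware.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
service:$1$abcdefgh$0123456789abcdefghijkl:0:0:vendor:/:/bin/sh
www:x:33:33:web:/var/www:/bin/false
guest::500:500:guest:/tmp:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$1$examples$AAAAAAAAAAAAAAAAAAAAAA:10933:0:99999:7:::
www:*:10933:0:99999:7:::
"""
SAMPLE_INITTAB = """\
::sysinit:/etc/init.d/rcS
# ::respawn:/sbin/getty 115200 ttyS0
::respawn:/usr/sbin/telnetd -F
"""
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

def rows(text, min_fields):
    """Yield colon-separated field lists, skipping blank/comment/short lines."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if not line.strip().startswith("#") and len(fields) >= min_fields:
            yield fields

def audit_accounts(passwd_text, shadow_text=""):
    """Return accounts that can log in with a password baked into the image."""
    shadow = {f[0]: f[1] for f in rows(shadow_text, 2)}
    findings = []
    for f in rows(passwd_text, 7):
        name, pw, uid, shell = f[0], f[1], f[2], f[6]
        if pw == "x":                      # real hash lives in shadow
            pw = shadow.get(name, "*")     # no shadow entry: treat as locked
        locked = pw.startswith(("!", "*"))
        if locked or shell in NOLOGIN_SHELLS:
            continue
        findings.append({"user": name, "uid0": uid == "0",
                         "empty_password": pw == "", "shell": shell})
    return findings

def telnetd_started(init_text):
    """True if a non-comment line of an inittab/init script launches telnetd."""
    return any("telnetd" in l.split("#", 1)[0] for l in init_text.splitlines())

if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(finding)
    print("telnetd started at boot:", telnetd_started(SAMPLE_INITTAB))
```

Feed it the `etc/passwd`, `etc/shadow` and init files from the extracted root filesystem; a UID 0 finding combined with a telnetd start line is the combination this advisory describes.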

Vendor

Austin Hughes Electronics Ltd. - <http://www.austin-hughes.com>

Affected Version

Q213V1 (Firmware: V2395S)

Tested On

Linux 2.6.28 (armv5tel)
lighttpd/1.4.30-devel-1321
PHP/5.3.9
SQLite/3.7.10

Vendor Status

[27.09.2016] Vulnerability discovered.
[03.10.2016] Vendor contacted.
[04.10.2016] Vendor responds asking for more details.
[04.10.2016] Sent details to the vendor.
[06.10.2016] Vendor has released a new firmware version that addresses these issues.
[28.10.2016] Public security advisory released.

PoC

infrapower_hardcoded.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <https://www.exploit-db.com/exploits/40643/>
[2] <https://packetstormsecurity.com/files/139420>
[3] <https://cxsecurity.com/issue/WLB-2016100262>
[4] <https://exchange.xforce.ibmcloud.com/vulnerabilities/118415>

Changelog

[28.10.2016] - Initial release
[31.10.2016] - Added reference [1], [2] and [3]
[02.11.2016] - Added reference [4]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

                                        