InfraPower PPS-02-S Q213V1 Hard-coded Credentials Remote Root Access

Title: InfraPower PPS-02-S Q213V1 Hard-coded Credentials Remote Root Access
Advisory ID: ZSL-2016-5371
Type: Local/Remote
Impact: System Access
Risk: (5/5)
Release Date: 28.10.2016
Summary
InfraPower Manager PPS-02-S is a FREE built-in GUI of each IP dongle (IPD-02-S only) to remotely monitor the connected PDUs. Patented IP Dongle provides IP remote access to the PDUs by a true network IP address chain. Only 1xIP dongle allows access to max. 16 PDUs in daisy chain - which is a highly efficient application for saving not only the IP remote accessories cost, but also the true IP addresses required on the PDU management.
Description
InfraPower suffers from a use of hard-coded credentials. The IP dongle firmware ships with hard-coded accounts that can be used to gain full system access (root) using the telnet daemon on port 23.
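For defenders reviewing an unpacked firmware image before deployment, the check below flags the condition described here: accounts that can log in with a secret fixed in the image, combined with an enabled telnet service. It is an added example, not part of the original advisory or the vendor's code; the file contents and account names are constructed samples, and it assumes telnetd is started from inetd.conf.

```python
# Added example. PASSWD, SHADOW and INETD are constructed samples, not contents
# of the PPS-02-S firmware; the account names are hypothetical.
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
service:$1$abcdefgh$0123456789abcdefghijkl:0:0:factory:/:/bin/sh
www:x:33:33:web:/var/www:/bin/false
guest::500:500:guest:/tmp:/bin/sh
"""
SHADOW = """\
root:$1$saltsalt$AAAAAAAAAAAAAAAAAAAAAA:10933:0:99999:7:::
www:*:10933:0:99999:7:::
"""
INETD = """\
telnet stream tcp nowait root /usr/sbin/telnetd telnetd
#ftp stream tcp nowait root /usr/sbin/ftpd ftpd
"""

def parse_shadow(text):
    """Map account name -> password field from shadow(5) content."""
    rows = (l.split(":") for l in text.splitlines() if l and not l.startswith("#"))
    return {r[0]: r[1] for r in rows if len(r) >= 2}

def login_capable_accounts(passwd_text, shadow_text=""):
    """Return (name, uid, state) for accounts that can log in with a secret fixed in the image."""
    shadow, findings = parse_shadow(shadow_text), []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) != 7 or not f[2].isdigit():
            continue                      # comment or malformed entry
        name, pw, uid, shell = f[0], f[1], int(f[2]), f[6]
        if pw == "x":
            pw = shadow.get(name, "*")    # hash is in shadow; no entry means locked
        if shell in NOLOGIN_SHELLS or pw.startswith(("*", "!")):
            continue                      # no shell or locked password
        findings.append((name, uid, "empty password" if pw == "" else "static hash"))
    return findings

def enabled_inetd_services(inetd_text):
    """Service names on uncommented inetd.conf lines."""
    lines = (l.split() for l in inetd_text.splitlines())
    return [w[0] for w in lines if w and not w[0].startswith("#")]

def remote_root_exposure(passwd_text, shadow_text, inetd_text):
    """uid-0 accounts reachable over telnet, or [] when telnet is not enabled."""
    if "telnet" not in enabled_inetd_services(inetd_text):
        return []
    return [n for n, uid, _ in login_capable_accounts(passwd_text, shadow_text) if uid == 0]
```

A non-empty result from `remote_root_exposure` means every unit flashed with that image shares the same root login; images that start telnetd from an init script instead of inetd need that script checked separately.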
Vendor
Austin Hughes Electronics Ltd. - http://www.austin-hughes.com
Affected Version
Q213V1 (Firmware: V2395S)
Tested On
Linux 2.6.28 (armv5tel)
lighttpd/1.4.30-devel-1321
PHP/5.3.9
SQLite/3.7.10
Vendor Status
[27.09.2016] Vulnerability discovered.
[03.10.2016] Vendor contacted.
[04.10.2016] Vendor responds asking for more details.
[04.10.2016] Sent details to the vendor.
[06.10.2016] Vendor has released a new firmware version that addresses these issues.
[28.10.2016] Public security advisory released.
PoC
infrapower_hardcoded.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.exploit-db.com/exploits/40643/
[2] https://packetstormsecurity.com/files/139420
[3] https://cxsecurity.com/issue/WLB-2016100262
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/118415
Changelog
[28.10.2016] - Initial release
[31.10.2016] - Added references [1], [2] and [3]
[02.11.2016] - Added reference [4]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk