InfraPower PPS-02-S Q213V1 Unauthenticated Remote Root Command Execution
Title: InfraPower PPS-02-S Q213V1 Unauthenticated Remote Root Command Execution
Advisory ID: ZSL-2016-5372
Type: Local/Remote
Impact: System Access
Risk: (5/5)
Release Date: 28.10.2016
lighttpd/1.4.30-devel-1321
PHP/5.3.9
SQLite/3.7.10
[03.10.2016] Vendor contacted.
[04.10.2016] Vendor responds asking more details.
[04.10.2016] Sent details to the vendor.
[06.10.2016] Vendor has released a new firmware version that addresses these issues.
[28.10.2016] Public security advisory released.
[2] https://packetstormsecurity.com/files/139417
[3] https://cxsecurity.com/issue/WLB-2016100259
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/118424
[31.10.2016] - Added reference [1], [2] and [3]
[02.11.2016] - Added reference [4]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2016-5372
Type: Local/Remote
Impact: System Access
Risk: (5/5)
Release Date: 28.10.2016
Summary
InfraPower Manager PPS-02-S is a FREE built-in GUI of each IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs. Patented IP Dongle provides IP remote access to the PDUs by a true network IP address chain. Only 1xIP dongle allows access to max. 16 PDUs in daisy chain - which is a highly efficient cient application for saving not only the IP remote accessories cost, but also the true IP addresses required on the PDU management.Description
InfraPower suffers from multiple unauthenticated remote command injection vulnerabilities. The vulnerability exist due to several POST parameters in several scripts not being sanitized when using the exec(), proc_open(), popen() and shell_exec() PHP function while updating the settings on the affected device. This allows the attacker to execute arbitrary system commands as the root user and bypass access controls in place.Vendor
Austin Hughes Electronics Ltd. - http://www.austin-hughes.comAffected Version
Q213V1 (Firmware: V2395S)Tested On
Linux 2.6.28 (armv5tel)lighttpd/1.4.30-devel-1321
PHP/5.3.9
SQLite/3.7.10
Vendor Status
[27.09.2016] Vulnerability discovered.[03.10.2016] Vendor contacted.
[04.10.2016] Vendor responds asking more details.
[04.10.2016] Sent details to the vendor.
[06.10.2016] Vendor has released a new firmware version that addresses these issues.
[28.10.2016] Public security advisory released.
PoC
infrapower_root.txtCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] https://www.exploit-db.com/exploits/40640/[2] https://packetstormsecurity.com/files/139417
[3] https://cxsecurity.com/issue/WLB-2016100259
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/118424
Changelog
[28.10.2016] - Initial release[31.10.2016] - Added reference [1], [2] and [3]
[02.11.2016] - Added reference [4]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk