Soitec SmartEnergy 1.4 SCADA Login SQL Injection Authentication Bypass Exploit

Medium
Advisory ID
ZSL-2014-5216
Release Date
14 December 2014
Vendor
Affected Version
1.4 and 1.3
CVE
N/A
Tested On
nginx/1.6.2
Summary

Soitec power plants are a profitable and ecological investment at the same time. Using Concentrix technology, Soitec offers a reliable, proven, cost-effective and bankable solution for energy generation in the sunniest regions of the world. The application shows how Concentrix technology works on the major power plants managed by Soitec around the world. For each power plant you can see instantaneous production, current weather conditions, a 3-day weather forecast, the power plant webcam and the production data history.

Description

The Soitec SmartEnergy web application suffers from an authentication bypass vulnerability caused by SQL injection in the login script. The script fails to sanitize the 'login' POST parameter, allowing an attacker to bypass the authentication check and view sensitive information that can be further used in a social engineering attack.
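
The pattern behind this class of bug, as an added illustration that is not the vendor's code and does not reflect the SmartEnergy schema: a login handler that splices the untrusted `login` value into the SQL text, beside the parameterized form that treats it purely as data. The table, the `operator` account and the SHA-256 hashing are constructed for the example only.

```python
import hashlib
import hmac
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table for the demonstration (not the vendor's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT UNIQUE, pw_hash TEXT)")
    conn.execute(
        "INSERT INTO users (login, pw_hash) VALUES (?, ?)",
        ("operator", hashlib.sha256(b"correct horse").hexdigest()),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, login: str, password: str) -> Optional[str]:
    """Unsafe: the 'login' value is concatenated into the query text.

    Any quote character in it changes the structure of the statement, so the
    password comparison can be cut out of the WHERE clause entirely.
    """
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = f"SELECT login FROM users WHERE login = '{login}' AND pw_hash = '{pw_hash}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, login: str, password: str) -> Optional[str]:
    """Hardened: the login is bound as a parameter and is never parsed as SQL.

    The stored hash is compared in constant time. A production deployment
    would use a slow password hash (bcrypt/argon2) rather than plain SHA-256.
    """
    row = conn.execute(
        "SELECT login, pw_hash FROM users WHERE login = ?", (login,)
    ).fetchone()
    if row is None:
        return None
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(row[1], pw_hash):
        return None
    return row[0]


if __name__ == "__main__":
    db = make_db()
    # A constructed login value containing a quote and a comment marker.
    crafted = "operator' --"
    print("vulnerable:", login_vulnerable(db, crafted, "not the password"))  # bypasses the check
    print("safe:      ", login_safe(db, crafted, "not the password"))        # None
```

The only difference that matters is the query construction: with the parameterized form the crafted value is looked up as a literal user name that does not exist, and the password check is never skipped.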

Proof of Concept
Disclosure Timeline
16.11.2014 Vulnerability discovered.
02.12.2014 Vendor contacted.
08.12.2014 Vendor responds asking for more details.
08.12.2014 Sent details to the vendor.
09.12.2014 Vendor confirms the vulnerability.
12.12.2014 Vendor applies fix to version 1.4.
14.12.2014 Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
14.12.2014 Initial release
15.12.2014 Added reference [3]
16.12.2014 Added reference [4]
17.12.2014 Added reference [5]
27.12.2014 Added reference [6]