← Advisories

InfraPower PPS-02-S Q213V1 Unauthenticated Remote Root Command Execution

Critical
Advisory ID
ZSL-2016-5372
Release Date
28 October 2016
Vendor
Austin Hughes Electronics Ltd. - http://www.austin-hughes.com
Affected Version
Q213V1 (Firmware: V2395S)
CVE
N/A
Tested On
Linux 2.6.28 (armv5tel), lighttpd/1.4.30-devel-1321, PHP/5.3.9, SQLite/3.7.10
Summary

InfraPower Manager PPS-02-S is a FREE built-in GUI of each IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs. Patented IP Dongle provides IP remote access to the PDUs by a true network IP address chain. Only 1xIP dongle allows access to max. 16 PDUs in daisy chain - which is a highly efficient cient application for saving not only the IP remote accessories cost, but also the true IP addresses required on the PDU management.

Description

InfraPower suffers from multiple unauthenticated remote command injection vulnerabilities. The vulnerability exist due to several POST parameters in several scripts not being sanitized when using the exec(), proc_open(), popen() and shell_exec() PHP function while updating the settings on the affected device. This allows the attacker to execute arbitrary system commands as the root user and bypass access controls in place.

Proof of Concept
infrapower_root.txtTXT
Disclosure Timeline
27.09.2016Vulnerability discovered.
03.10.2016Vendor contacted.
04.10.2016Vendor responds asking more details.
04.10.2016Sent details to the vendor.
06.10.2016Vendor has released a new firmware version that addresses these issues.
28.10.2016Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]https://www.exploit-db.com/exploits/40640/
[2]https://packetstormsecurity.com/files/139417
[3]https://cxsecurity.com/issue/WLB-2016100259
[4]https://exchange.xforce.ibmcloud.com/vulnerabilities/118424
Changelog
28.10.2016Initial release
31.10.2016Added reference [1], [2] and [3]
02.11.2016Added reference [4]