OS Command Injection

16 May 2017

[ICS] Satel SenNet ICS-CERT advisory released

Recently I posted about multiple security vulnerabilities in SenNet Data Logger appliances and Electricity Meters:
https://ipositivesecurity.com/2017/04/07/sennet-data-logger-appliances-and-electricity-meters-multiple-vulnerabilties/

ICS-CERT finally released the advisory on May 11, 2017:
https://ics-cert.us-cert.gov/advisories/ICSA-17-131-02

Read on for more details.


07 Apr 2017

[ICS] SenNet Data Logger appliances and Electricity Meters Multiple Vulnerabilities

SenNet Data Logger appliances and Electricity Meters Multiple Vulnerabilities

About
SenNet is a trademark of Satel Spain that offers monitoring and remote-control solutions for businesses. Our engineers develop, integrate and test the products of SenNet in our facilities in Madrid (Spain).
http://www.sennetmonitoring.com/wp-content/uploads/2016/05/Datasheet_owa31I-.pdf

VULNERABILITY DETAILS
1. No access control on the remote shell
2. Shell services running with excessive privileges (superuser)
3. OS Command Injection
4. Insecure Transport
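As an added illustration of the vulnerability class named in item 3, not the SenNet PoC from the original post and not Satel's code: a Python sketch of the injectable pattern, a device "diagnostic" handler that concatenates a user-supplied host into a shell command line, beside two hardened forms. `echo` stands in for the real device command (something like `ping -c 1 <host>`) so the example runs offline; the hostname pattern, the function names and the sample inputs are this example's own assumptions.

```python
import re
import shlex
import subprocess

# Stand-in for the command the device would actually run (e.g. ping).
# echo is used so the example runs offline and its output is easy to inspect.
# This is an assumption for illustration, not the real SenNet command.
BASE_COMMAND = "echo"

# Strict allow-list for an IPv4 address or DNS hostname: labels of letters,
# digits and hyphens, starting with an alphanumeric (so a value can never begin
# with '-' and be parsed as an option by the invoked program).
HOST_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def run_vulnerable(host: str) -> str:
    """The injectable pattern: untrusted input pasted into a shell string.

    With shell=True, /bin/sh parses the whole line, so ';', '|', '&&', '$()'
    or backticks in `host` become additional commands. On an appliance whose
    web/shell services run as root, this is root command execution.
    """
    cmd = f"{BASE_COMMAND} {host}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def run_quoted(host: str) -> str:
    """Weaker fix: keep the shell but quote the argument.

    shlex.quote() turns the value into a single shell word, so metacharacters
    lose their meaning. The content is still passed through unchecked, which
    leaves room for argument injection against the invoked program.
    """
    cmd = f"{BASE_COMMAND} {shlex.quote(host)}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def validate_host(host: str) -> str:
    """Allow-list validation; raises ValueError on anything not a plain host."""
    if not HOST_RE.match(host):
        raise ValueError(f"rejected host value: {host!r}")
    return host


def run_hardened(host: str) -> str:
    """Preferred fix: validate the value, then pass it as one argv element.

    No shell is involved, so there is nothing for metacharacters to act on,
    and the allow-list rules out leading '-' and other surprises.
    """
    argv = [BASE_COMMAND, validate_host(host)]
    result = subprocess.run(argv, shell=False, capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    # Constructed payload: a legitimate-looking host followed by an extra command.
    payload = "127.0.0.1; echo INJECTED"
    print("vulnerable:", repr(run_vulnerable(payload)))   # second command runs
    print("quoted:    ", repr(run_quoted(payload)))       # payload echoed as text
    try:
        run_hardened(payload)
    except ValueError as exc:
        print("hardened:  ", exc)                          # rejected up front
    print("hardened ok:", repr(run_hardened("sennet-01.example.net")))
```

The difference worth remembering is that quoting only neutralises the shell; the allow-list plus argv form removes the shell from the path entirely and also blocks values such as `-x` that the target program would interpret as options. Combine either with running the service as an unprivileged user, since the impact of the SenNet issues comes from items 2 and 3 together.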

Read on for the PoC.


02 Mar 2016

[ICS] Schneider Electric Building Operation Automation Server Multiple Vulnerabilities

Details of my security report on Schneider Electric Building Operation Automation Server are documented here. The vulnerability disclosure and handling assistance from the Schneider Electric team was commendable. However, from a security-practices point of view, one of the aspects they seem to rely upon is security through obscurity combined with blind trust in the device users/administrators, both of which are poor foundations for a security design.

CVE-ID
CVE-2016-2278

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-16-061-01

Read on.


29 Jan 2016

[ICS] GEDE UPS SNMP Adapter Vulnerabilities

On a recent pentest, I found a few vulnerabilities in the GE Industrial Solutions UPS SNMP Adapter. Successful exploitation can lead to arbitrary command execution as superuser on the device and to sensitive information leakage.

GE Advisory: http://apps.geindustrial.com/publibrary/checkout/GEIS_SNMP?TNR=Application%20and%20Technical|GEIS_SNMP|PDF&filename=GEIS_SNMP.pdf

ICS-CERT Advisory:
https://ics-cert.us-cert.gov/advisories/ICSA-16-033-02

Affected Products
• All SNMP/Web Interface cards with firmware version prior to 4.8 manufactured by GE Industrial Solutions.

CVE-IDs
CVE-2016-0861
CVE-2016-0862

Read on for details and the PoC.


28 Nov 2015

Cambium ePMP 1000 – Multiple vulnerabilities

A couple of weeks back, I came across Cambium ePMP devices. I found multiple vulnerabilities in Cambium ePMP 1000 devices and, as always, attempted to work with the vendor. But you know how most vendors handle responsible disclosure: poorly.

Hence I am documenting these findings and proofs of concept now.

Read on for details.
