CyberDanube Security Research, 20221130-1
Authenticated Command Injection
product            | Delta Electronics DVW-W02W2-E2
vulnerable version | V2.42
by                 | T. Weber (Office Vienna)
                   | CyberDanube Security Research
                   | Vienna | St. Pölten
“Delta was founded in 1971 and is a worldwide provider of thermal energy and power solutions. The company’s mission, “To Provide Innovative, Clean and Energy-Efficient Solutions for a Better Tomorrow”, focuses on key environmental issues like global climate change. An energy-saving solutions provider that has core competences in power electronics, Delta has three business segments: Power Electronics and Automation.”
DVW-W02W2-E2 / V2.42
Overview of vulnerability
1) Authenticated Command Injection
An authenticated command injection is possible on the device's web server.
This gives an attacker full access to the device's operating system, with
all the consequences that implies. Such a device can act as a key device in
an industrial network or control critical equipment over serial
communication, so an attacker who compromises it may be able to cause more
extensive damage to the network.
Proof of Concept
1) Authenticated Command Injection
An authenticated command injection is possible on the web server via POST
parameters. It works only if the “timestamp” parameter, which can be found
in the URL, carries the correct value. This proof of concept shows how to
bind a shell to port 8889 using an “utelnetd” listener:
POST /apply.cgi?/MT_ping.htm%20timestamp=$correct-timestamp$ HTTP/1.1
Accept-Encoding: gzip, deflate
The device can then be accessed with the “netcat” command:
$ nc 192.168.3.150 8889
BusyBox version 1.4.2 (2016-08-18 22.45:41 EDT). Built-in shell. (ash)
For a complete list of commands, enter ‘help’
This vulnerability was verified manually on an emulated device using the
MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).
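
For defenders reviewing captured traffic or reverse-proxy logs, the following added example (not part of the CyberDanube advisory and not Delta's code) flags POST requests to the ping page named in the request above whose form fields contain shell metacharacters. The advisory does not name the injectable field, so every field is checked; the field name "ping_target", the timestamp value and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

# Characters a POSIX shell treats as separators, pipes or substitutions.
SHELL_META = re.compile(r"[;|&`$<>\r\n]")
PING_PAGE = "/apply.cgi?/MT_ping.htm"  # request target taken from the advisory

def split_request(raw):
    """Split a raw HTTP/1.1 request into (method, decoded target, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    parts = head.split("\r\n", 1)[0].split(" ")
    if len(parts) != 3:
        return None  # malformed request line
    return parts[0], unquote(parts[1]), body

def suspicious_fields(raw):
    """Return [(field, decoded value)] for POSTs to the ping page whose
    form fields carry shell metacharacters; [] for everything else."""
    parsed = split_request(raw)
    if parsed is None:
        return []
    method, target, body = parsed
    if method != "POST" or not target.startswith(PING_PAGE):
        return []
    # parse_qsl splits on '&' first and percent-decodes afterwards, so an
    # encoded metacharacter such as %3B shows up decoded in the value.
    fields = parse_qsl(body, keep_blank_values=True)
    return [(k, v) for k, v in fields if SHELL_META.search(v)]

# Constructed sample requests; "ping_target" is a hypothetical field name.
REQUEST_LINE = "POST /apply.cgi?/MT_ping.htm%20timestamp=1234 HTTP/1.1\r\n"
HEADERS = "Host: 192.168.3.150\r\n\r\n"
BENIGN = REQUEST_LINE + HEADERS + "ping_target=192.168.3.1&count=4"
INJECTED = (REQUEST_LINE + HEADERS
            + "ping_target=192.168.3.1%3Bexample-command&count=4")
OTHER_PAGE = "GET /index.htm HTTP/1.1\r\n" + HEADERS

if __name__ == "__main__":
    for name, req in [("benign", BENIGN), ("injected", INJECTED),
                      ("other page", OTHER_PAGE)]:
        hits = suspicious_fields(req)
        print(f"{name:10} -> {'ALERT ' + repr(hits) if hits else 'ok'}")
```
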
Upgrade to V2.5.2 firmware
You can work around it
CyberDanube suggests that Delta Electronics customers upgrade the firmware
to the latest version available.
Contact Timeline
2022-08-02: Contacting Delta Electronics.
2022-08-16: Security contact asked a few questions about responsible disclosure; sent responses.
2022-08-30: Requested an update.
2022-09-01: Vendor replied that they would need more time to solve the issues; additional 30 days (until 2022-11-02).
2022-10-12: Vendor replied that the fixing would be performed 2022-11-15; shifted release date to this date.
2022-10-16: Vendor has moved the release date to 2022-11-18; shifted release date to the same day.
2022-10-18: Asked for an upgrade and moved the release date to 2022-10-22.
2022-10-19: Vendor replied that the release of the document was not possible. Contact informed us that the patch would be delayed to end of
2022-10-21: I asked the vendor for a specific release date.
2022-10-28: Vendor has been advised of an advisory release date of 2022-10-30.
2022-10-30: Found firmware patches with the issue date of 2022-11-25 at vendors
2022-10-30: Coordination of release.
Email: cyberdanube at com
EOF T. Weber / @2022