Cir-PWN-life

Cir-PWN-life is a proof of concept for exploiting multiple vulnerabilities affecting Circontrol products in an automated way.

| CVE | Description |
| --- | --- |
| CVE-2018-12634 | CirCarLife Scada < v4.3 allows remote attackers to obtain sensitive information via a direct request for the html/log or services/system/info.html URI. |
| CVE-2018-16668 | CirCarLife Scada < v4.3 internal installation path disclosure. |
| CVE-2018-16669 | Because credentials are stored in clear text, an unprivileged user can gain access to other services with higher privileges by exploiting a flaw in the Open Charge Point Protocol web implementation. All versions prior to 1.5.0 are vulnerable. |
| CVE-2018-16670 | CirCarLife Scada < v4.3 allows remote attackers to obtain the status of PLCs used at charge stations. |
| CVE-2018-16671 | CirCarLife Scada < v4.3 allows remote attackers to obtain software and hardware versions. |
| CVE-2018-16672 | CirCarLife Scada < v4.3 allows remote authenticated attackers to obtain critical details about the charge station, including credentials for the GPRS router. |
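
A defender-side check for CVE-2018-12634, added here as an example and not part of the Cir-PWN-life repository: it scans access logs for successful unauthenticated requests to the two URIs named in the table. The combined log format (assumed to come from a reverse proxy in front of the device), the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# URIs named in the CVE-2018-12634 description above.
SENSITIVE_PATHS = ("/html/log", "/services/system/info.html")

# Assumption: common/combined log format written by a reverse proxy in front
# of the device; this is not the product's own log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) '
)

def normalize(uri):
    """Drop the query string, percent-decode, collapse '//' and lower-case."""
    path = unquote(uri.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path).lower()

def is_sensitive(path):
    """True for an exact match or anything below a sensitive path."""
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_PATHS)

def find_exposure(lines):
    """Map client IP -> [(timestamp, path)] for requests to a sensitive URI
    that were answered 2xx with no authenticated user."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not access-log records
        path = normalize(m["uri"])
        if is_sensitive(path) and m["user"] == "-" and m["status"].startswith("2"):
            hits[m["ip"]].append((m["ts"], path))
    return dict(hits)

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Sep/2018:09:14:02 +0000] "GET /services/system/info.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Sep/2018:09:14:03 +0000] "GET //html/LOG?x=1 HTTP/1.1" 200 20480',
    '192.0.2.10 - admin [10/Sep/2018:09:20:00 +0000] "GET /html/log HTTP/1.1" 200 20480',
    '203.0.113.5 - - [10/Sep/2018:09:21:00 +0000] "GET /html/login.html HTTP/1.1" 200 900',
    '203.0.113.5 - - [10/Sep/2018:09:22:00 +0000] "GET /services/system/info.html HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for ip, events in find_exposure(SAMPLE_LOG).items():
        print(ip, len(events), [p for _, p in events])
```

A 2xx answer to either URI with no authenticated user indicates the station is still serving the information described in the CVE; requests that end in 401 or carry a user name are left out of the result.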

Finding targets

| Engine | Dork | Results |
| --- | --- | --- |
| Shodan | Server: CirCarLife | 506 |
| Shodan | Server: PsiOcppApp | 1057 |
| Zoomeye | "Server: CirCarLife Scada" | 984 |

Bruteforce module

The bruteforce module can be started by entering b as the user when it is requested. Bruteforce dictionary format: username:password. Default credentials: admin:1234.

Timeline

  • 2018/06/21 - CVE-2018-12634 assigned
  • 2018/09/04 - Vendor contacted without response
  • 2018/09/06 - CVE-2018-16668 through CVE-2018-16672 assigned
  • 2018/09/06 - Spanish government CERT contacted for coordinated disclosure and further contact with the vendor to publish a patch.
  • 2018/09/10 - POC published

Last update: 2018/09/10. No patch available
