Skip to content

Latest commit

 

History

History
112 lines (83 loc) · 3.51 KB

CVE-2023-30399.md

File metadata and controls

112 lines (83 loc) · 3.51 KB
Raw

Garo Web Console Getshell

CVE-ID

CVE-2023-30399

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30399

Vendors

http://garocharging.com/glb-wallbox/ https://www.garo.se/

image-20221128213612177

Description

GARO Wallbox series products are a type of charging pile products for the Internet of Things.

The web console of GARO GLB Wallbox series products has unauthorized access to the update interface. From the setting page, you can obtain the firmware address and update the SoftWare permissions. Obtain device management permissions by deploying the Tomcat war package in the custom update package.

Vendor of the products: GARO Wallbox GLB/GTB/GTC

Vulnerable Version: <=189

Vulnerability Type: Remote code execution

Proof of concept: Firmware update API without authentication

Vulnerability Details

The firmware address can be obtained on this page(http://target:8080/serialweb/#settings), and a man-in-the-middle attack can be used to modify the address to a malicious update package link.

image-20221128214620208

The firmware update address and the latest version are as follows:

image-20221128214247215

Download the firmware update package and analyze the directory structure:

chargebox_189.tgz

├── META-INF
│   └── MANIFEST.MF
├── PENDING_UPDATE
├── SerialService.jar
├── cacerts
├── chargebox_firmware.bin
├── chargebox_firmware_1E9703.bin
├── chargebox_firmware_1E9801.bin
├── checkonline
├── checkusbhdd
├── config.txt_img
├── default
├── dnsmasq.conf
├── downloadandupdate.sh
├── factoryreset
├── hostapd.conf_img
├── hosts
├── init_firmware.bin
├── iptables.ipv4.forward
├── java.security
├── log
├── log4j.properties
├── prepimage.sh
├── rebuilddatabase
├── resetifoffline
├── restarteth.sh
├── rfidbackup.war
├── serialservice
├── serialweb.war
├── support.sh
├── switchwifi
├── switchwifi_new
├── tzdata-latest.tar.gz
├── tzupdater.jar
├── update
│   ├── META-INF
│   │   └── MANIFEST.MF
│   ├── WEB-INF
│   │   ├── classes
│   │   │   ├── UpdaterServlet.class
│   │   │   └── UploadServlet.class
│   │   └── lib
│   │       ├── commons-fileupload-1.3.2.jar
│   │       └── commons-io-2.5.jar
│   ├── index.html
│   └── test.jsp
├── update.war
├── update189.sh
├── updaterscript.sh
├── wpa_supplicant.conf_img
└── ziplogs

Analyze update.war to get the logic of remote update and local update.

The local update interface can be accessed without authentication.

image-20221128215340840

Therefore, attackers can construct malicious update packages to execute commands and obtain device permissions.

The uploaded Chargebox_189.tgz update package contains a malicious update.war, and everything else remains unchanged.

image-20221128215609064

A malicious update package is uploaded on the update interface. After the update is completed, the test.jsp constructed by the attacker is deployed to the device service.

image-20221128215646764