Skip to content
Permalink
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

Overview

Authenticated Remote Code Execution via firmware upgrade function.

Product and Version

Product Affected Mitigated
Nova 360 Cabinet <= 1.3.0.0.7b102 Beta1.3.0.1.0
Titan 180 Premium <= 1.3.0.0.6 1.3.0.0.9

Description

The charger firmware is upgraded by providing a zip file, then /ubi/local/apps/ocpp/ocpp will service the actual process. The service doesn't have any validation/authentication check against provided archive. Authenticated user can upload the crafted archive to totally compromise the device (there are several ways to upgrade, including via web interface).