Monday, January 18, 2021

KACO XP100U HMI Credential Leak Vulnerability

Date: 2021-01-18

Author: Kevin2600

CVE:  CVE-2021-3252

Version: XP-JAVA 2.0

Vendor:  https://kaco-newenergy.com


Attack Vector: 

During the authentication process the local server returns the correct credentials in plain text, regardless of which password the client supplied.


Reproduce Steps:

1: Sniff the XP100U authentication process with Wireshark or tcpdump.



2: The XP100U client sends a request “aci_request_code type=’int’>31<”.

3: Reversing the Java application shows that code 31 is used for GET_PASSWORD. The funny part is that this request is actually sent to the local server.



4: Regardless of which password has been provided, the correct credentials are always returned in PLAIN-TEXT.
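As an added example, not part of the original advisory, the following Python detector flags captured XP-JAVA client payloads that carry aci_request_code 31 (the GET_PASSWORD code identified above) so that operators can alert on password retrieval requests reaching the HMI. The trusted network range, the non-31 request code and the sample flows are constructed assumptions, not values from the advisory.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Request code the advisory maps to GET_PASSWORD in the XP-JAVA 2.0 client.
GET_PASSWORD_CODE = 31

# Matches the element fragment quoted in the advisory, e.g.
#   aci_request_code type='int'>31<
# Straight and curly quotes are both accepted, since pasted captures vary.
_QUOTE = "['\"\u2018\u2019]"
REQUEST_CODE_RE = re.compile(
    r"aci_request_code\s+type=" + _QUOTE + "int" + _QUOTE + r"\s*>\s*(\d+)\s*<"
)


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    code: int
    severity: str


def extract_request_code(payload: str) -> Optional[int]:
    """Return the integer aci_request_code carried in a payload, or None."""
    m = REQUEST_CODE_RE.search(payload)
    return int(m.group(1)) if m else None


def scan_flows(flows, trusted_net="192.168.1.0/24"):
    """flows: iterable of (src_ip, dst_ip, payload_text) tuples.

    Every GET_PASSWORD request is reported; one arriving from outside the
    trusted operator network (an assumed, site-specific range) is rated high.
    """
    trusted = ipaddress.ip_network(trusted_net)
    alerts = []
    for src, dst, payload in flows:
        if extract_request_code(payload) != GET_PASSWORD_CODE:
            continue
        inside = ipaddress.ip_address(src) in trusted
        alerts.append(Alert(src, dst, GET_PASSWORD_CODE, "medium" if inside else "high"))
    return alerts


# Constructed sample flows (not a real capture): a request with a made-up
# non-GET_PASSWORD code, a GET_PASSWORD from the operator LAN, and one from
# a public address. The HMI sits at the assumed address 192.168.1.10.
SAMPLE_FLOWS = [
    ("192.168.1.20", "192.168.1.10", "<aci_request_code type='int'>12</aci_request_code>"),
    ("192.168.1.20", "192.168.1.10", "<aci_request_code type='int'>31</aci_request_code>"),
    ("203.0.113.7", "192.168.1.10", "aci_request_code type=\u2019int\u2019>31<"),
]

if __name__ == "__main__":
    for a in scan_flows(SAMPLE_FLOWS):
        print(f"[{a.severity}] {a.src} -> {a.dst}: aci_request_code {a.code} (GET_PASSWORD)")
```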


Impact-Level:

According to the search engine Shodan, around 172 devices are currently exposed to the public Internet.


Vendor Response: 

The vendor KACO has been contacted, but there has been no response from them :(


Reference:

https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-15-224-01