Solar-Log Multiple Vulnerabilities

Vendor: Solare Datensysteme GmbH
Product: Solar-Log1000 (User Manual)
Shodan: “Server: IPC@CHIP”
ICS-CERT Reference: ICS-VU-599048

Defaults

Dial in password:

The password is “solarlog”, but this should be changed.

“Data import” section:

User name: solarlog
Password: solarlog

The web interface does not appear to have a default password, and it doesn’t make the admin create one.

Information Disclosure

There are information disclosure issues in the Solar-Log200, Solar-Log800, and Solar-Log1000. By default the web interface doesn’t require authentication, so everything listed below is displayed to anyone who can reach it! Instead of protecting the information, the device relies on client-side obfuscation to hide sensitive values: the password fields are masked in the browser, but their values are present in the page source. All of this is sent over HTTP by default, so there is no SSL protection either.

http://host/email.html – SMTP Server, User name, Password, E-mail address:

<td width="200">SMTP server</td>
<td><input name="smtp" id="smtp" maxlength="59" type="text" class="einzeilig" value="home.solarlog-web.eu:587" /></td>
[..]
<td>User name</td>
<td><input name="user" id="user" maxlength="59" type="text" class="einzeilig" value="logpac@oelmaier-technology.com" /></td>
[..]
<td>Password</td>
<td><input name="password" id="password" maxlength="20" type="password" class="einzeilig" value="e1ffd0cb" /></td>
[..]
<td>E-mail address from</td>
<td><input name="email_von" id="email_von" maxlength="59" type="text" class="einzeilig" value="gebruikersnaam@home.solarlog-web.eu" /></td>

http://host/sms.html – User name, Password

<td>User name</td>
<td><input name="user" id="user" maxlength="59" type="text" class="einzeilig" value="benutzername" /></td>
[..]
<td>Password</td>
<td><input name="password" id="password" maxlength="20" type="password" class="einzeilig" value="passwort" /></td>

http://host/backup.html – FTP Server, User name, Password

<td width="200">FTP server</td>
<td><input name="ftp" id="ftp" maxlength="59" type="text" class="einzeilig" value="home.solarlog-web.nl" /></td>
[..]
<td>User name</td>
<td><input name="user" id="user" maxlength="59" type="text" class="einzeilig" value="username" /></td>
[..]
<td>Password</td>
<td><input name="password" id="password" maxlength="20" type="password" class="einzeilig" value="password" /></td>

http://host/export.html – FTP Server, User name, Password

<td width="200">FTP server</td>
<td><input name="ftp" id="ftp" maxlength="59" type="text" class="einzeilig" value="home.solarlog-web.nl" /></td>
[..]
<td>User name</td>
<td><input name="user" id="user" maxlength="59" type="text" class="einzeilig" value="f0071dd2" /></td>
[..]
<td>Password</td>
<td><input name="password" id="password" maxlength="59" type="password" class="einzeilig" value="hupupuvesu" /></td>

http://host/lan.html – Internal IP Address, Gateway Address

<td width="200">IP address</td>
<td><input name="ip" size="16" maxlength="15" type="text" class="einzeiligshort" id="ip" value="192.168.1.21" /></td>
[..]
<td>Gateway</td>
<td><input name="gateway" size="16" maxlength="15" type="text" class="einzeiligshort" id="gateway" value="192.168.1.1" /></td>
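
One way to check a device you administer for the behaviour shown above, as an added example that is not part of the original post: the Python below parses a saved copy of a configuration page and reports every input field the server pre-filled, flagging type="password" fields whose value is present in the source. The function names and the sample HTML are constructed for illustration; only the length of each value is reported, never the value.

```python
from html.parser import HTMLParser

# Constructed sample modelled on the email.html markup above; values are placeholders.
SAMPLE = """
<tr><td>User name</td>
<td><input name="user" id="user" type="text" class="einzeilig" value="example-user" /></td></tr>
<tr><td>Password</td>
<td><input name="password" id="password" type="password" class="einzeilig" value="EXAMPLE-ONLY" /></td></tr>
"""
HARDENED = SAMPLE.replace('value="EXAMPLE-ONLY"', 'value=""')  # stored secret not echoed back

class PrefilledFieldAudit(HTMLParser):
    """Record <input> elements whose value attribute was filled in by the server."""

    def __init__(self):
        super().__init__()
        self._in_td = False
        self._label = ""      # text of the most recent non-empty <td>, used as the field label
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "td":
            self._in_td = True
        elif tag == "input":
            a = dict(attrs)
            value = a.get("value") or ""
            if value:
                self.findings.append({
                    "label": self._label,
                    "name": a.get("name") or "",
                    "masked_only": (a.get("type") or "text").lower() == "password",
                    "value_length": len(value),   # report the length, never the secret itself
                })

    def handle_endtag(self, tag):
        if tag == "td":
            self._in_td = False

    def handle_data(self, data):
        if self._in_td and data.strip():
            self._label = data.strip()

def audit_page(html):
    """Return every pre-filled input field found in the page."""
    parser = PrefilledFieldAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

def leaked_secrets(html):
    """Return only the pre-filled fields that the browser merely masks on screen."""
    return [f for f in audit_page(html) if f["masked_only"]]
```

Any entry returned by leaked_secrets for a page saved from your own device means the stored credential is readable by whoever can load that page.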

####

Discovered: 2013-02-03
Research/Verification: 2013-04-10
ICS-CERT Informed: 2013-04-11
ICS-CERT says not a vulnerability: 2013-04-25 – “We consider hard-coded (unchangeable) passwords to be a vulnerability, but we do not consider documented changeable default passwords to be a vulnerability.”
