Posts Tagged ‘Solar’

Growatt Shine WebBox Default Admin Credentials

January 25, 2016


Shine WebBox installs with a default admin account according to the manual (admin / 123456). This allows a remote attacker to do everything from learning the internal IP address to fully controlling the device.


Kostal Solar PIKO BA Storage System Web Interface Default Admin Credentials

January 15, 2014

The Kostal Solar PIKO BA Storage System contains default admin credentials for the web interface according to the manual.

Calling up the web server
1. Start your Internet browser.
2. Enter the IP address of the inverter in the browser's address bar and confirm with “Return”.
The input screen for the access data opens.
3. The following login data is preset by default in the input screen:
User name: pvserver
Password: pvwr
Enter the user name and password.

Kostal Solar PIKO-Inverters Default Admin Credentials

January 8, 2014

Kostal Solar PIKO-Inverters (Shodan search), versions 3.0, 3.6, 4.2, 5.5, 7.0, 8.3, and 10.1 contain default admin credentials for the web interface according to the manual.

7.2.1 Connecting to the web server of the inverter
..
Enter user name and password. The factory defaults for user name and password are set as follows:
User name: pvserver
Password: pvwr


IBC Solar – Multiple Vulnerabilities

October 1, 2013

I caught a few IBC Solar ServeMaster TLP+ installations off the Danfoss Shodan search and it seems to have the same vulnerabilities plus a few. They use the same underlying server and same layout for the web pages so I think it is just different branding? You can log in with the defaults of admin / admin.

Login screen:

[Screenshot: ibcsolar01]

Under Setup -> Communication -> SMTP setup (/cgi-bin/setup_comm_smtp.tcl), the credentials of a mail server are stored in plain text. If the default admin login is not changed then an attacker can gain credentials of another server:

[Screenshot: ibcsolar02]

The request is made over HTTP via the GET method, not SSL:

[Screenshot: ibcsolar03]

The response is in the clear as seen in a proxy:

[Screenshot: ibcsolar04]

Under Setup -> Communication -> Portal upload (/cgi-bin/setup_comm_dw.tcl), the credentials of the FTP server are stored in plain text too:

[Screenshot: ibcsolar05]

Under Setup -> Communication -> GSM Modem (/cgi-bin/setup_comm_gprs.tcl), the credentials of the FTP server are stored in plain text too:

[Screenshot: ibcsolar06]

Danfoss Solar Inverters – Multiple Vulnerabilities

September 30, 2013

Danfoss Solar Inverters contain a couple of vulnerabilities, found in a saved Shodan search. The notes for the search said “mostly TLX series (6-15 kW / inverter)” and the default credentials are admin / admin, which I verified. After that, there is another problem:

Login screen:

[Screenshot: danfoss01]

Under Setup -> Communication, the credentials of a mail server are stored in plain text. If the default admin login is not changed then an attacker can gain credentials of another server:

[Screenshot: danfoss02]

The request is made over HTTP via the GET method, not SSL:

[Screenshot: danfoss03]

The response is in the clear as seen in a proxy:

[Screenshot: danfoss04]

Sinapsi eSolar Default Credentials

September 26, 2013

Ran across another saved search in Shodan, this time for Sinapsi eSolar, a web interface to monitor solar power generation, mostly in Italy. Also a good reminder how so many other countries embrace solar power generation while we are so far behind! The default credentials are admin / admin:

You are given an option to access “free” (no login required) for basic info:

[Screenshot: esolar0]

[Screenshot: esolar2-free_access]

If you log in as admin (password admin) you get full access including to web cameras that monitor the equipment, if installed:

[Screenshot: esolar1]

Solar-Log Multiple Vulnerabilities

September 6, 2013

Vendor: Solare Datensysteme GmbH
Product: Solar-Log1000 (User Manual)
Shodan: “Server: IPC@CHIP”
ICS-CERT Reference: ICS-VU-599048

Defaults

Dial in password:

The password is “solarlog”, but this should be changed.

“Data import” section:

User name: solarlog
Password: solarlog

The web interface does not appear to have a default password and doesn’t make the admin create one.

Information Disclosure

There are information disclosure issues in the Solar-Log200, Solar-Log800, and Solar-Log1000. By default the web interface doesn’t require authentication so all of this is displayed to anyone! Instead of protecting the information, it relies on client-side obfuscation to hide sensitive information. This is all sent over HTTP by default, so no SSL protection either.

http://host/email.html – SMTP Server, User name, Password, E-mail address:

<td width="200">SMTP server</td>
<td><input name="smtp" id="smtp" maxlength="59" type="text" class="einzeilig" value="home.solarlog-web.eu:587" /></td>
[..]
<td>User name</td>
<td><input name="user" id="user" maxlength="59" type="text" class="einzeilig" value="logpac@oelmaier-technology.com" /></td>
[..]
<td>Password</td>
<td><input name="password" id="password" maxlength="20" type="password" class="einzeilig" value="e1ffd0cb" /></td>
[..]
<td>E-mail address from</td>
<td><input name="email_von" id="email_von" maxlength="59" type="text" class="einzeilig" value="gebruikersnaam@home.solarlog-web.eu" /></td>

http://host/sms.html – User name, Password

<td>User name</td>
<td><input name="user" id="user" maxlength="59" type="text" class="einzeilig" value="benutzername" /></td>
[..]
<td>Password</td>
<td><input name="password" id="password" maxlength="20" type="password" class="einzeilig" value="passwort" /></td>

http://host/backup.html – FTP Server, User name, Password

<td width="200">FTP server</td>
<td><input name="ftp" id="ftp" maxlength="59" type="text" class="einzeilig" value="home.solarlog-web.nl" /></td>
[..]
<td>User name</td>
<td><input name="user" id="user" maxlength="59" type="text" class="einzeilig" value="username" /></td>
[..]
<td>Password</td>
<td><input name="password" id="password" maxlength="20" type="password" class="einzeilig" value="password" /></td>

http://host/export.html – FTP Server, User name, Password

<td width="200">FTP server</td>
<td><input name="ftp" id="ftp" maxlength="59" type="text" class="einzeilig" value="home.solarlog-web.nl" /></td>
[..]
<td>User name</td>
<td><input name="user" id="user" maxlength="59" type="text" class="einzeilig" value="f0071dd2" /></td>
[..]
<td>Password</td>
<td><input name="password" id="password" maxlength="59" type="password" class="einzeilig" value="hupupuvesu" /></td>

http://host/lan.html – Internal IP Address, Gateway Address

<td width="200">IP address</td>
<td><input name="ip" size="16" maxlength="15" type="text" class="einzeiligshort" id="ip" value="192.168.1.21" /></td>
[..]
<td>Gateway</td>
<td><input name="gateway" size="16" maxlength="15" type="text" class="einzeiligshort" id="gateway" value="192.168.1.1" /></td>
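
An added example, not code from the original post or from the vendor: a Python audit that a device owner or firmware developer can run over a saved copy of their own configuration page to flag the pattern quoted above, a password input whose value is already present in the served HTML. The sample markup, the field-name hints and the names PrefilledSecretAuditor and audit_page are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Constructed sample modelled on the markup quoted above; all values are placeholders.
SAMPLE_PAGE = """
<td>SMTP server</td>
<td><input name="smtp" id="smtp" type="text" value="mail.example.test:587" /></td>
<td>Password</td>
<td><input name="password" id="password" type="password" value="CONSTRUCTED-SECRET" /></td>
"""

# Assumed name fragments that mark a field as secret even when type is not "password".
SECRET_NAME_HINTS = ("pass", "pwd", "secret", "token")


class PrefilledSecretAuditor(HTMLParser):
    """Collects <input> fields whose secret value is present in the served markup."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        name = a.get("name", "")
        is_secret = a.get("type", "").lower() == "password" or any(
            hint in name.lower() for hint in SECRET_NAME_HINTS
        )
        if is_secret and a.get("value", "").strip():
            # Record the field name and value length only, never the secret itself.
            self.findings.append((name, len(a["value"])))


def audit_page(html, served_over_tls, requires_auth):
    """Return a list of issues for one configuration page."""
    parser = PrefilledSecretAuditor()
    parser.feed(html)
    parser.close()
    issues = [f"secret field '{n}' is pre-filled in markup ({length} chars)"
              for n, length in parser.findings]
    if parser.findings and not served_over_tls:
        issues.append("page carrying secrets is served over plain HTTP")
    if parser.findings and not requires_auth:
        issues.append("page carrying secrets is reachable without authentication")
    return issues


if __name__ == "__main__":
    for issue in audit_page(SAMPLE_PAGE, served_over_tls=False, requires_auth=False):
        print(issue)
```

A type="password" field only masks the value on screen; the fix the audit points to is for the server to leave the value attribute empty and accept a new secret only on submit.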

####

Discovered: 2013-02-03
Research/Verification: 2013-04-10
ICS-CERT Informed: 2013-04-11
ICS-CERT says not a vulnerability: 2013-04-25 – “We consider hard-coded (unchangeable) passwords to be a vulnerability, but we do not consider documented changeable default passwords to be a vulnerability.”