NIBE Heat Pumps exploit code for RCE & LFI with root rights
Fredrik and Mathias wrote in an earlier post today about possible vulnerabilities in the NIBE heat pumps. I am lucky that a friend of mine has one, so I could play around with it for some time.
Fredrik was talking about the following possible vulnerabilities:
- Local file inclusion
- Remote code execution
I found both of them. The local file inclusion is here:
/cgi-bin/read.cgi?page=<LFI>
And the RCE is here:
/cgi-bin/exec.cgi?script=; <command>
Note that the space is important: it bypasses an annoying filter.
Fredrik also noted that the web interface is running with root rights, which is pretty nice.
If you don't have the password you can simply use these exploits as cross-site request forgery (CSRF) exploits, which will give you instant root rights when exploited correctly.
To turn the LFI into a reliable CSRF attack you can inject /var/log/messages with fake user logins, do some nifty requests to the RCE exploit and try to get the admin to this URL: "/cgi-bin/read.cgi?page=../../var/log/messages".
These are the steps in detail:
- Go to the heat pump through your favorite web browser.
- Do a fake authentication with JavaScript in the username field; in the JavaScript put requests to the RCE exploit.
- Get the administrator to log in on the pump and go to "/cgi-bin/read.cgi?page=../../var/log/messages".
- You should now have root rights.
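For anyone on the defending side, here is an added example (not part of the original post and not NIBE's code) that scans web-server access-log lines for the two request shapes described above: directory traversal in read.cgi's page parameter and shell metacharacters in exec.cgi's script parameter. The log lines and their Common Log Format layout are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines (Common Log Format is assumed); the paths
# use the two CGI endpoints named in the write-up.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2013:10:00:00 +0100] "GET /cgi-bin/read.cgi?page=status HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2013:10:00:05 +0100] "GET /cgi-bin/read.cgi?page=../../var/log/messages HTTP/1.1" 200 8192
10.0.0.9 - - [01/Jan/2013:10:00:09 +0100] "GET /cgi-bin/exec.cgi?script=;%20id HTTP/1.1" 200 64
10.0.0.5 - - [01/Jan/2013:10:00:12 +0100] "GET /cgi-bin/exec.cgi?script=status.sh HTTP/1.1" 200 128
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)


def query_params(query):
    """Split a raw query string on '&' only and percent-decode each value.

    Deliberately not parse_qs: older Pythons also split on ';', which would hide
    exactly the character the exec.cgi injection relies on."""
    params = []
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params.append((key, unquote(value)))
    return params


def classify_request(target):
    """Return finding labels for one request target, or [] when nothing matches."""
    parts = urlsplit(target)
    findings = []
    for key, value in query_params(parts.query):
        # Traversal or an absolute path in read.cgi's page parameter.
        if parts.path.endswith("/cgi-bin/read.cgi") and key == "page":
            if "../" in value or value.startswith("/"):
                findings.append("lfi-traversal")
        # Any shell metacharacter in exec.cgi's script parameter, whitespace or
        # not: the post notes a space after ';' slips past the device's filter.
        if parts.path.endswith("/cgi-bin/exec.cgi") and key == "script":
            if re.search(r"[;&|`$\n]", value):
                findings.append("rce-metachar")
    return findings


def scan_log(text):
    """Return (ip, target, labels) for every suspicious request in the log."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (labels := classify_request(m.group("target"))):
            hits.append((m.group("ip"), m.group("target"), labels))
    return hits
```

Both suspicious lines in the sample come from the same client, which is the pivot a responder would follow next.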
I wrote two remote exploits, one for each vulnerability; the LFI can be found here and the RCE here.
Edit:
A collection of the two exploits can be found here.

Hello, I am Jelmer, born in 1991, and I live in Holland. I met Fredrik and Mathias through the internet. You can contact me via email at jelmerdehen [ at ] hotmail [d0t] com, or you can chat with me on IRC.