- #Eaton intelligent power manager default login driver#
- #Eaton intelligent power manager default login software#
The null character is also needed to remove the trailing “.drv” extension from the maliciously crafted path.The IPP_How_to_Hyper_V_R1R2_env.pdf provides the following information: By sending these two requests, the attacker can delete any file on the target system by employing directory traversal characters and the null character (%00).
#Eaton intelligent power manager default login driver#
The attacker then needs to send the second request where the driver ID, that was added when the first request was processed, is omitted from the request thereby initiating the code that will delete that file.However, the overwritten content would be in JSON format and not fully controlled by the attacker. While processing this first request, the code will proceed to overwrite that file with the data provided in the data request parameter. In the first request, the attacker will send a malicious request containing driver ID that is a path to the file that is to be deleted.*Note that the attacker will have to send two requests. Therefore, the attacker can send the requests where the driver ID key in JSON data contains directory traversal characters.
The problem with this code is the fact that it utilizes the driver ID keys in the provided JSON data to delete or create “.drv” file in the “configs/drivers” directory while not checking for directory traversal characters in the driver ID key. Namely, it will create the new “.drv” file in the “configs/drivers” directory with the provided JSON data in the request. Afterwards, it will add the data for each driver ID found in the JSON data that is not present in the driverList data structure. The code makes a call to function deleteDriver() in the MetaDriverManager Javascript file to do the file deletion. If it is not present, the code will delete the file in the “configs/ drivers” directory where the file name matches the driver ID that was not present in the JSON data. This directory maintains files where each file contains information about a driver ID and the file name is in the form of “X.drv”, where X is the driver ID.Īfter parsing the JSON data in the data request parameter, the code will then check if any driver ID in the driverList data structure is or is not present in the JSON data. The code maintains the driverList list data structure in MetaDriverManager Javascript object that collects all driver IDs that are currently known to the application and can be found in the “configs/drivers/” directory. When a user sends a HTTP request to this endpoint, the code in meta_driver_srv.js will parse the JSON data in the data request parameter. The vulnerability is due to missing authentication check and missing input validation in the HTTP requests sent to “/server/ meta_driver_srv.js” endpoint.
The web interface can be accessed over HTTP or HTTPS on ports 46, respectively.Īn arbitrary file deletion vulnerability exists in Eaton Intelligent Power Manager. The main program mc2 contains compressed Javascript code which is relevant for understanding this vulnerability. Successful exploitation of these vulnerabilities could allow attackers to delete arbitrary files on the target system. A remote unauthenticated attacker could exploit this vulnerability by sending a maliciously crafted packet. The vulnerability is due to missing input validation in meta_driver_srv.js.
#Eaton intelligent power manager default login software#
This software solution ensures system uptime and data integrity by enabling remote monitoring, managing and controlling devices on the network.Īn arbitrary file deletion vulnerability has been reported in Eaton Intelligent Power Management and Eaton Intelligent Power Protector. Eaton’s Intelligent Power Manager (IPM) software provides the tools needed to monitor and manage power devices in your physical or virtual environment keeping devices up and running during a power or environmental event.
0 kommentar(er)
