Embedded Analysis of the KACO XP100U Power Inverter System (by dog Wang)
0x00 Preface
First of all, I would like to thank Bing Ge for his guidance and encouragement. Smart IoT devices are booming at the moment. Many vendors and developers only provide convenient features while ignoring the corresponding security measures. At the same time, many pieces of traditional industrial equipment have gained network modules without any security awareness, so these devices end up exposed on the public Internet, which opens the door for attackers. This article takes the power inverter system produced by KACO New Energy as an example to show how insecure design affects an industrial control system.
KACO New Energy is a German company focused on designing and producing power-related industrial control systems, and it is said to have customers all over the world. However, at DEFCON 23 in 2015, a backdoor in its XP100U power inverter system was disclosed.
During our study we found that the problems with this product go beyond that backdoor. Let's take a tour of this piece of industrial control equipment.
0x01 The classic system backdoor
KACO's power inverter system ships with a small web service written in Java, used for remote login and monitoring of various data indicators.
From the operation manual we learn that the system has a default password, ksk12. After a successful login we can perform data collection and other operations.
Looking at the page source, we find a file named wms.jar; a Java decompiler lets us read its source code.
Simply searching for the keyword password, we easily find the backdoor password "kacosolar2008" in WMSSettings.
Interestingly, this password cannot be modified. As the following code shows, the entire backdoor authentication is just a plain comparison against the AdminPassword set locally in WMSSettings.
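As an added illustration (not the product's code, and not from the original article), the following Python sketch places the authentication pattern described above, a plain string comparison against AdminPassword plus a fixed value that can never be changed, beside a hardened replacement that stores only a salted PBKDF2 hash, compares in constant time, refuses a factory default that was never rotated, and has no second credential path. The class and function names are assumptions; the decompiled Java itself is not reproduced.

```python
"""Added example: the flawed check described in the article beside a hardened one.
Class and function names are assumptions, not the product's own code."""
import hashlib
import hmac
import os

# --- The pattern the decompiled code follows (constructed stand-in) -----------
class WeakWMSSettings:
    """Plaintext admin password plus the fixed value found in the jar."""
    AdminPassword = "ksk12"            # default password from the manual
    MasterPassword = "kacosolar2008"   # hardcoded value; cannot be changed

def weak_login(settings, supplied):
    """Anyone who knows the fixed value is accepted, whatever AdminPassword is."""
    return supplied == settings.AdminPassword or supplied == settings.MasterPassword


# --- Hardened replacement ---------------------------------------------------
PBKDF2_ROUNDS = 200_000

def derive_key(password, salt, rounds=PBKDF2_ROUNDS):
    """Salted PBKDF2-HMAC-SHA256; the stored digest is useless on its own."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)

class HardenedSettings:
    """Stores only salt + digest, and has no second, fixed credential path."""

    def __init__(self, initial_password, force_change=True):
        self.salt = os.urandom(16)
        self.admin_hash = derive_key(initial_password, self.salt)
        # A factory default must be rotated before the device accepts logins.
        self.must_change = force_change

    def verify(self, supplied):
        candidate = derive_key(supplied, self.salt)
        # compare_digest runs in constant time, so timing leaks no partial match.
        return hmac.compare_digest(candidate, self.admin_hash)

    def change_password(self, current, new):
        """Rotate the credential; requires the current one and a minimal length."""
        if not self.verify(current) or len(new) < 8:
            return False
        self.salt = os.urandom(16)
        self.admin_hash = derive_key(new, self.salt)
        self.must_change = False
        return True

def hardened_login(settings, supplied):
    """Only the operator-set credential works; an un-rotated default is refused."""
    return settings.verify(supplied) and not settings.must_change


if __name__ == "__main__":
    print("weak, fixed value accepted:", weak_login(WeakWMSSettings, "kacosolar2008"))
    s = HardenedSettings("ksk12")
    print("hardened, default before rotation:", hardened_login(s, "ksk12"))
    s.change_password("ksk12", "operator-chosen-secret")
    print("hardened, rotated credential:", hardened_login(s, "operator-chosen-secret"))
```

The point of the hardened half is structural rather than cryptographic: with no fixed value in the code path, decompiling the jar yields nothing that logs in, and forcing rotation of the documented default removes the second weakness the article notes.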
Reconstructing the whole backdoor was quick and painless, but it gets even more interesting...
0x02 Anti-leech design
Having looked at the classic backdoor account above, Wireshark packet capture analysis reveals another interesting authentication design in this system. We mentioned that the default password is ksk12; under normal circumstances you can change it to a custom password, and the entire process is transmitted in plaintext. So yes, we can get the password through simple sniffing. But what is special about it? Hold on, here comes the twist...
First let's look at the entire login process. After we press the Login button, the first packet sent by the client contains the fragment `aci_request_code type='int'>31<`. So what does 31 mean?
By searching the Java source we learn that request type 31 is used to fetch the current password from the server. In other words, on every authentication attempt the system sends the current password back in plaintext...
The most incredible part: even if you enter an incorrect password, an error box appears, yet the system still returns the correct password in plaintext. Haha! In other words, we don't even need to bother reverse engineering the source; the system has already told the world the password.
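To show how a defender would spot this behaviour on the wire, here is an added Python example (not part of the original article) that runs a small detector over constructed traffic. It assumes the messages are XML fragments of the form `<aci_request_code type='int'>31</aci_request_code>`, which is an extrapolation from the fragment quoted above; the `<password>` response element, the `<ac_power>` field and request code 12 are hypothetical placeholders, not values taken from the device.

```python
"""Added example: flag password-fetch requests and plaintext credential replies.
Message format is assumed from one quoted fragment; element names other than
aci_request_code are hypothetical."""
import xml.etree.ElementTree as ET

# Constructed sample traffic (direction, payload); not a real capture.
SAMPLE_FLOWS = [
    ("C->S", "<aci_request><aci_request_code type='int'>31</aci_request_code>"
             "</aci_request>"),
    ("S->C", "<aci_response><aci_request_code type='int'>31</aci_request_code>"
             "<password type='string'>ksk12</password></aci_response>"),
    ("C->S", "<aci_request><aci_request_code type='int'>12</aci_request_code>"
             "</aci_request>"),
    ("S->C", "<aci_response><aci_request_code type='int'>12</aci_request_code>"
             "<ac_power type='int'>3120</ac_power></aci_response>"),
]

PASSWORD_FETCH_CODE = 31                      # request type named in the article
SECRET_FIELDS = {"password", "adminpassword"} # element names treated as secrets

def parse_message(payload):
    """Return (request code or None, {field name: text}) for one message."""
    root = ET.fromstring(payload)
    code_el = root.find("aci_request_code")
    code = int(code_el.text.strip()) if code_el is not None and code_el.text else None
    fields = {child.tag.lower(): (child.text or "").strip()
              for child in root if child.tag != "aci_request_code"}
    return code, fields

def analyse(flows):
    """Emit one alert per suspicious message, in capture order."""
    alerts = []
    for direction, payload in flows:
        code, fields = parse_message(payload)
        # A client asking the server for the current password is itself the signal.
        if direction == "C->S" and code == PASSWORD_FETCH_CODE:
            alerts.append(("password-fetch-request", code, None))
        # Any server reply that carries a secret field in the clear is flagged,
        # whichever request code it answers.
        if direction == "S->C":
            leaked = sorted(SECRET_FIELDS & set(fields))
            if leaked:
                alerts.append(("plaintext-credential-response", code, leaked))
    return alerts


if __name__ == "__main__":
    for kind, code, detail in analyse(SAMPLE_FLOWS):
        print(f"ALERT {kind}: request_code={code} fields={detail}")
```

Run against a real capture, the second rule is the one that matters: it does not depend on knowing the request code in advance, so it would also catch the failed-login case described above, where the error box appears but the password still comes back.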
0x03 Hunting for XP100U
After all this, you can't wait to find a KACO server to try it on. A search engine can help with this task; as SHODAN shows, several KACO inverters exposed to the public network can be found easily.
Note that the system's default port is 80; try a few common ports during testing.
Interestingly, one KACO power inverter site also hosts a network monitoring system (thanks to Z-One for the clue). If you are interested, you can explore it further, but do not damage anything. :D
0x04 Summary
Through this case we see that very basic weaknesses from traditional system security, such as HTTP plaintext transmission, default passwords and system backdoors, are still very common in industrial control embedded systems, and the hidden risks are enormous. Embedded systems are often hard to upgrade once they are on the production line, so perhaps product designers should find a balance between usability and security at the initial design stage. For security enthusiasts, however, industrial control embedded systems are a very interesting and deep field, and we look forward to seeing more.