
2024-07-11

Multiple vulnerabilities in Enel X JuiceBox (Waybox) Pro & Plus 3.0 charger

Product description

The Enel X JuiceBox (Waybox) Pro and Plus 3.0 22 kW Cellular is an electric vehicle charger intended for use in both private and residential environments.

EV Charger appearance

The charger includes a web manager interface accessible through either Wi-Fi or a wired Ethernet connection. The Ethernet port is located under the charger's front panel.

JuiceBox Web Manager application

The default password for user-level access to the JuiceBox web manager is provided in the installation manual published on the official Enel X Way website.

Additionally, the charger is equipped with an LTE modem for communication with the vendor's backend featuring RFID authentication. It also supports user identification by RFID cards, thus restricting access to the charging function.

SUMMARY

PCAutomotive identified multiple vulnerabilities that could allow a potential attacker to obtain the highest privileges in the operating system of the Enel X JuiceBox (Waybox) Pro and Plus 3.0 charger. At this level of access, an attacker could gain access to sensitive data stored on the charger, bypass charging restrictions set by the device owner, cause a denial of service on the charger, or modify the firmware. The vulnerabilities apply to charger firmware versions before 2.1.1.0_JB3VU096A.

CVE ID         | Title                                                      | CVSS Score
CVE-2023-29114 | System logs disclosure                                     | 5.7 (Medium)
CVE-2023-29115 | Denial of service via web management interface             | 6.5 (High)
CVE-2023-29116 | PHP information disclosure                                 | 4.3 (Medium)
CVE-2023-29117 | Authentication bypass in JuiceBox Web Manager              | 8.8 (Critical)
CVE-2023-29118 | Unauthorized SQLite injection #1                           | 9.6 (Critical)
CVE-2023-29119 | Unauthorized SQLite injection #2                           | 9.6 (Critical)
CVE-2023-29120 | Unauthorized remote command execution                      | 9.6 (Critical)
CVE-2023-29121 | Exposed TCF agent service                                  | 9.6 (Critical)
CVE-2023-29122 | Incorrect file ownership of privileged service's libraries | 6.7 (Medium)
CVE-2023-29125 | Heap overflow in CM_main.exe binary                        | 9.0 (Critical)
CVE-2023-29126 | Insecure loose comparison                                  | 4.2 (Medium)


DISCLOSURE TIMELINE

Date       | Description
2023-03-16 | Advisory sent to cert@enel.com
2023-04-01 | Enel X informs PCAutomotive that the analyzed firmware JB3VUEV02c is outdated. Enel X updates the charger firmware to version 1.1.3.5_JB3VU093.
2023-04    | PCAutomotive verifies the findings on version 1.1.3.5_JB3VU093.
2023-04-28 | PCAutomotive reports the retest results to Enel X and informs Enel X that the vulnerabilities are still present in 1.1.3.5_JB3VU093.
2023-12    | According to Enel X, the fixes have been released starting from version 2.1.1.0_JB3VU096A on new installations.
2024-06-17 | Enel X releases a security advisory to charger owners.


TECHNICAL DETAILS

CVE-2023-29114: System logs disclosure

Description

An attacker with regular user privileges in the web management application can obtain system logs due to a lack of access control. These logs expose sensitive information that can be used for further attack development.

Exploitation scenario and impact

The JuiceBox web management panel is accessible on port 80 after connecting to the EV charger's Wi-Fi network. Regular users of this web application can retrieve system logs containing sensitive information, such as plaintext credentials and configuration properties.

To trigger the vulnerability, it is sufficient to send an HTTP GET request to the path /admin/log.php with an empty download parameter:

An example of retrieving sensitive information from log.php

An attacker can obtain the following sensitive information:

  • Wi-Fi access point credentials to which the EV charger can connect.
  • APN web address and credentials.
  • IPSEC credentials.
  • Web interface access credentials for user and admin accounts.
  • JuiceBox system components (software installed, model, firmware version, etc.).
  • C2G configuration details.
  • Internal IP addresses.
  • OTA firmware update configurations (DNS servers).

All the credentials are stored in logs in an unencrypted plaintext format. Unauthorized access to these data could be exploited by an intruder to gain privileged entry to the control panel and other endpoints, facilitating the development of subsequent attacks.

CVE-2023-29115: Denial of service via web management interface

Description

The Juicebox Enel X is vulnerable to denial of service through the web management interface. Unauthorized attackers with network visibility of the charger can cause a denial of service (reboot) via a direct GET request, as there are no access control restrictions on the endpoint.

Exploitation scenario and impact

The following request, GET /admin/reboot.php, reboots the Juicebox device:

Example of forcing a device reboot

It takes two to three minutes for the system to become available after each reboot cycle.

CVE-2023-29116: PHP information disclosure

Description

The phpinfo.php script in the JuiceBox web manager application allows remote attackers to obtain sensitive information such as the full web root path, OS version, and server configuration details by calling the phpinfo() function.

Exploitation scenario and impact

Exploitation is possible with an HTTP GET request to admin/phpinfo.php, which is available to a remote attacker without any authentication.

Result of calling the phpinfo() function

An attacker can obtain sensitive information such as:

  • The exact PHP version.
  • Exact OS and its version.
  • Details of the PHP configuration.
  • PHP compilation options.
  • PHP extensions.
  • Internal IP addresses.
  • Server environment variables.
  • Loaded PHP extensions and their configurations.
  • HTTP headers.

This information helps an attacker to further develop the attack.

CVE-2023-29117: Authentication bypass in JuiceBox Web Manager

Description

The JuiceBox web manager application has an API that can be used for arbitrary database modification due to a lack of access controls. An unauthorized attacker can exploit this vulnerability to bypass authentication and gain administrator privileges to access and control the JuiceBox system or disrupt service.

Exploitation scenario and impact

An unauthorized attacker can exploit the vulnerability by sending a GET request to /api/command.php with the action parameter set to set_param. This request modifies the application database according to the GET parameters param and value. To bypass authentication, the attacker can set the adminPasswordVisible property to True.

Changing visibility settings for administrator's password

As a result, the plaintext value of the admin user password will be shown below the authentication form on the index page:

Publicly accessible value of administrator's password

By exploiting this vulnerability, attackers can:

  • Gain control over all sensitive information, including plaintext credentials and settings for Wi-Fi, SIM, IPSEC, the charger system, the charge point and central management system (defined in the OCPP standard as CP and CM), and Charger-to-Grid (C2G).
  • Read and modify all the current charger registers in the system.
  • Upload malicious or out-of-date firmware.
  • Control charger operation by causing charger reboot or stopping charging process.
  • Obtain access to all system log files.
  • Add arbitrary RFID cards to the charging whitelist.

Privileged access to the control panel

CVE-2023-29118: Unauthorized SQLite injection #1

CVE-2023-29119: Unauthorized SQLite injection #2

Description

The JuiceBox web manager application contains SQL injection vulnerabilities. The application does not validate user input properly, which allows an unauthorized attacker to alter the logic of SQLite queries by means of SQL injection. The vulnerable URIs are:

  • /admin/versions.php, where the vulnerable parameters are the POST parameters name and value.
  • /admin/dbstore.php, where the vulnerable parameters are the POST parameters address and value.

Exploitation scenario and impact

The following requests can be used to modify an arbitrary table of the database:

Example of SQL Injection exploitation via value parameter

Example of SQL Injection exploitation via address parameter

As a result, an attacker can run arbitrary queries against the database, modify data, and develop a further attack on the server.

CVE-2023-29120: Unauthorized remote command execution

Description

The JuiceBox web manager application contains a remote command execution (RCE) vulnerability. The application does not validate user input properly, which allows an attacker to inject arbitrary OS commands. The vulnerable URI is /api/command.php, and the vulnerable parameters are the POST parameters ssid and passkey.

Exploitation scenario and impact

The following request can be used to launch a ping process on the target server:

Example of OS command execution via ssid parameter

Consequently, an attacker can execute arbitrary OS commands under the daemon account, and can obtain root access to the OS after the privilege escalation described in CVE-2023-29122.

CVE-2023-29121: Exposed TCF agent service

Description

The JuiceBox Enel X has the Target Communication Framework (TCF) service, an Eclipse debug interface, enabled. Through this service, an attacker can debug processes, modify the file system, and gain access to a terminal as the root user simply by connecting to the charger's TCP port 1534:

Open TCP port on EV charger host

Access to the TCF service via netcat utility

Exploitation scenario and impact

Using the Eclipse TCF plugin, an adversary can gain access to the Linux file system on the charger, allowing, for instance, retrieval of the contents of the shadow file.

This attack allows unauthorized attackers to gain root privileges on the affected model, which results in the execution of arbitrary OS commands and full control of the target system.

CVE-2023-29122: Incorrect file ownership of privileged service's libraries

Description

The system assigns user/group ownership of the /runtime/lib/ directory tree to the web-service user account daemon, which allows privilege escalation when the files in that directory are executed by root-owned processes.

The CM_main.exe service runs with root privileges and uses libraries stored in the /runtime/lib/ subfolder. These libraries are owned by the daemon user:

Daemon user ownership of libraries

Exploitation scenario and impact

If a malicious user has the privileges of the daemon user on the device, they can overwrite the library files. After the CM_main.exe service restarts, the attacker will be able to execute arbitrary OS commands with the privileges of the root user.

CVE-2023-29125: Heap overflow in CM_main.exe binary

Description

An attacker can trigger a heap buffer overflow in the CM_main.exe binary by manipulating input values so that the body of the request is larger than the pre-defined buffer of fixed length:

Definition of size of headers

Exploitation scenario and impact

The CM_main.exe binary uses a socket service that handles requests on TCP port 7700. Each request consists of two parts: a header and a body.

The header contains a field of type short int which is used as the length of the body. This length is not checked anywhere in the code. The buffer for the body has a fixed length of 0x2000. Thus, an attacker can send a body with a length greater than 0x2000 and trigger a heap buffer overflow.
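The length validation missing from the request handler described above, as an added example that is not part of the advisory or of the CM_main.exe code. The wire layout (a signed 16-bit length field forming the whole header, host byte order) is an assumption taken from the advisory's description; the parser rejects over-long, negative and truncated lengths before any copy into the fixed 0x2000-byte buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not code from the advisory or from CM_main.exe. The wire
 * format is assumed from the advisory: a header carrying a signed 16-bit
 * body length, then the body, which the service copied into a fixed
 * 0x2000-byte heap buffer without checking the length (CVE-2023-29125).
 * Assumed: the length field is the whole header and is in host byte order. */

#define BODY_BUF_SIZE 0x2000
#define HEADER_SIZE   sizeof(int16_t)

enum parse_status { PARSE_OK = 0, PARSE_SHORT_HEADER, PARSE_BAD_LENGTH, PARSE_TRUNCATED };

/* Hardened parser. The unchecked pattern the advisory describes hands the raw
 * short straight to the copy: a value above 0x2000 overruns the buffer, and a
 * negative value becomes a huge size_t once widened for memcpy. */
enum parse_status parse_request(const uint8_t *pkt, size_t pkt_len,
                                uint8_t body[BODY_BUF_SIZE], size_t *body_len)
{
    int16_t raw;
    if (pkt_len < HEADER_SIZE)
        return PARSE_SHORT_HEADER;
    memcpy(&raw, pkt, sizeof raw);
    if (raw < 0 || (size_t)raw > BODY_BUF_SIZE)   /* check before widening */
        return PARSE_BAD_LENGTH;
    if (pkt_len - HEADER_SIZE < (size_t)raw)       /* header promises more than arrived */
        return PARSE_TRUNCATED;
    memcpy(body, pkt + HEADER_SIZE, (size_t)raw);
    *body_len = (size_t)raw;
    return PARSE_OK;
}

static uint8_t g_pkt[0x4000];            /* constructed packet, larger than the body buffer */
static uint8_t g_body[BODY_BUF_SIZE];    /* the fixed-size buffer the service allocates */
static size_t  g_body_len;

/* Builds a constructed packet whose header claims `claimed` body bytes but
 * which actually carries `actual` bytes of 'A', then parses it. */
enum parse_status run_case(int16_t claimed, size_t actual)
{
    size_t n = HEADER_SIZE + actual;
    if (n > sizeof g_pkt)
        return PARSE_BAD_LENGTH;
    memcpy(g_pkt, &claimed, sizeof claimed);
    memset(g_pkt + HEADER_SIZE, 'A', actual);
    return parse_request(g_pkt, n, g_body, &g_body_len);
}
```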

CVE-2023-29126: Insecure loose comparison

Description

In the JuiceBox web manager application, the index.php page contains a PHP type juggling vulnerability that allows attackers to speed up the brute force process and, under some conditions, bypass authentication.

Exploitation scenario and impact

The default password of a user account is 000000. Providing only 0 in the password field will allow the attacker to log in, since 0 and 000000 are compared using the loose comparison operator, so the values are converted to the same data type. Another example of the incorrect comparison is that 0 will be equal to 0e1234. As a result, an attacker can gain access to the user panel and perform the following actions:

  • Adjust connection type to SIM or Wi-Fi.
  • Control the parameters Plug & charge and max charging current value.
  • Add different unauthorized RFID cards to the whitelist.
  • Maintain C2G configuration.

User access to the JuiceBox Web Manager

CREDITS

Abdellah Benotsmane

Anna Breeva

Artem Ivachev

Danila Parnishchev