2024-07-11
Multiple vulnerabilities in Enel X JuiceBox (Waybox) Pro & Plus 3.0 charger
Product description
Enel X JuiceBox (Waybox) Pro and Plus 3.0 22 kW Cellular is an electric vehicle charger intended for use in both private and residential environments.
[Figure: EV charger appearance]
The charger includes a web manager interface accessible through either Wi-Fi or wired Ethernet. The Ethernet port is located under the charger's front panel.
[Figure: JuiceBox Web Manager application]
The default password for user-level access to the JuiceBox web manager is provided in the installation manual published on the official Enel X Way web site.
Additionally, the charger is equipped with an LTE modem for communication with the vendor's backend, which features RFID authentication. Finally, it supports user identification by RFID cards, thus restricting access to the charging function.
SUMMARY
PCAutomotive identified multiple vulnerabilities that could allow an attacker to obtain the highest privileges in the operating system of the Enel X JuiceBox (Waybox) Pro and Plus 3.0 charger. With this level of access, an attacker could gain access to sensitive data stored on the charger, bypass charging restrictions set by the device owner, cause a denial of service on the charger, and modify the firmware. The vulnerabilities apply to charger firmware versions before 2.1.1.0_JB3VU096A.
CVE ID | Title | CVSS Score |
---|---|---|
CVE-2023-29114 | System logs disclosure | 5.7 (Medium) |
CVE-2023-29115 | Denial of service via web management interface | 6.5 (High) |
CVE-2023-29116 | PHP information disclosure | 4.3 (Medium) |
CVE-2023-29117 | Authentication bypass in JuiceBox Web Manager | 8.8 (Critical) |
CVE-2023-29118 | Unauthorized SQLite injection #1 | 9.6 (Critical) |
CVE-2023-29119 | Unauthorized SQLite injection #2 | 9.6 (Critical) |
CVE-2023-29120 | Unauthorized remote command execution | 9.6 (Critical) |
CVE-2023-29121 | Exposed TCF agent service | 9.6 (Critical) |
CVE-2023-29122 | Incorrect file ownership of privileged service's libraries | 6.7 (Medium) |
CVE-2023-29125 | Heap overflow in CM_main.exe binary | 9.0 (Critical) |
CVE-2023-29126 | Insecure loose comparison | 4.2 (Medium) |
DISCLOSURE TIMELINE
Date | Description |
---|---|
2023-03-16 | Advisory sent to cert@enel.com |
2023-04-01 | Enel X informs PCAutomotive that the analyzed firmware JB3VUEV02c is outdated. Enel X performs firmware update of the charger to version 1.1.3.5_JB3VU093 |
2023-04 | PCAutomotive performs verification of findings on version 1.1.3.5_JB3VU093 |
2023-04-28 | PCAutomotive reports retest results to Enel X. PCAutomotive informs Enel X that vulnerabilities are present in 1.1.3.5_JB3VU093. |
2023-12 | According to Enel X, the fixes have been released starting from version 2.1.1.0_JB3VU096A on new installations |
2024-06-17 | Enel X releases security advisory to charger owners |
TECHNICAL DETAILS
CVE-2023-29114: System logs disclosure
Description
An attacker with regular user privileges in the web management application can obtain system logs due to a lack of access control. These logs expose sensitive information that can be used for further attack development.
Exploitation scenario and impact
The JuiceBox web management panel is accessible on port 80 after connecting to the EV charger's Wi-Fi network. Regular users of this web application can retrieve system logs containing sensitive information, such as plaintext credentials and configuration properties.
To trigger the vulnerability, it is enough to send an HTTP GET request to the path /admin/log.php with an empty download parameter:
[Figure: An example of retrieving sensitive information from log.php]
An attacker can obtain the following sensitive information:
- Wi-Fi access point credentials to which the EV charger can connect.
- APN web address and credentials.
- IPSEC credentials.
- Web interface access credentials for user and admin accounts.
- JuiceBox system components (software installed, model, firmware version, etc.).
- C2G configuration details.
- Internal IP addresses.
- OTA firmware update configurations (DNS servers).
All the credentials are stored in logs in an unencrypted plaintext format. Unauthorized access to these data could be exploited by an intruder to gain privileged entry to the control panel and other endpoints, facilitating the development of subsequent attacks.
CVE-2023-29115: Denial of service via web management interface
Description
The JuiceBox Enel X charger is vulnerable to denial of service through the web management interface. Unauthorized attackers with network visibility of the charger can cause a denial of service (reboot) via a direct GET request, without any access control restrictions.
Exploitation scenario and impact
The following request, GET /admin/reboot.php, reboots the JuiceBox device:
[Figure: Example of forcing a device reboot]
It takes two to three minutes for the system to become available after each reboot cycle.
CVE-2023-29116: PHP information disclosure
Description
The phpinfo.php script in the JuiceBox web manager application allows remote attackers to obtain sensitive information such as the full web root path, OS version, and server configuration details by calling the phpinfo() function.
Exploitation scenario and impact
Exploitation is possible by sending an HTTP GET request to the admin/phpinfo.php script, which is available to a remote attacker without any authentication.
[Figure: Result of calling the phpinfo() function]
An attacker can obtain sensitive information such as:
- The exact PHP version.
- Exact OS and its version.
- Details of the PHP configuration.
- PHP compilation options.
- PHP extensions.
- Internal IP addresses.
- Server environment variables.
- Loaded PHP extensions and their configurations.
- HTTP headers.
This information helps an attacker to further develop the attack.
CVE-2023-29117: Authentication bypass in JuiceBox Web Manager
Description
The JuiceBox web manager application has an API that can be used for arbitrary database modification due to a lack of access controls. An unauthorized attacker can exploit this vulnerability to bypass authentication and obtain administrator privileges to access and control the JuiceBox system or disrupt service.
Exploitation scenario and impact
An unauthorized attacker can exploit the vulnerability by sending a GET request to the /api/command.php script with the action parameter set to set_param. This request modifies the application database according to the GET parameters param and value. To bypass authentication, the attacker can set the adminPasswordVisible property to True.
[Figure: Changing visibility settings for the administrator's password]
As a result, the plaintext value of the admin user password is shown below the authentication form on the index page:
[Figure: Publicly accessible value of the administrator's password]
By exploiting this vulnerability, attackers can:
- Access all sensitive information, including plaintext credentials and settings for Wi-Fi, SIM, IPSEC, the charger system, the charge point and the central management system (defined in the OCPP standard as CP and CM), and Charger-to-Grid (C2G).
- Read and modify all the current charger registers in the system.
- Upload malicious or out-of-date firmware.
- Control charger operation by causing charger reboot or stopping charging process.
- Obtain access to all system log files.
- Add arbitrary RFID cards to the charging whitelist.
[Figure: Privileged access to the control panel]
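The four issues above (CVE-2023-29114 to CVE-2023-29117) are all triggered by unauthenticated GET requests, so their exploitation leaves a recognisable trace in the web server's access log. The following detection script is an added example written for this advisory, not PCAutomotive or Enel X code; the combined log format and the sample log lines are constructed, and the request paths and parameters come from the descriptions above.

```python
"""Access-log detection for the unauthenticated JuiceBox web manager request
patterns described in CVE-2023-29114 to CVE-2023-29117.

Added example for this advisory, not PCAutomotive or Enel X code. The log
format (Apache/nginx 'combined') and the sample lines are constructed here.
"""
import re
from urllib.parse import parse_qs, urlsplit

# combined format: client ident user [time] "METHOD target HTTP/x" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def _log_download(query):
    # /admin/log.php with a (possibly empty) download parameter returns the system logs
    return "download" in query


def _admin_password_visible(query):
    # /api/command.php?action=set_param&param=adminPasswordVisible exposes the admin password
    return query.get("action") == ["set_param"] and query.get("param") == ["adminPasswordVisible"]


# (method, path, query predicate or None, CVE, description)
RULES = [
    ("GET", "/admin/log.php", _log_download, "CVE-2023-29114", "system log download"),
    ("GET", "/admin/reboot.php", None, "CVE-2023-29115", "reboot via web interface"),
    ("GET", "/admin/phpinfo.php", None, "CVE-2023-29116", "phpinfo() disclosure"),
    ("GET", "/api/command.php", _admin_password_visible, "CVE-2023-29117", "adminPasswordVisible set via set_param"),
]


def parse_line(line):
    """Return the request fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "client": m.group("client"),
        "method": m.group("method"),
        "path": parts.path,
        "query": parse_qs(parts.query, keep_blank_values=True),
        "status": int(m.group("status")),
    }


def scan(lines):
    """Return (client, CVE, description) for every line matching a rule, in log order."""
    findings = []
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        for method, path, predicate, cve, description in RULES:
            if req["method"] == method and req["path"] == path and (predicate is None or predicate(req["query"])):
                findings.append((req["client"], cve, description))
    return findings


# Constructed sample lines: two benign requests (the second uses a made-up setting name)
# and four that match the rules above.
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Jul/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [11/Jul/2024:10:00:05 +0000] "GET /admin/log.php?download= HTTP/1.1" 200 40960 "-" "curl/8.0"',
    '192.0.2.10 - - [11/Jul/2024:10:00:09 +0000] "GET /admin/phpinfo.php HTTP/1.1" 200 65000 "-" "curl/8.0"',
    '192.0.2.11 - - [11/Jul/2024:10:01:00 +0000] "GET /api/command.php?action=set_param&param=adminPasswordVisible&value=True HTTP/1.1" 200 20 "-" "curl/8.0"',
    '192.0.2.12 - - [11/Jul/2024:10:02:00 +0000] "GET /api/command.php?action=set_param&param=exampleSetting&value=1 HTTP/1.1" 200 20 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [11/Jul/2024:10:03:00 +0000] "GET /admin/reboot.php HTTP/1.1" 200 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for client, cve, description in scan(SAMPLE_LOG):
        print(f"{client}\t{cve}\t{description}")
```

The predicates deliberately key on the parameter combination rather than on the endpoint alone, since /api/command.php and /admin/log.php also serve legitimate traffic; a hit on /admin/reboot.php or /admin/phpinfo.php from an unexpected client is worth an alert on its own.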
CVE-2023-29118: Unauthorized SQLite injection #1
CVE-2023-29119: Unauthorized SQLite injection #2
Description
The JuiceBox web manager application contains SQL injection vulnerabilities. The application does not validate user input properly, which allows an unauthorized attacker to alter the logic of SQLite queries by means of SQL injection. The vulnerable URIs are:
- /admin/versions.php, where the vulnerable parameters are the POST parameters name and value.
- /admin/dbstore.php, where the vulnerable parameters are the POST parameters address and value.
Exploitation scenario and impact
The following requests can be used to modify an arbitrary table of the database:
[Figure: Example of SQL injection exploitation via the value parameter]
[Figure: Example of SQL injection exploitation via the address parameter]
As a result, an attacker can run arbitrary queries against the database, modify data and develop the attack on the server.
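To show why a name/value update endpoint of this kind is injectable and what the fix looks like, here is an added example (not code from the JuiceBox web manager, which is PHP) that runs the same update against an in-memory SQLite database once with string interpolation and once with bound parameters. The table layout, the allow-list of setting names and the sample rows are constructed for the demonstration.

```python
"""Vulnerable and parameterized SQLite updates, modelled on the name/value
POST parameters of versions.php described for CVE-2023-29118 and CVE-2023-29119.

Added example, not code from the JuiceBox web manager (which is PHP). The
table layout, the allowed setting names and the sample rows are constructed.
"""
import sqlite3

# Constructed allow-list: the settings the endpoint is meant to change.
ALLOWED_NAMES = {"firmware", "bootloader"}


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE versions (name TEXT PRIMARY KEY, value TEXT)")
    conn.executemany("INSERT INTO versions VALUES (?, ?)",
                     [("bootloader", "0.9"), ("firmware", "1.1.3.5")])
    conn.commit()
    return conn


def set_version_unsafe(conn, name, value):
    # Request parameters are spliced into the SQL text, so a quote inside
    # 'value' closes the literal and the remainder is parsed as SQL.
    conn.execute(f"UPDATE versions SET value = '{value}' WHERE name = '{name}'")
    conn.commit()


def set_version_safe(conn, name, value):
    # 1. validate the row selector against an allow-list;
    # 2. bind both inputs as parameters so the driver hands them to SQLite
    #    as data; quotes, comments and keywords in them are never parsed.
    if name not in ALLOWED_NAMES:
        raise ValueError(f"unknown setting: {name!r}")
    conn.execute("UPDATE versions SET value = ? WHERE name = ?", (value, name))
    conn.commit()


def snapshot(conn):
    """Current table contents as {name: value}."""
    return dict(conn.execute("SELECT name, value FROM versions ORDER BY name"))


if __name__ == "__main__":
    payload = "9.9.9' WHERE 1=1 --"    # constructed input: a stray quote plus a comment marker
    db = make_db()
    set_version_unsafe(db, "firmware", payload)
    print("unsafe:", snapshot(db))     # every row rewritten, not just 'firmware'
    db = make_db()
    set_version_safe(db, "firmware", payload)
    print("safe:  ", snapshot(db))     # only 'firmware' changed, payload stored literally
```

Parameter binding removes the injection; the allow-list on name is the separate authorization decision that the advisory notes is also missing (the endpoints are reachable without authentication), and one does not substitute for the other.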
CVE-2023-29120: Unauthorized remote command execution
Description
The JuiceBox web manager application contains a remote command execution (RCE) vulnerability. The application does not validate user input properly, which allows an attacker to inject arbitrary OS commands. The vulnerable URI is /api/command.php, and the vulnerable parameters are the POST parameters ssid and passkey.
Exploitation scenario and impact
The following request can be used to start a ping process on the target server:
[Figure: Example of OS command execution via the ssid parameter]
Consequently, an attacker can execute arbitrary OS commands under the daemon account, and can obtain root access to the OS after the privilege escalation described in CVE-2023-29122.
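The root cause is that the Wi-Fi settings end up inside a shell command line. The added example below (not the charger's PHP) contrasts that pattern with the two-part fix: validate the ssid and passkey against the format they must have, then pass them to the program as argument-vector elements with no shell involved. The real network-configuration command is not known from the advisory, so echo stands in for it; the validation rules used are the 802.11 SSID length limit and the WPA2-PSK passphrase length rule.

```python
"""Building an OS command from Wi-Fi settings: shell string vs. argument vector
with input validation, for the ssid/passkey injection described in CVE-2023-29120.

Added example, not the charger's PHP. The real network-configuration command
is not known from the advisory, so 'echo' stands in for it here.
"""
import re
import subprocess

SSID_RE = re.compile(r"^[\x20-\x7e]{1,32}$")      # printable ASCII, 1-32 bytes (802.11 limit)
PASSKEY_RE = re.compile(r"^[\x20-\x7e]{8,63}$")   # printable ASCII, 8-63 characters (WPA2-PSK)


def validate_wifi(ssid, passkey):
    """Reject values outside the expected character set and length."""
    if not SSID_RE.match(ssid):
        raise ValueError("invalid ssid")
    if not PASSKEY_RE.match(passkey):
        raise ValueError("invalid passkey")


def configure_unsafe(ssid):
    # Input is pasted into a shell command line: ';', '|', '$(...)' and similar
    # are interpreted by the shell, so part of the ssid runs as a second command.
    result = subprocess.run(f"echo configuring {ssid}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


def configure_safe(ssid, passkey):
    # Validate first, then pass the ssid as a single argv element with no shell:
    # the program receives it verbatim, whatever characters it contains.
    validate_wifi(ssid, passkey)
    result = subprocess.run(["echo", "configuring", ssid],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    ssid = "guest; echo INJECTED"          # constructed input containing a shell separator
    print(repr(configure_unsafe(ssid)))    # two lines: the injected command ran
    print(repr(configure_safe(ssid, "correct horse battery")))  # one line, ssid intact
```

Note that validation alone is not the fix: a printable-ASCII SSID can still contain a semicolon, as the sample shows, so the argument vector (or an equivalent API that takes the value as data) is what actually closes the hole.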
CVE-2023-29121: Exposed TCF agent service
Description
The JuiceBox Enel X charger has the Target Communication Framework (TCF) service, an Eclipse debug interface, enabled. Through this service, an attacker can debug processes, modify the file system, and gain access to a terminal as the root user simply by connecting to the charger's TCP port 1534:
[Figure: Open TCP port on the EV charger host]
[Figure: Access to the TCF service via the netcat utility]
Exploitation scenario and impact
Using the Eclipse TCF plugin, an adversary can access the Linux file system on the charger, allowing, for instance, retrieval of the contents of the shadow file.
This attack allows unauthorized attackers to gain root privileges on the affected model, which results in the execution of arbitrary OS commands and full control of the target system.
CVE-2023-29122: Incorrect file ownership of privileged service's libraries
Description
The system assigns user/group ownership of the /runtime/lib/ directory tree to the web-service user account daemon, which allows privilege escalation when files in that directory are executed by root-owned processes.
The CM_main.exe service runs with root privileges and uses libraries stored in the /runtime/lib/ subfolder. These libraries are owned by the daemon user:
[Figure: Daemon user ownership of libraries]
Exploitation scenario and impact
If a malicious user has the privileges of the daemon user on the device, they can overwrite the library files. After the CM_main.exe service restarts, the attacker will be able to execute arbitrary OS commands with root privileges.
CVE-2023-29125: Heap overflow in CM_main.exe binary
Description
An attacker can trigger a heap buffer overflow in the CM_main.exe binary by manipulating input values so that the body of a request is larger than the pre-defined fixed-length buffer:
[Figure: Definition of the header size]
Exploitation scenario and impact
The CM_main.exe binary runs a socket service that handles requests on TCP port 7700. Each request consists of two parts: a header and a body.
The header contains a short int field that is used as the length of the body. This length is not checked anywhere in the code, while the buffer for the body has a fixed length of 0x2000. Thus, an attacker can send a body longer than 0x2000 bytes and cause a heap buffer overflow.
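The missing check is a single comparison of the declared length against the buffer size, made before anything is copied. The following added example (not CM_main.exe code) implements a receiver for a length-prefixed request format with that check in place and with correct handling of a frame that has not fully arrived yet. The exact wire format is not given in the advisory; the example assumes a 2-byte big-endian unsigned short length field followed by the body, and MAX_BODY mirrors the 0x2000-byte buffer described above.

```python
"""Length-prefixed request framing with the bounds check missing from
CM_main.exe's handler (CVE-2023-29125).

Added example, not CM_main.exe code. Assumed wire format (not documented in
the advisory): a 2-byte big-endian unsigned 'short' length field, then the
body. MAX_BODY mirrors the 0x2000-byte buffer the advisory describes.
"""
import struct

MAX_BODY = 0x2000
HEADER = struct.Struct(">H")   # the short int length field


class FrameError(ValueError):
    pass


def body_unchecked(buf):
    # The flawed pattern: trust the declared length and copy that many bytes.
    # Python slicing silently clamps to the data available; a C memcpy into a
    # 0x2000-byte heap buffer would write past its end for any larger length.
    (declared,) = HEADER.unpack_from(buf, 0)
    return buf[HEADER.size:HEADER.size + declared]


def read_frames(stream):
    """Split a byte stream into complete bodies.

    The declared length is compared with MAX_BODY *before* any copy; an
    incomplete trailing frame is handed back as leftover input rather than
    being truncated. Returns (bodies, leftover).
    """
    bodies, pos = [], 0
    while pos + HEADER.size <= len(stream):
        (declared,) = HEADER.unpack_from(stream, pos)
        if declared > MAX_BODY:
            raise FrameError(f"declared body length {declared:#x} exceeds {MAX_BODY:#x}")
        start, end = pos + HEADER.size, pos + HEADER.size + declared
        if end > len(stream):
            break                          # wait for the rest of this frame
        bodies.append(stream[start:end])
        pos = end
    return bodies, stream[pos:]


def encode_frame(body):
    """Producer side: refuse to build a frame the receiver would have to reject."""
    if len(body) > MAX_BODY:
        raise FrameError("body too large")
    return HEADER.pack(len(body)) + body


if __name__ == "__main__":
    stream = encode_frame(b"hello") + encode_frame(b"") + b"\x00\x03ab"   # last frame incomplete
    print(read_frames(stream))             # ([b'hello', b''], b'\x00\x03ab')
    try:
        read_frames(struct.pack(">H", MAX_BODY + 1) + b"x" * 4)
    except FrameError as e:
        print("rejected:", e)
```

On the receiving side, a rejected length should also close the connection rather than resynchronise, since the stream position after a bad header is unknown.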
CVE-2023-29126: Insecure loose comparison
Description
In the JuiceBox web manager application, the index.php page contains a PHP type juggling vulnerability that allows attackers to speed up brute forcing and, under some conditions, bypass authentication.
Exploitation scenario and impact
The default password of a user account is 000000. Providing only 0 in the password field will allow the attacker to log in, since 0 and 000000 are compared using the loose comparison operator, so the values are converted to the same data type before comparison. Another example of the incorrect comparison is that 0 will be equal to 0e1234. As a result, an attacker can gain access to the user panel and perform the following actions:
- Adjust connection type to SIM or Wi-Fi.
- Control the parameters Plug & charge and max charging current value.
- Add different unauthorized RFID cards to the whitelist.
- Maintain C2G configuration.
[Figure: User access to the JuiceBox Web Manager]
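The comparison behaviour above is easy to reproduce outside PHP. The added example below (not the web manager's PHP) models the one PHP rule that matters here, that two numeric strings are compared as numbers under ==, and puts it next to the check that should replace it: a salted password hash compared with a constant-time equality function. The model follows PHP 8 semantics for the cases shown and is not a full port of PHP's comparison table; the salt and hashing parameters are constructed for the demonstration.

```python
"""Model of PHP's loose '==' string comparison behind CVE-2023-29126, next to a
strict, constant-time password check.

Added example, not the web manager's PHP. php_loose_equal() reproduces the one
rule that matters here (two numeric strings are compared as numbers); it is a
model of PHP 8 behaviour, not a full port of PHP's comparison table. The salt
and the hashing parameters are constructed for the demonstration.
"""
import hashlib
import hmac
import re

# PHP numeric-string syntax: optional sign, digits, optional fraction and exponent.
NUMERIC_STR = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_loose_equal(a, b):
    """'0' == '000000' and '0' == '0e1234' are both true under this rule."""
    if NUMERIC_STR.match(a) and NUMERIC_STR.match(b):
        return float(a) == float(b)
    return a == b


def check_password_loose(supplied, stored="000000"):
    # The vulnerable pattern: plaintext password compared with '=='.
    return php_loose_equal(supplied, stored)


def hash_password(password, salt, rounds=200_000):
    """Salted PBKDF2-HMAC-SHA256; only the digest is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


def check_password_strict(supplied, salt, stored_hash):
    # Hash the candidate and compare the digests byte-for-byte in constant
    # time: no type juggling, and no early exit that leaks how many bytes matched.
    return hmac.compare_digest(hash_password(supplied, salt), stored_hash)


if __name__ == "__main__":
    salt = b"constructed-demo-salt"
    stored = hash_password("000000", salt)
    for candidate in ("000000", "0", "0e1234", "00"):
        print(f"{candidate!r:10} loose={check_password_loose(candidate)!s:5} "
              f"strict={check_password_strict(candidate, salt, stored)}")
```

Every string that PHP treats as the number zero ("0", "00", "0e1234", " 0") is accepted by the loose check, which is what shrinks the search space for brute forcing; the hashed, constant-time check accepts exactly one input.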
CREDITS
Abdellah Benotsmane
Anna Breeva
Artem Ivachev
Danila Parnishchev