CVE-2022-34753
Published 2022-07-13
Priority P189 high · 8.8 CVSS 3.1
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 71.08% (99.3th percentile)
A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause remote root exploit when the command is compromised. Affected Products: SpaceLogic C-Bus Home Controller (5200WHC2), formerly known as C-Bus Wiser Homer Controller MK2 (V1.31.460 and prior)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| schneider-electric | spacelogic_c-bus_home_controller_firmware | <= 1.31.460 | — |
| schneider_electric | spacelogic_c-bus_home_controller | >= 5200WHC2 < V1.31.460 | V1.31.460 |
Detection & IOCs
snort
```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Attempted Schneider Electric SpaceLogic C-Bus Home Controller 5200WHC2 Remote Code Execution (CVE-2022-34753)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/delsnap.pl|3f 7c|"; fast_pattern; startswith; http.header_names; to_lowercase; content:!"|0d 0a|referer|0d 0a|"; reference:url,www.exploit-db.com/exploits/50987; classtype:attempted-admin; sid:2038665; rev:2; metadata:attack_target IoT, created_at 2022_08_29, cve CVE_2022_34753, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_26, reviewed_at 2024_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
```
bytes
`/delsnap.pl|3f 7c|`
- The injection point is the `name` CGI parameter of `/delsnap.pl`. A pipe character (`|`) is prepended to the attacker-supplied OS command to achieve injection (e.g., `?name=|id`).
- Successful exploitation returns command output in the HTTP response body with HTTP 200; look for `uid=0(root) gid=0(root)` in responses to GET requests targeting `/delsnap.pl`.
- Shodan/FOFA fingerprinting: devices exposing `SpaceLogic C-Bus` or `spacelogic c-bus` in the HTML body are the target attack surface.
- The exploit requires HTTP Basic Authentication credentials; monitor for authenticated GET requests to `/delsnap.pl` containing a pipe (`|`) in the `name` parameter.
- The Emerging Threats Snort rule (SID 2038665) specifically flags the absence of a `Referer` header combined with a GET to `/delsnap.pl?` followed by a pipe (`|`, hex `7c`) as a strong exploit indicator.
- The exploit requires valid HTTP Basic Authentication credentials for the device; unauthenticated exploitation is not demonstrated in the public PoC, though the CVSS score (PR:L) reflects that low-privilege access is sufficient.
- The vulnerability affects SpaceLogic C-Bus Home Controller (5200WHC2) firmware V1.31.460 and prior only; the underlying OS is Linux 2.6.37 on ARMv7 (OMAP3), so network signatures should be scoped to IoT/embedded device segments.
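The request-side indicators listed above, applied to access logs instead of live traffic. This is an added example, not code from the ET rule or any cited source; it assumes a combined-format access log (for instance from a reverse proxy in front of the controller), and every sample line is constructed. It URL-decodes the query and accepts a pipe anywhere in it, so it covers both the `?name=|…` form and the `/delsnap.pl?|` byte pattern, plus an encoded `%7c`.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumed layout: combined access log format
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

def score_line(line):
    """Return a finding for a GET /delsnap.pl whose query holds a pipe, else None."""
    m = LOG_RE.match(line.strip())
    if not m or m["method"] != "GET":
        return None
    parts = urlsplit(m["target"])
    if unquote(parts.path) != "/delsnap.pl":
        return None
    query = unquote(parts.query)  # decode %7c / %7C to a literal pipe
    if "|" not in query:
        return None  # list, deleteall and plain file names carry no pipe
    return {
        "src": m["src"],
        "time": m["ts"],
        "user": None if m["user"] == "-" else m["user"],  # Basic auth user
        "query": query,
        "no_referer": m["referer"] in ("", "-"),  # the rule's extra condition
        "status": int(m["status"]),
    }

def scan(lines):
    """Score every line and keep only the findings."""
    return [f for f in map(score_line, lines) if f is not None]

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE = [
    '192.0.2.10 - admin [13/Jul/2022:10:00:01 +0000] "GET /delsnap.pl?name=list HTTP/1.1" 200 120 "http://198.51.100.5/" "Mozilla/5.0"',
    '203.0.113.7 - admin [13/Jul/2022:10:02:11 +0000] "GET /delsnap.pl?name=|id HTTP/1.1" 200 39 "-" "curl/7.81.0"',
    '203.0.113.7 - admin [13/Jul/2022:10:02:15 +0000] "GET /delsnap.pl?name=%7Cid HTTP/1.1" 200 39 "-" "curl/7.81.0"',
    '192.0.2.10 - admin [13/Jul/2022:10:05:40 +0000] "GET /delsnap.pl?name=snap01.jpg HTTP/1.1" 200 15 "http://198.51.100.5/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A finding with `no_referer` set and status 200 matches every request-side condition in the list; pair it with a response-body check for `uid=0(root)` where responses are captured.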
CVSS provenance
nvd · v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck · 8.8 HIGH
GHSA
GHSA-mx84-3frj-x7gc: A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause remote root
ghsa_unreviewed·2022-07-14
VulnCheck
Schneider Electric spacelogic_c-bus_home_controller_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2022·CVSS 8.8
Affected: Schneider Electric spacelogic_c-bus_home_controller_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerab
Suricata
ET EXPLOIT Attempted Schneider Electric SpaceLogic C-Bus Home Controller 5200WHC2 Remote Code Execution (CVE-2022-34753)
suricata·2022-08-29·CVSS 8.8
Exploit-DB
Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) - Remote Code Execution
exploitdb·2022-07-29
---
# Exploit Title: Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) - Remote Code Execution
# Exploit Author: LiquidWorm
```perl
param('name');
if ($name eq "list") {
    print "\r\n\r\n";
    print "DATA=";
    print `ls -C1 /mnt/microsd/clipsal/ugen/imgs/`;
    exit(0);
}
if ($name eq "deleteall") {
    print "\r\n\r\n";
    print "DELETINGALL=TRUE&";
    print `rm /mnt/microsd/clipsal/ugen/imgs/*`;
    print "COMPLETED=true\n";
    exit(0);
}
#print "name $name\n";
print "\r\n\r\n";
my $filename = "/mnt/microsd/clipsal/ugen/imgs/$name";

unlink $filename or die "COMPLETED=false\n";

print "COMPLETED=true\n";
```
Tested on: Machine: OMAP3 Wiser2 Board
Nuclei
SpaceLogic C-Bus Home Controller <=1.31.460 - Remote Command Execution
nuclei·CVSS 8.8
SpaceLogic C-Bus Home Controller through 1.31.460 is susceptible to remote command execution via improper neutralization of special elements. Remote root exploit can be enabled when the command is compromised, and an attacker can potentially execute malware, obtain sensitive information, modify data, and/or gain full control without entering necessary credentials.
Template:
```yaml
id: CVE-2022-34753
info:
  name: SpaceLogic C-Bus Home Controller <=1.31.460 - Remote Command Execution
  author: gy741
  severity: high
  description: |
    SpaceLogic C-Bus Home Controller through 1.31.460 is susceptible to remote command execution via improper neutralization of special elements. Remote root exploit can be enabled when the command is compr
```
- http://packetstormsecurity.com/files/167783/Schneider-Electric-SpaceLogic-C-Bus-Home-Controller-5200WHC2-Remote-Root.html
- https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-193-02_SpaceLogic-C-Bus-Home-Controller-Wiser_MK2_Security_Notification.pdf