Wilco van Beijnum
Security researcher
CSIRT cases
CVE Records
- Mennekes smart/premium charges systems, SQL Injection in web configuration interface
- Mennekes smart/premium charges systems, Arbitrary file download using ReadFile endpoint
- Mennekes smart/premium charges systems, Command injection in sCU firmware update
- Mennekes smart/premium charges systems, Command injection in time setting
- Mennekes smart/premium charges systems, Command injection in firmware upgrade
- Buffer overflow vulnerabilities in CGI scripts lead to segfault
- Authenticated arbitrary file upload to /tmp/ and /tmp/upload/
- Buffer overflow in <redacted>.so leads to DoS of OCPP service
- Arbitrary file download using <redacted>.sh
- Plaintext default credentials in firmware
- Using the <redacted> action or <redacted>.sh script, arbitrary files and directories can be deleted using directory traversal.
- When uploading new firmware, a shell script inside a firmware file is executed during its processing. This can be used to craft a custom firmware file with a custom script with arbitrary code, which will then be executed on the charging station.
- A backup can be manipulated and then restored to create arbitrary files inside the <redacted> directory. A CGI script can be added to the web directory this way, allowing for full remote code execution.
- Any authenticated user can execute OS commands as root using the <redacted>.sh CGI script.
- Authenticated command injection in the <redacted> action leads to full remote code execution as root on the charging station
- Authenticated command injection in the <redacted> action leads to full remote code execution as root on the charging station
- Authenticated command injection in the <redacted> action leads to full remote code execution as root on the charging station
- Authenticated command injection in the <redacted> action leads to full remote code execution as root on the charging station
- Authenticated command injection in the <redacted> action leads to full remote code execution as root on the charging station
- Authenticated command injection via <redacted>.exe <redacted> parameter
- Authenticated command injection via <redacted>.exe <redacted> parameter