Carel pCOWeb HVAC Insecure Credential Storage

The Carel pCOWeb card stores password hashes in the file /etc/passwd, allowing privilege escalation by authenticated users. Additionally, plaintext copies of the passwords are stored. Version A 1.4.11 - B 1.4.2 is affected.

MD5 | adcd6976fc3af3a31111c9cc0175dc80

Advisory: Unsafe Storage of Credentials in Carel pCOWeb HVAC

The Carel pCOWeb card stores password hashes in the file "/etc/passwd",
allowing privilege escalation by authenticated users. Additionally,
plaintext copies of the passwords are stored.


Product: HVAC units using the OEM Carel pCOWeb Ethernet Control Interface
Affected Versions: "A 1.4.11 - B 1.4.2", possibly others
Fixed Versions: product obsolete
Vulnerability Type: Credential Disclosure / Privilege Escalation
Security Risk: low
Vendor URL:
Vendor Status: notified / product obsolete
Advisory URL:
Advisory Status: published


"The pCOWeb card is used to interface the pCO Sistema to networks that
use the HVAC protocols based on the Ethernet physical standard, such as
BACnet IP, Modbus TCP/IP and SNMP. The card also features an integrated
Web-Server, which both contains the HTML pages relating to the specific
application and allows a browser to be used for remote system
(from the vendor's homepage)

It is used as an OEM module in several different HVAC systems and
considered obsolete by the vendor.

More Details

The Carel pCOWeb interface provides user accounts with different levels
of privileges. Despite the different privileges, other users, even the
user nobody, are able to read the file "/etc/passwd" which contains the
hashed passwords for all user accounts, especially those with more
privileges. Additionally, a plaintext copy of all passwords is stored in
the file /usr/local/root/flash/etc/sysconfig/userspwd, which is
accessible from the web interface at the URL
This allows attackers with knowledge of one user account password to
gain knowledge of the other accounts passwords, possibly gaining more

Proof of Concept

Apart from a web interface, the Carel pCOWeb card provides a telnet
interface accessible using a variety of default passwords and, in some
cases, the user "nobody" without password:

$ telnet
Connected to
Escape character is '^]'.

Linux 2.4.21-rmk1 (pCOWeb) (ttya0)

pCOWeb login: nobody
No directory /var/lib/nobody!
Logging in with home = "/".
Executing profile
[nobody@pCOWeb13:58:55 /]$ ls -la /etc/passwd
-rw-r--r-- 1 root root 317 Jan 1 00:00 /etc/passwd
[nobody@pCOWeb13:59:00 /]$ cat /etc/passwd
http::48:48:HTTP users:/usr/http/root:/bin/bash
[nobody@pCOWeb13:59:32 /]$ cat /usr/local/root/admin/.htpasswd
[nobody@pCOWeb13:59:33 /]$

The following table lists the cleartext passwords for above
password hashes:

username | password
root | froot
httpadmin | fhttpadm
carel | fcarel
guest | fguest
nobody | (none)
admin | fadmin

The passwords for the useraccounts "root", "httpadmin", "carel" and
"guest" are documented in section 9.7.2 of the user manual [0], warning

"it is important to set a password other than the default "froot" to
prevent potentially dangerous outside access."

It is possible that these default credentials are covered in
CVE-2019-13553. Depending on firmware version and/or OEM modifications,
some versions additionally allow Telnet login without password with the
username "nobody" while it is disabled for other versions.

The password for the web interface user "admin" is documented in section
9.2.1 of the user manual [0].

Additionally, some versions were seen with additional user credentials
stored in the directory provided for OEM modifications of the web
interface, such as the username "reserved" with the password "freserve"
in "/usr/local/root/flash/http/reserved/.htpasswd".
Storing some of these passwords in plaintext is covered in

However, while the above passwords are stored in hashed form, the web
interface at shows them in
plaintext. A file containing the plaintext passwords can be found in the

[root@pCOWeb14:02:14 /]# cat /usr/local/root/flash/etc/sysconfig/userspwd


Change all default passwords listed above and ensure the user "nobody"
is disabled or has a password set.
The Carel pCOWeb card should not be connected to networks accessible by
untrusted users (compare advisory rt-sa-2019-014[1]).


No updated firmware will be published for pCOWeb Cards, as they are
obsolete since Dec 2017. A successor hardware with current firmware is
available for OEM integrators.

Security Risk

Attackers with knowledge of one set of user credentials to a Carel
pCOWeb card could use the password hashes accessible to all users in
"/etc/passwd" or the plaintext copies of the passwords to gain
different privileges. Due to the necessity of access to credentials,
this is considered to pose a low risk only.


2019-07-17 Vulnerability identified
2019-08-03 Customer approved disclosure to vendor
2019-09-02 Vendor notified
2019-09-09 Vendor did not respond as promised
2019-09-17 Vendor could not be reached
2019-09-18 Vendor could not be reached
2019-09-18 Vendor could not be reached
2019-10-28 Advisory published due to publication of CVE-2019-13553



RedTeam Pentesting GmbH

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:

Working at RedTeam Pentesting

RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:

RedTeam Pentesting GmbH Tel.: +49 241 510081-0
Dennewartstr. 25-27 Fax : +49 241 510081-99
52068 Aachen
Germany Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen

Related Posts