Thursday, July 28, 2016

mySCADAPro v7 Local Privilege Escalation

Reporting a vulnerability in mySCADAPro version 7 (current version).

Vendor: mySCADA Technologies s.r.o. 
Product web page: 
Affected application: myscadaPro 
Affected version: v7 (Current version)


myPRO is a professional HMI/SCADA system designed primarily for the visualisation and control of industrial processes. myPRO is an effective and innovative solution for any industry that needs non-stop operation. myPRO guarantees reliable supervision, a user-friendly interface and superior security.

Vulnerability Description: 

The myscadaPro7 application installs eight (8) services. All of these services run as LocalSystem by default and suffer from an unquoted service path issue. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. 

A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user’s code would execute with the elevated privileges of the application.

Tested on: 
Microsoft Windows Vista Ultimate SP2 (EN)


The following services have insecurely quoted paths:

1. Bonjour Service (Bonjour Service) runs as LocalSystem and has path: C:\Program Files\mySCADA\bin\mDNSResponder.exe

2. myalerting (myalerting) runs as LocalSystem and has path: C:\Program Files\mySCADA\bin\mySCADAservice.exe "\"C:\Program Files\mySCADA\bin\myalerting.exe\" -c \"C:\ProgramData\mySCADA\myscada.conf\" -m \"C:\ProgramData\mySCADA\msmtp.conf\" -s \"C:\ProgramData\mySCADA\sms.conf\" "

3. myscadacom (myscadacom) runs as LocalSystem and has path: C:\Program Files\mySCADA\bin\mySCADAservice.exe "\"C:\Program Files\mySCADA\bin\myscadacom.exe\" -c \"C:\ProgramData\mySCADA\myscada.conf\" "

4. myscadadb (myscadadb) runs as LocalSystem and has path: C:\Program Files\mySCADA\bin\mySCADAservice.exe "\"C:\Program Files\mySCADA\bin\myscadadb.exe\" -c \"C:\ProgramData\mySCADA\myscada.conf\" "

5. myscadagate (myscadagate) runs as LocalSystem and has path: C:\Program Files\mySCADA\bin\mySCADAservice.exe "\"C:\Program Files\mySCADA\bin\myscadagate.exe\" -f \"C:\ProgramData\mySCADA\myscada.conf\" "

6. myscadahmi (myscadahmi) runs as LocalSystem and has path: C:\Program Files\mySCADA\bin\mySCADAservice.exe "\"C:\Program Files\mySCADA\bin\myscadahmi.exe\" -p \"C:\Program Files\mySCADA\" -c \"conf\hmi.conf\" "

7. myscadalog (myscadalog) runs as LocalSystem and has path: C:\Program Files\mySCADA\bin\mySCADAservice.exe "\"C:\Program Files\mySCADA\bin\myscadalog.exe\" -c \"C:\ProgramData\mySCADA\myscada.conf\" "

8. myscadascr (myscadascr) runs as LocalSystem and has path: C:\Program Files\mySCADA\bin\mySCADAservice.exe "\"C:\Program Files\mySCADA\bin\node.exe\" \"C:\Program Files\mySCADA\bin\scripts\scripts.js\" -c \"C:\ProgramData\mySCADA\myscada.conf\" -a 1 "
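As an added audit check (not code from the advisory or the vendor), the following Python parses service ImagePath strings like the ones listed above, flags those whose executable portion is unquoted and contains spaces, and produces the quoted form an administrator would set with sc config. The sample ImagePath values are copied from the list above plus two well-formed ones for contrast; the ".exe" boundary heuristic is an assumption of this example.

```python
import re

# Constructed sample of service ImagePath values: the first two are copied from
# the advisory's list above, the last two are well-formed examples for contrast.
SERVICE_PATHS = {
    "Bonjour Service": r"C:\Program Files\mySCADA\bin\mDNSResponder.exe",
    "myscadacom": r'C:\Program Files\mySCADA\bin\mySCADAservice.exe "\"C:\Program Files\mySCADA\bin\myscadacom.exe\" -c \"C:\ProgramData\mySCADA\myscada.conf\" "',
    "quoted-ok": r'"C:\Program Files\Example\svc.exe" -run',
    "nospace-ok": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

# Heuristic (assumption of this example): in an unquoted ImagePath the executable
# is everything up to the first ".exe"; whatever follows is the argument string.
EXE_RE = re.compile(r"^(.*?\.exe)(\s.*)?$", re.IGNORECASE | re.DOTALL)

def executable_part(image_path):
    """Return (executable, was_quoted) for a service ImagePath."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:end] if end > 0 else s[1:]), True
    m = EXE_RE.match(s)
    return (m.group(1) if m else s.split(" ")[0]), False

def is_unquoted_with_spaces(image_path):
    # With an unquoted path containing spaces the service control manager tries
    # each space-delimited prefix (C:\Program.exe, C:\Program Files\mySCADA.exe, ...)
    # before the intended binary, which is the condition the advisory describes.
    exe, quoted = executable_part(image_path)
    return (not quoted) and (" " in exe)

def quoted_fix(image_path):
    """Wrap only the executable in quotes; the argument string is left untouched."""
    exe, quoted = executable_part(image_path)
    s = image_path.strip()
    if quoted or " " not in exe:
        return s
    return '"' + exe + '"' + s[len(exe):]

def audit(paths):
    """Map service name -> corrected ImagePath for every vulnerable entry."""
    return {name: quoted_fix(p) for name, p in paths.items() if is_unquoted_with_spaces(p)}

if __name__ == "__main__":
    for name, fixed in audit(SERVICE_PATHS).items():
        # Apply the fix with: sc config "<name>" binPath= "<fixed>" (escape the inner quotes for cmd).
        print(f"{name}: {fixed}")
```

Only the executable is quoted; the service's own quoted argument string, where present, is preserved as is.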


Wednesday, July 6, 2016

RS232-NET Converter (model JTC-200) - Multiple vulnerabilities

About RS232-NET Converter (model JTC-200) 

Seen deployed in:
  • CHTD, Chunghwa Telecom Co., Ltd. (Taiwan) 
  • HiNet (Taiwan & China)
  • PT Comunicacoes (Portugal)
  • Sony Network Taiwan Limited (Taiwan) 
  • Vodafone Portugal (Portugal)

1. Weak Credential Management
The RS232-NET Converter (model JTC-200) web administration interface uses non-random default credentials of admin:1234. The application does not enforce a mandatory password change. A network-based attacker can gain privileged access to a vulnerable device's web management interfaces or leverage default credentials in remote attacks such as cross-site request forgery.

2. Unauthenticated access over Telnet (Backdoor shell)
The RS232-NET Converter (model JTC-200) provides an undocumented BusyBox Linux shell over the Telnet service, without any authentication. This backdoor shell therefore gives direct access to the internal network over the Internet.

Trying IP...
Connected to IP. 
Escape character is '^]'. 

BusyBox v0.60.4 (2008.02.21-16:59+0000) Built-in shell (msh) 
Enter 'help' for a list of built-in commands. 


BusyBox v0.60.4 (2008.02.21-16:59+0000) multi-call binary 
Usage: busybox [function] [arguments]... 
or: [function] [arguments]... 

BusyBox is a multi-call binary that combines many common Unix  utilities into a single executable. Most people will create a link to busybox for each function they wish to use, and BusyBox will act like whatever it was invoked as.

Currently defined functions: 
[, busybox, cat, cp, df, hostname, ifconfig, init, kill, killall, ls, mkdir, mknod, mount, msh, mv, ping, ps, pwd, rm, sh, test, touch, vi


# ls
bin dev etc nfs proc swap usb var
# cd etc
# ls
ConfigPage WRConfig.ini config inetd.conf inittab ppp protocols rc resolv.conf services 

# cat inetd.conf 
telnet stream tcpnowait root /bin/telnetd 

The BusyBox shell offers a fairly restricted set of functions, but it is still possible to perform enumeration.

192.168.5.x -> real ip

# for i in `cat ip-list`; do ping 192.168.5.$i; done is alive! 
No response from 
No response from is alive! is alive! 

3. Cross-Site Request Forgery (CSRF)
The RS232-NET Converter (model JTC-200) contains a global CSRF vulnerability. An attacker can perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request. Note that in combination with default credentials, an attacker can establish an active session as part of an attack and therefore would not require a victim to be logged in. 


CIMA DocuClass Enterprise Content Management - Multiple Vulnerabilities

DocuClass is a modular and scalable enterprise content management (ECM) solution that allows organizations to streamline internal operations by significantly improving the way they manage their information within a business process. 

Remote Exploitation, no authentication required

Vendor Response: None

Vulnerability Findings

1. SQL Injection

DocuClass web application contains a SQL injection vulnerability.

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The vulnerability exists because the application fails to validate user input. Multiple parameters are affected.

Vulnerable URLs & parameters:

A: POST request
/dcrpcserver.php [parameter - uid]
Parameter: uid (POST)
    Type: boolean-based blind
    Title: PostgreSQL boolean-based blind - Parameter replace
    Payload: cmd=searchform&action=getsavedqueries&node=&uid=(SELECT (CASE WHEN (7877=7877) THEN 7877 ELSE 1/(SELECT 0) END))
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.2.5
back-end DBMS: Microsoft SQL Server 2008

B: GET request
/e-forms/dcformsserver.exe?action=createimagepdf&documentid=1408648&userid=755 [parameter - userid]

An unauthenticated attacker can read or modify data in the application database, execute code, and compromise the host system.

2. Access Control Flaws

DocuClass web application does not enforce strict access control.


Dump all the documents with a bit of scripting.

An unauthenticated user can access all stored documents by directly calling the document url.

3. Cross-Site Scripting

DocuClass web application lacks strong input validation, and multiple URLs and parameters are vulnerable to cross-site scripting (CWE-79) attacks:
/e-forms/dcformsserver.exe [action parameter]
/e-forms/dcformsserver.exe [documentid parameter]
/e-forms/dcformsserver.exe [userid parameter]
/reports_server.php [cmd parameter]
/reports_server.php [reportid parameter]
/reports_server.php [uid parameter]

An attacker may be able to execute arbitrary scripts/code in the context of the user's browser.
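As an added example (not the advisory's or the vendor's code) covering findings 1 and 3 above: a server-side allow-list check for the numeric identifier parameters the advisory names (uid, userid, documentid, reportid), plus a keyword screen for the free-text ones (cmd, action), run over constructed sample requests. The endpoint paths, parameter names and the boolean-blind probe come from the advisory; the other sample values are made up for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The injectable parameters named in the advisory are all numeric identifiers,
# so a digits-only allow-list is the natural server-side check for them.
NUMERIC_PARAMS = {"uid", "userid", "documentid", "reportid"}
# Fragments of the boolean-blind probe shown in the sqlmap output above, plus
# the usual script-injection markers for the free-text parameters.
SUSPICIOUS = re.compile(r"(?i)\bselect\b|\bcase\s+when\b|\bunion\b|<\s*script|javascript:")

# Constructed sample requests as (method, path-with-query, body); not captured traffic.
SAMPLE_REQUESTS = [
    ("POST", "/dcrpcserver.php", "cmd=searchform&action=getsavedqueries&node=&uid=755"),
    ("POST", "/dcrpcserver.php",
     "cmd=searchform&action=getsavedqueries&node=&uid=(SELECT (CASE WHEN (7877=7877) THEN 7877 ELSE 1/(SELECT 0) END))"),
    ("GET", "/e-forms/dcformsserver.exe?action=createimagepdf&documentid=1408648&userid=755", ""),
    ("GET", "/e-forms/dcformsserver.exe?action=createimagepdf&documentid=1408648&userid=755%20OR%201=1", ""),
    ("GET", "/reports_server.php?cmd=%3Cscript%3Ealert(1)%3C/script%3E&reportid=3&uid=12", ""),
]

def params_of(method, target, body):
    """Decode the request's parameters: query string for GET, body for POST."""
    raw = urlsplit(target).query if method == "GET" else body
    return {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}

def validate(params):
    """Return a list of (parameter, reason) findings; an empty list means the request is clean."""
    findings = []
    for name, value in params.items():
        if name in NUMERIC_PARAMS:
            if not value.isdigit():          # allow-list: identifiers must be plain digits
                findings.append((name, "non-numeric id"))
        elif SUSPICIOUS.search(value):       # free-text parameters get a keyword screen
            findings.append((name, "suspicious content"))
    return findings

def triage(requests):
    """Run the checks over a batch of (method, target, body) tuples."""
    return [(target, validate(params_of(method, target, body))) for method, target, body in requests]

if __name__ == "__main__":
    for target, findings in triage(SAMPLE_REQUESTS):
        print(("FLAG " if findings else "ok   ") + target, findings)
```

The same validate() logic works as a reject-before-query guard in the application and as a triage filter over web server logs.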

4. Vulnerable to Cross-Site Request Forgery

The application does not generate a CSRF token per page and/or per sensitive function. 

Successful exploitation of this vulnerability can allow silent execution of unauthorized actions in the application such as configuration changes, potentially deleting stored documents, running reports, changing passwords, filling disk space via repeated duplicate copying of documents, etc.


Friday, July 1, 2016

[ICS] ICS-ALERT-16-182-01 published - Sierra Wireless Raven XE & XT vulnerabilities

A couple of days back, I posted multiple vulnerabilities in Sierra Wireless Raven XE & XT devices on the Full Disclosure list, and here:

The ICS-CERT team confirmed yesterday that they have now released an alert on this report as well:

No CVE-IDs have been allocated for these (yet) though.


Exploit Exercises - nebula level14

flag14 simply reorders the characters:

The decrypt script was found at the website below; it has a lot of informative posts as well. Check it out:

import sys

result = ""
pos = 0
# flag14 adds each character's position to its value; undo that here.
# Usage: python3 decrypt.py <token file>
with open(sys.argv[1], "r") as f:
    for c in f.read()[:-1]:  # drop the trailing newline
        result += chr(ord(c) - pos)
        pos += 1
print(result)


Exploit Exercises - nebula level13

The program expects UID 1000.

Let's debug it in gdb. Put a breakpoint at main() so we can analyze the program flow first.

The program compares the UID of the user running flag13 (1014) with the UID it expects (1000). This is done by a CMP instruction at main+48 (address 0x80484f4).

Put a breakpoint at the CMP and continue until it is hit.

At this point, we find that the UID value (1014) is held in the $eax register. We can change it to 1000, so when the CMP is executed next the UIDs match and we get the token.

Log in as flag13 using the token value and run getflag.



The views, information & opinions expressed in this blog are my own and do not reflect the views of my current or former employers or employees or colleagues.