Post

Scada-LTS - Privilege escalation to RCE (CVE-2023-33472)

Vulnerability information

  • CVE-ID: CVE-2023-33472
  • Vulnerability Type: Incorrect Access Control
  • Affected Product Code Base: Scada-LTS v2.7.5.2 build 4551883606 (or previous versions)
  • Attack Type: Remote
  • Impact: Privilege escalation, command execution, arbitrary file read and write, information leakage and service unavailability.
  • Attack Vectors: To exploit the vulnerability, it is required to be authenticated with a low privilege user.

Description

A privilege escalation issue was discovered in Scada-LTS v2.7.5.2 build 4551883606 allows remote attackers, authenticated in the application as a low-privileged user to perform remote code execution (RCE) through ‘Event Handlers’ feature.

It was possible to identify that Scada-LTS has an administrative feature called Event Handlers, through which it is possible to execute actions and commands within the application server.

Knowing this point, it was identified that a low-privilege user can consume this function in an unauthorized way, thus performing command injection to exfiltrate sensitive information from the system, arbitrary read and write files on the system, escalate privileges on sytem and perform denial of service (DoS).

Steps

First of all, it is necessary obtain a valid session by authenticating to the application with a low-privilege user account. The image below demonstrates the authentication with user ‘test’ (low privilege user):

The following image confirms that the session obtained in the previous step is from a low-privilege user:

The following images illustrate that the Event Handlers page is inaccessible from the low-privilege user session on the client side:

Knowing that, the low-privilege user’s session cookie was used to perform the request responsible for testing process commands through the event handler function. The following image demonstrates a command injection to read a sensitive system file:

The following image demonstrates the receipt of the command performed in the previous step:

Conclusion

The issue has been patched in SCADA-LTS v2.7.5.3 by developers team.

Special thanks to the Scada-LTS team for their attention and for receiving my report.

References

This post is licensed under CC BY 4.0 by the author.