Scada-LTS - Privilege escalation to RCE (CVE-2023-33472)

Introduction

A few months ago I decided to use Scada-LTS in a communication test with a certain microcontroller. I noticed that the project is updated frequently and seems to have a very active community maintaining it, so I decided to check whether some features that were vulnerable in the ScadaBR project were also vulnerable here.

Vulnerability information

  • CVE-ID: CVE-2023-33472
  • Vulnerability Type: Incorrect Access Control
  • Affected Product Code Base: Scada-LTS v2.7.5.2 build 4551883606 (or previous versions)
  • Attack Type: Remote
  • Impact: Privilege escalation, command execution, arbitrary file read and write, information leakage and service unavailability.
  • Attack Vectors: Exploiting the vulnerability requires being authenticated to the application as a low-privilege user.

Description

A privilege escalation issue was discovered in Scada-LTS v2.7.5.2 build 4551883606 that allows remote attackers, authenticated in the application as a low-privileged user, to perform remote code execution (RCE) through the ‘Event Handlers’ feature.

It was possible to identify that Scada-LTS has an administrative feature called Event Handlers, through which it is possible to execute actions and commands within the application server.

Knowing this, it was identified that a low-privilege user can call this function without authorization, thus performing command injection to exfiltrate sensitive information from the system, read and write arbitrary files on the system, escalate privileges on the system and cause a denial of service (DoS).

Steps

First of all, it is necessary to obtain a valid session by authenticating to the application with a low-privilege user account. The image below demonstrates the authentication with the user ‘test’ (low-privilege user):

The following image confirms that the session obtained in the previous step is from a low-privilege user:

In turn, the following images demonstrate that, on the client side, the Event Handlers page is not visible from the low-privilege user session:

Knowing that, the low-privilege user’s session cookie was used to send the request that the Event Handlers function uses to test process commands. The following image demonstrates a command injection to read a sensitive system file:

The following image demonstrates the receipt of the command performed in the previous step:
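The steps above show the root cause: the Event Handlers page is only hidden in the UI, while the server-side endpoint accepts the request from any authenticated session. The following is an added example (not Scada-LTS code; the session store, role model and action name are hypothetical) that contrasts that flawed pattern with an endpoint that enforces the administrator check on the server and audits denied attempts:

```python
"""Server-side authorization for an admin-only action, modelled on the
class of flaw in CVE-2023-33472. Added example with hypothetical names."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool


# Constructed session store: session cookie value -> authenticated user.
SESSIONS = {
    "sid-admin-001": User("admin", True),
    "sid-test-002": User("test", False),  # low-privilege user, as in the post
}

AUDIT_LOG = []  # denied privileged requests, for detection and review


def run_event_handler_action(action):
    """Stand-in for the privileged back-end action; only records what would run."""
    return f"executed:{action}"


def event_handler_vulnerable(session_id, action):
    """Flawed pattern: the page is hidden for non-admins in the UI, but the
    endpoint trusts any authenticated session (the bug class described above)."""
    if session_id not in SESSIONS:
        return "401 unauthenticated"
    return run_event_handler_action(action)


def event_handler_hardened(session_id, action):
    """Fixed pattern: authentication and the admin role are both checked on
    the server, and every denied attempt is written to the audit log."""
    user = SESSIONS.get(session_id)
    if user is None:
        return "401 unauthenticated"
    if not user.is_admin:
        AUDIT_LOG.append(f"DENY user={user.name} action={action!r}")
        return "403 forbidden"
    return run_event_handler_action(action)


if __name__ == "__main__":
    for sid in SESSIONS:
        print(sid, event_handler_vulnerable(sid, "test-process-command"),
              event_handler_hardened(sid, "test-process-command"))
    print(AUDIT_LOG)
```

Run stand-alone, the script shows the ‘test’ session being accepted by the vulnerable endpoint and rejected with a 403 by the hardened one, with the rejection recorded in the audit log.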

Conclusion

The issue has been patched by the development team in Scada-LTS v2.7.5.3.

Special thanks to the Scada-LTS team for their attention and for receiving my report.

This post is licensed under CC BY 4.0 by the author.