Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Path: blob/master/documentation/modules/exploit/windows/scada/mypro_cmdexe.md
Views: 11789
Vulnerable Application
Vulnerability Description
This module exploits a command injection vulnerability in mySCADA MyPRO <= v8.28.0 (CVE-2023-28384).
An authenticated remote attacker can exploit this vulnerability to inject arbitrary OS commands, which will get executed in the context of NT AUTHORITY\SYSTEM. This module uses the default admin:admin credentials, but any account configured on the system can be used to exploit this issue.
Versions <= 8.28.0 are affected. CISA published ICSA-23-096-06 to cover the security issues. The official changelog for the updated version, v8.29.0, is available here, although it only mentions a "General security improvement" without further details.
Vulnerable Application Installation
A trial version of the software can be obtained from the vendor. For the product to work correctly, the project and log directories need to be configured first, which can be done through the web inteface (navigate to System > Storage).
Successfully tested on
mySCADA MyPRO 8.28.0 on Windows 10 22H2
mySCADA MyPRO 8.27.0 on Windows 10 22H2
mySCADA MyPRO 8.26.0 on Windows 10 22H2
Verification Steps
Install the application
Configure the project and log paths (System > Storage in the web interface, running by default on TCP ports 80 & 443)
Start
msfconsoleand run the following commands:
You should get a meterpreter session in the context of NT AUTHORITY\SYSTEM.
Options
USERNAME
The username of a MyPRO user (default: admin)
PASSWORD
The associated password of the MyPRO user (default: admin)
Scenarios
Running the exploit against MyPRO v8.28.0 on Windows 10 22H2, using curl as a fetch command, should result in an output similar to the following: