Advantech iView NetworkServlet Command Injection
Posted by deepcore on August 19, 2022 – 10:46 pm
Advantech iView software versions prior to 5.7.04.6469 are vulnerable to an unauthenticated command injection vulnerability via the NetworkServlet endpoint. The database backup functionality passes a user-controlled parameter, backup_file to the mysqldump command. The sanitization functionality only tests for SQL injection attempts and directory traversal, so leveraging the -r and -w mysqldump flags permits exploitation. The command injection vulnerability is used to write a payload on the target and achieve remote code execution as NT AUTHORITYSYSTEM.
Post a reply
You must be logged in to post a comment.