| शीर्षक | Industrial Application Software - IAS Canias ERP 8.03-- Code Injection - Remote Code Execution - (CWE-94/CWE-78) |
|---|
| विवरण | A critical vulnerability was found in Industrial Application Software caniasERP 8.03. It has been classified as critical. This issue affects the function doAction of the component CTI_TOOLBAR_RUNCODE of the RMI Interface on port 27499. The manipulation of the argument troiaCode with an iasCtiRunCodeEvent containing a RUNPROGRAM statement leads to OS command injection. The attack may be initiated remotely. A valid session is required, which is obtainable without authentication via a related unauthenticated session enumeration issue. The RUNPROGRAM statement passes its argument directly to
Runtime.getRuntime().exec() on the server host without any command validation, allowlist, or sandboxing. No role-based access control is enforced; automated CRONJOB sessions and regular user sessions alike can trigger unrestricted command execution. Exploitation has been demonstrated: issuing RUNPROGRAM 'cmd.exe /c whoami' WITH WAIT; returns the server hostname and service account name, confirming unrestricted OS command
execution on the host. When chained with the companion unauthenticated GETUSERLIST and session hijacking issues, a fully unauthenticated remote attacker achieves complete Remote Code Execution with no prior credentials.
Discovered by Bilal Güneş (@b1lal) of HawkTrace. |
|---|
| स्रोत | ⚠️ https://gist.github.com/0xb1lal/6ccc2356e7e0a26f7b8a6bd6f0d84bbb |
|---|
| उपयोगकर्ता | b1lal (UID 97312) |
|---|
| सबमिशन | 20/04/2026 05:41 PM (1 महीना पहले) |
|---|
| संयम | 09/05/2026 09:19 AM (19 days later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 362434 [Industrial Application Software IAS Canias ERP 8.03 RMI Interface Runtime.getRuntime.exec troiaCode अधिकार वृद्धि] |
|---|
| अंक | 20 |
|---|