| 제목 | Industrial Application Software - IAS Canias ERP 8.03-- Code Injection - Remote Code Execution - (CWE-94/CWE-78) |
|---|
| 설명 | A critical vulnerability was found in Industrial Application Software caniasERP 8.03. It has been classified as critical. This issue affects the function doAction of the component CTI_TOOLBAR_RUNCODE of the RMI Interface on port 27499. The manipulation of the argument troiaCode with an iasCtiRunCodeEvent containing a RUNPROGRAM statement leads to OS command injection. The attack may be initiated remotely. A valid session is required, which is obtainable without authentication via a related unauthenticated session enumeration issue. The RUNPROGRAM statement passes its argument directly to
Runtime.getRuntime().exec() on the server host without any command validation, allowlist, or sandboxing. No role-based access control is enforced; automated CRONJOB sessions and regular user sessions alike can trigger unrestricted command execution. Exploitation has been demonstrated: issuing RUNPROGRAM 'cmd.exe /c whoami' WITH WAIT; returns the server hostname and service account name, confirming unrestricted OS command
execution on the host. When chained with the companion unauthenticated GETUSERLIST and session hijacking issues, a fully unauthenticated remote attacker achieves complete Remote Code Execution with no prior credentials.
Discovered by Bilal Güneş (@b1lal) of HawkTrace. |
|---|
| 원천 | ⚠️ https://gist.github.com/0xb1lal/6ccc2356e7e0a26f7b8a6bd6f0d84bbb |
|---|
| 사용자 | b1lal (UID 97312) |
|---|
| 제출 | 2026. 04. 20. PM 05:41 (1 월 ago) |
|---|
| 모더레이션 | 2026. 05. 09. AM 09:19 (19 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 362434 [Industrial Application Software IAS Canias ERP 8.03 RMI Interface Runtime.getRuntime.exec troiaCode 권한 상승] |
|---|
| 포인트들 | 20 |
|---|