| Título | Industrial Application Software - IAS Canias ERP 8.03-- Code Injection - Remote Code Execution - (CWE-94/CWE-78) |
|---|
| Descrição | A critical vulnerability was found in Industrial Application Software caniasERP 8.03. It has been classified as critical. This issue affects the function doAction of the component CTI_TOOLBAR_RUNCODE of the RMI Interface on port 27499. The manipulation of the argument troiaCode with an iasCtiRunCodeEvent containing a RUNPROGRAM statement leads to OS command injection. The attack may be initiated remotely. A valid session is required, which is obtainable without authentication via a related unauthenticated session enumeration issue. The RUNPROGRAM statement passes its argument directly to
Runtime.getRuntime().exec() on the server host without any command validation, allowlist, or sandboxing. No role-based access control is enforced; automated CRONJOB sessions and regular user sessions alike can trigger unrestricted command execution. Exploitation has been demonstrated: issuing RUNPROGRAM 'cmd.exe /c whoami' WITH WAIT; returns the server hostname and service account name, confirming unrestricted OS command
execution on the host. When chained with the companion unauthenticated GETUSERLIST and session hijacking issues, a fully unauthenticated remote attacker achieves complete Remote Code Execution with no prior credentials.
Discovered by Bilal Güneş (@b1lal) of HawkTrace. |
|---|
| Fonte | ⚠️ https://gist.github.com/0xb1lal/6ccc2356e7e0a26f7b8a6bd6f0d84bbb |
|---|
| Utilizador | b1lal (UID 97312) |
|---|
| Submissão | 20/04/2026 17h41 (há 2 meses) |
|---|
| Moderação | 09/05/2026 09h19 (19 days later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 362434 [Industrial Application Software IAS Canias ERP 8.03 RMI Interface Runtime.getRuntime.exec troiaCode Elevação de Privilégios] |
|---|
| Pontos | 20 |
|---|