| Название | Industrial Application Software - IAS Canias ERP 8.03-- Code Injection - Remote Code Execution - (CWE-94/CWE-78) |
|---|
| Описание | A critical vulnerability was found in Industrial Application Software caniasERP 8.03. It has been classified as critical. This issue affects the function doAction of the component CTI_TOOLBAR_RUNCODE of the RMI Interface on port 27499. The manipulation of the argument troiaCode with an iasCtiRunCodeEvent containing a RUNPROGRAM statement leads to OS command injection. The attack may be initiated remotely. A valid session is required, which is obtainable without authentication via a related unauthenticated session enumeration issue. The RUNPROGRAM statement passes its argument directly to
Runtime.getRuntime().exec() on the server host without any command validation, allowlist, or sandboxing. No role-based access control is enforced; automated CRONJOB sessions and regular user sessions alike can trigger unrestricted command execution. Exploitation has been demonstrated: issuing RUNPROGRAM 'cmd.exe /c whoami' WITH WAIT; returns the server hostname and service account name, confirming unrestricted OS command
execution on the host. When chained with the companion unauthenticated GETUSERLIST and session hijacking issues, a fully unauthenticated remote attacker achieves complete Remote Code Execution with no prior credentials.
Discovered by Bilal Güneş (@b1lal) of HawkTrace. |
|---|
| Источник | ⚠️ https://gist.github.com/0xb1lal/6ccc2356e7e0a26f7b8a6bd6f0d84bbb |
|---|
| Пользователь | b1lal (UID 97312) |
|---|
| Представление | 20.04.2026 17:41 (1 месяц назад) |
|---|
| Модерация | 09.05.2026 09:19 (19 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 362434 [Industrial Application Software IAS Canias ERP 8.03 RMI Interface Runtime.getRuntime.exec troiaCode эскалация привилегий] |
|---|
| Баллы | 20 |
|---|