| tiêu đề | Industrial Application Software - IAS Canias ERP 8.03-- Code Injection - Remote Code Execution - (CWE-94/CWE-78) |
|---|
| Mô tả | A critical vulnerability was found in Industrial Application Software caniasERP 8.03. It has been classified as critical. This issue affects the function doAction of the component CTI_TOOLBAR_RUNCODE of the RMI Interface on port 27499. The manipulation of the argument troiaCode with an iasCtiRunCodeEvent containing a RUNPROGRAM statement leads to OS command injection. The attack may be initiated remotely. A valid session is required, which is obtainable without authentication via a related unauthenticated session enumeration issue. The RUNPROGRAM statement passes its argument directly to
Runtime.getRuntime().exec() on the server host without any command validation, allowlist, or sandboxing. No role-based access control is enforced; automated CRONJOB sessions and regular user sessions alike can trigger unrestricted command execution. Exploitation has been demonstrated: issuing RUNPROGRAM 'cmd.exe /c whoami' WITH WAIT; returns the server hostname and service account name, confirming unrestricted OS command
execution on the host. When chained with the companion unauthenticated GETUSERLIST and session hijacking issues, a fully unauthenticated remote attacker achieves complete Remote Code Execution with no prior credentials.
Discovered by Bilal Güneş (@b1lal) of HawkTrace. |
|---|
| Nguồn | ⚠️ https://gist.github.com/0xb1lal/6ccc2356e7e0a26f7b8a6bd6f0d84bbb |
|---|
| Người dùng | b1lal (UID 97312) |
|---|
| Đệ trình | 20/04/2026 17:41 (cách đây 2 các tháng) |
|---|
| Kiểm duyệt | 09/05/2026 09:19 (19 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 362434 [Industrial Application Software IAS Canias ERP 8.03 RMI Interface Runtime.getRuntime.exec troiaCode nâng cao đặc quyền] |
|---|
| điểm | 20 |
|---|