Submission #808238: Industrial Application Software - IAS Canias ERP 8.03 - Information Disclosure

Title: Industrial Application Software - IAS Canias ERP 8.03 - Information Disclosure
Description: A vulnerability classified as high was found in Industrial Application Software caniasERP 8.03. It affects the doAction function of the Java RMI interface (default TCP port 27499): passing an empty string as the sessionId argument leads to unauthenticated information disclosure. The attack can be initiated remotely without any form of authentication and requires no user interaction.

Successful exploitation allows an unauthenticated remote attacker to retrieve the complete list of active user sessions by sending a crafted iasGetUserListEvent request. The server response discloses session IDs (e.g. CRONJOB_76C9505836), usernames, client types (JAVA, WEB, CRONJOB), login timestamps and client IP addresses, without any authentication check. The disclosed session IDs can be used directly for session hijacking, which enables a complete pre-authentication Remote Code Execution (RCE) attack chain.

The vulnerability was identified by reverse engineering the caniasERP client JAR files. These JARs are publicly distributed through the application's JNLP launch endpoint (caniasout.jnlp), which is reachable over HTTP without credentials. Decompiling them revealed the RMI binding name format (XXXXXXXXS2OUT), the structure of the relevant event and response classes, and the absence of any server-side authentication check in the GETUSERLIST handler. No unauthorized access to any production system was required to discover or demonstrate this vulnerability.
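The missing check, as an added example that is not part of the submission or of caniasERP's own code: a Python model of an RMI-style doAction dispatcher whose GETUSERLIST handler never consults sessionId (so an empty string works), placed beside a hardened dispatcher that resolves the caller's session first, restricts the event, and strips other users' session IDs from the reply. All class, function and field names, the session-ID format, the 30-minute idle timeout and the three sample sessions are assumptions made for illustration.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
import secrets

# Constructed model: names, ID format, timeout and sample sessions are
# assumptions for illustration, not caniasERP's implementation.


@dataclass
class Session:
    session_id: str
    username: str
    client_type: str        # JAVA, WEB or CRONJOB, as listed in the description
    login_time: datetime
    client_ip: str
    last_seen: datetime
    is_admin: bool = False


class FakeClock:
    """Injectable clock so idle expiry can be exercised deterministically."""
    def __init__(self, start):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, minutes):
        self.now += timedelta(minutes=minutes)


class SessionRegistry:
    def __init__(self, clock, idle_timeout=timedelta(minutes=30)):
        self._sessions = {}
        self._clock = clock
        self.idle_timeout = idle_timeout

    def create(self, username, client_type, client_ip, is_admin=False):
        # 128 bits of randomness: lookup() is only as strong as the ID is unguessable.
        sid = f"{client_type}_{secrets.token_hex(16).upper()}"
        now = self._clock()
        self._sessions[sid] = Session(sid, username, client_type, now, client_ip, now, is_admin)
        return sid

    def all_sessions(self):
        return list(self._sessions.values())

    def lookup(self, session_id):
        """Live session for session_id, or None if it is empty, unknown or idle-expired."""
        if not session_id:              # "" must never resolve to a session
            return None
        s = self._sessions.get(session_id)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > self.idle_timeout:
            del self._sessions[session_id]
            return None
        s.last_seen = now
        return s


def do_action_vulnerable(registry, session_id, event):
    """Dispatches on the event only. session_id is never consulted, so an empty
    string is as good as a real session, and the reply carries every live
    session ID, i.e. the bearer token an attacker needs to hijack a session."""
    if event == "GETUSERLIST":
        return [asdict(s) for s in registry.all_sessions()]
    raise ValueError(f"unknown event {event!r}")


def do_action_hardened(registry, session_id, event):
    """Resolve the caller first, authorise the event second, and never hand
    other users' session IDs to anyone, administrators included."""
    caller = registry.lookup(session_id)
    if caller is None:
        raise PermissionError("doAction requires a valid session")
    if event == "GETUSERLIST":
        if not caller.is_admin:
            raise PermissionError("GETUSERLIST is restricted to administrators")
        return [{"username": s.username, "client_type": s.client_type,
                 "login_time": s.login_time.isoformat(), "client_ip": s.client_ip}
                for s in registry.all_sessions()]
    raise ValueError(f"unknown event {event!r}")


def demo_registry():
    """Three constructed sessions mirroring the client types in the description."""
    clock = FakeClock(datetime(2026, 4, 20, 16, 32, tzinfo=timezone.utc))
    reg = SessionRegistry(clock)
    sids = {"cron": reg.create("batch", "CRONJOB", "10.0.0.5"),
            "admin": reg.create("admin", "JAVA", "10.0.0.9", is_admin=True),
            "alice": reg.create("alice", "WEB", "10.0.0.7")}
    return reg, clock, sids


if __name__ == "__main__":
    reg, clock, sids = demo_registry()
    print("vulnerable, sessionId='':", [e["session_id"] for e in do_action_vulnerable(reg, "", "GETUSERLIST")])
    for sid in ("", sids["alice"], sids["admin"]):
        try:
            print("hardened:", do_action_hardened(reg, sid, "GETUSERLIST"))
        except PermissionError as exc:
            print("hardened:", exc)
```

The hardened version makes two separate decisions that the vulnerable one skips: whether the caller has a live session at all (rejecting the empty string, unknown IDs and idle-expired sessions), and whether that caller may run this event. It also treats session IDs as credentials in their own right, so even a legitimate administrator listing gets usernames, client types, timestamps and IPs but no IDs to replay.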
Source: https://gist.github.com/0xb1lal/3ef872a445310c5866d07d6a5b1803fa
User: b1lal (UID 97312)
Submitted: 2026-04-20 16:32 (2 months ago)
Moderated: 2026-05-09 09:19 (19 days later)
Status: Accepted
VulDB entry: 362431 [Industrial Application Software IAS Canias ERP 8.03 RMI Interface doAction sessionId weak authentication]
Points: 20
