CVE-2023-1133
Rating: High
Description
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contain a vulnerability in which the Device-status service listens on port 10100/UDP by default. The service accepts unverified UDP packets and deserializes their content, which could allow an unauthenticated attacker to remotely execute arbitrary code.
Ratings
- Attacker Value: High
- Exploitability: Very High
Technical Analysis
Rating this vulnerability as high value given the ease of exploitation. The Device-Gateway-Status process accepts UDP packets without authentication and deserializes their contents, leading to RCE.
The .NET deserialization vulnerability occurs at the initial processing of UDP packets in the method ParseUDPPacket(). The method first checks that the first byte of the packet is 1, and then determines the length of the packet from the second and third bytes. It then reads all of the content following the first three bytes into an array and calls InfraSuiteManager.Common.Serialization.DeSerializeBinary() with that array. If DeSerializeBinary() succeeds, the deserialized contents are assigned to the sPacketData.sHeader field.
The DeSerializeBinary() method calls BinaryFormatter.Deserialize() on the packet header, allowing for code execution.
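The packet layout above (type byte 1, big-endian 16-bit length, then the body that reaches BinaryFormatter.Deserialize()) is simple enough to check on the wire. The following is an added example, not code from the assessment or from Delta Electronics: it parses a Device-status datagram and flags bodies that begin with a .NET BinaryFormatter (MS-NRBF) serialization header, which is what a monitoring pipeline would want to alert on when such traffic arrives from an unexpected source. The allowed-source list and the sample datagrams are constructed for the example.

```ruby
# Added example: parse the Device-status UDP packet layout and flag
# datagrams whose body is a .NET BinaryFormatter (MS-NRBF) stream.

# MS-NRBF SerializationHeaderRecord as BinaryFormatter emits it:
# RecordTypeEnum 0x00, RootId 1, HeaderId -1, MajorVersion 1, MinorVersion 0.
NRBF_HEADER = "\x00\x01\x00\x00\x00\xFF\xFF\xFF\xFF\x01\x00\x00\x00\x00\x00\x00\x00".b

# Split one datagram into its fields. Returns nil when it does not match the
# layout ParseUDPPacket() expects (first byte 1, big-endian length, body after
# the three-byte header).
def parse_device_status_packet(datagram)
  data = datagram.b
  return nil if data.bytesize < 3 || data.getbyte(0) != 0x01
  declared_len = data.byteslice(1, 2).unpack1('n')
  body = data.byteslice(3, declared_len) || ''.b
  {
    declared_length: declared_len,
    actual_length: data.bytesize - 3,
    body: body,
    nrbf: body.start_with?(NRBF_HEADER)
  }
end

# Classify a datagram for alerting. A Device-status packet whose header field
# is an NRBF stream is exactly what BinaryFormatter.Deserialize() will consume,
# so one from outside the expected management hosts deserves an alert.
# allowed_sources is an assumed allow-list of management host IPs.
def classify_device_status_packet(datagram, src_ip, allowed_sources)
  parsed = parse_device_status_packet(datagram)
  return :not_device_status if parsed.nil?
  return :untrusted_source_nrbf if parsed[:nrbf] && !allowed_sources.include?(src_ip)
  return :trusted_source_nrbf if parsed[:nrbf]
  :device_status_other
end

# Constructed sample datagrams (not captured traffic). The NRBF body is only a
# header record followed by a MessageEnd record (0x0B); it carries no objects.
SAMPLE_NRBF_BODY = NRBF_HEADER + "\x0B".b
SAMPLE_NRBF_PACKET = "\x01".b + [SAMPLE_NRBF_BODY.bytesize].pack('n') + SAMPLE_NRBF_BODY
SAMPLE_OTHER_PACKET = "\x01\x00\x04abcd".b
SAMPLE_NOISE = "\x02\x00\x01x".b

if __FILE__ == $PROGRAM_NAME
  allowed = ['10.0.0.5']
  puts classify_device_status_packet(SAMPLE_NRBF_PACKET, '192.0.2.10', allowed)
  puts classify_device_status_packet(SAMPLE_NRBF_PACKET, '10.0.0.5', allowed)
end
```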
Sending a UDP packet with just the packet header is valid and will be deserialized, so exploitation is as simple as sending the following over a UDPSocket in Ruby:
"\x01#{[ payload.length ].pack('n')}#{payload}"
The following ysoserial.net gadget chains work against version 01.00.00d of the software:
- ClaimsIdentity
- ClaimsPrincipal
- RolePrincipal
- SessionViewStateHistoryItem
- WindowsIdentity
One caveat of exploitation is that it spawns a cmd window. Still encourage prioritizing a patch for this one.
General Information
Vendors
- deltaww
Products
- infrasuite device master