Associated Vulnerability
Title: Sage X3 AdxAdmin Unauthenticated Command Execution Bypass by Spoofing (CVE-2020-7388)
Description: Sage X3 Unauthenticated Remote Command Execution (RCE) as SYSTEM in the AdxDSrv.exe component. By editing the client-side authentication request, an attacker can bypass credential validation. While exploiting this does require knowledge of the installation path, that information can be learned by exploiting CVE-2020-7387. This issue was fixed in AdxAdmin 93.2.53, which ships with updates for on-premises versions of Sage X3 including Version 9 (components shipped with Syracuse 9.22.7.2 and later), Sage X3 HR & Payroll Version 9 (those components that ship with Syracuse 9.24.1.3), Version 11 (components shipped with Syracuse 11.25.2.6 and later), and Version 12 (components shipped with Syracuse 12.10.2.8 and later) of Sage X3. Other on-premises versions of Sage X3 are unsupported by the vendor.
Description
Proof of concept exploit code for CVE-2020-7388, an unauthenticated RCE as SYSTEM on Sage X3's AdxDSrv Service
Readme
# sagex3-cve-2020-7388-poc
Proof of concept exploit code for CVE-2020-7388, an unauthenticated RCE as SYSTEM on Sage X3's AdxDSrv Service
## Overview
Sage X3 exposes an administrative service on TCP port 1818 (the default, but changeable) under the process "AdxDSrv.exe", part of the AdxAdmin component. This service is used for remote administration of the Sage ERP solution through the Sage X3 Console. A vulnerability within the service allows a malicious actor to craft a request to the exposed service that executes commands on the server as the "NT AUTHORITY\SYSTEM" user.
A detailed exploit write-up can be found in our original publication on Rapid7's blog: https://www.rapid7.com/blog/post/2021/07/07/cve-2020-7387-7390-multiple-sage-x3-vulnerabilities/
## Exploit details
AdxDSrv runs on TCP port 1818 by default and is listed as an unknown service by Nmap. This repository contains two NSE scripts: one to identify the AdxDSrv service itself and one to identify vulnerable instances of it.
`python3 adxsrv_bypass.py --cmd <command to run as SYSTEM> --ip <remote target> --port <port of AdxDSrv service>`
### Crude PoC warning
Note: this is a rough PoC, sending byte streams in a specific order, and might need adjustments. Our limited time with access to the software prevented fine-tuning the exploits. If you encounter a vulnerable instance and fix up the PoC, please submit a PR! Or if you're trying to fix it up and want to collaborate, feel free to reach out.
## Credits
During a network penetration test in 2020, Cale Black identified new vulnerabilities in the web admin panel of Sage's X3 ERP. This prompted further investigation into the application by Jonathan Peterson (@deadjakk), Aaron Herndon (@ac3lives), Cale Black, Ryan Villarreal (@XjCrazy09) and William Vu. We dove in and identified the AdxDSrv custom Sage X3 service, which was used for remote administration. After some reversing and fuzzing, we landed with four CVEs, one being a CVSS 10 unauthenticated remote code execution. Major shoutout to the heavyweight lifter here, @deadjakk, for a lot of the reversing and initial PoC mockups.
File Snapshot
[4.0K] /data/pocs/db20438efdb12cf5a4f53bf6d1cdf6eb16824cbc
├── [7.8K] adxsrv_bypass.py
├── [2.0K] README.md
├── [ 951] x3-adxsrv.nse
└── [1.3K] x3-adxsrv-vuln.nse
0 directories, 4 files