Industrial Application Software Canias ERP OS Command Injection Vulnerability in RMI Interface
Vulnerability
A command injection vulnerability has been identified in Industrial Application Software Canias ERP version 8.03. The issue arises in the RMI interface component, specifically within the 'Runtime.getRuntime().exec()' function. By manipulating the 'troiaCode' argument, an attacker can inject operating system commands, leading to unauthorized command execution. This vulnerability can be exploited remotely, and a proof-of-concept exploit has been made public.
Impact
Exploitation of this vulnerability allows for unauthenticated remote code execution on the server, with the executed commands running under the privileges of the Canias ERP service account.
Reproduction
The vulnerability can be reproduced by sending a request to the RMI interface 'iasServerRemoteInterface.doAction()' with a crafted 'troiaCode' argument that includes the desired OS command. This can be done using a Java application that connects to the RMI registry on the default port 27499, hijacks an active session, and executes the command injection payload. The output of the executed commands can be read back through a file transfer mechanism provided by the application.
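The chain described above leaves two observable traces: a connection to the RMI port and a process started by the ERP service. The following detection sketch is an added example, not part of the original advisory or the vendor's code. The service account name, the client subnet, the event field names and the 30-second window are assumptions, and the events are constructed samples.

```python
import ipaddress
from datetime import datetime, timedelta

RMI_PORT = 27499                       # default RMI registry port named in the advisory
SERVICE_USER = "svc_canias"            # assumption: placeholder ERP service account
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # assumption: ERP client subnet
INTERPRETERS = {"cmd.exe", "powershell.exe", "sh", "bash"}
WINDOW = timedelta(seconds=30)         # assumption: correlation window

# Constructed sample events (not real telemetry); field names are hypothetical.
CONNECTIONS = [
    {"ts": "2024-01-10T09:00:01", "src": "10.20.0.15", "dport": 27499},
    {"ts": "2024-01-10T09:14:40", "src": "192.0.2.77", "dport": 27499},
    {"ts": "2024-01-10T09:14:41", "src": "192.0.2.77", "dport": 443},
]
PROCESSES = [
    {"ts": "2024-01-10T09:00:05", "user": "svc_canias", "parent": "java.exe", "image": "java.exe"},
    {"ts": "2024-01-10T09:14:52", "user": "svc_canias", "parent": "java.exe", "image": "cmd.exe"},
    {"ts": "2024-01-10T09:20:00", "user": "alice", "parent": "explorer.exe", "image": "cmd.exe"},
]

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def untrusted_rmi_connections(conns):
    """Connections to the RMI port from sources outside the allowlist."""
    return [c for c in conns if c["dport"] == RMI_PORT and not any(
        ipaddress.ip_address(c["src"]) in net for net in ALLOWED_NETS)]

def suspicious_spawns(procs):
    """Command interpreters started by the ERP service's Java process."""
    return [p for p in procs
            if p["user"] == SERVICE_USER
            and p["parent"].lower().startswith("java")
            and p["image"].lower() in INTERPRETERS]

def correlate(conns, procs):
    """Pair each suspicious spawn with untrusted RMI connections shortly before it."""
    rmi = untrusted_rmi_connections(conns)
    alerts = []
    for p in suspicious_spawns(procs):
        near = [c["src"] for c in rmi if timedelta(0) <= _ts(p) - _ts(c) <= WINDOW]
        alerts.append({"ts": p["ts"], "image": p["image"], "rmi_sources": near,
                       "severity": "high" if near else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in correlate(CONNECTIONS, PROCESSES):
        print(alert)
```

A spawn with no matching connection is still reported at medium severity, since network logging may be incomplete.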
