CVE-2018-11311 PoC — mySCADA myPRO Security Vulnerability

Associated Vulnerability
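Title: mySCADA myPRO Security Vulnerability (CVE-2018-11311)
Description: mySCADA myPRO is an industrial visualization and control system from mySCADA Technologies of the Czech Republic. The 'myscadagate.exe' file in mySCADA myPRO version 7 contains a security vulnerability that stems from the program's use of a hardcoded FTP account (username: myscada, password: Vikuk63). A remote attacker can use this FTP account to access the FTP server on port 2121 and upload files or list directories.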
Description
CVE-2018-11311 | mySCADA myPRO 7 Hardcoded FTP Username and Password Vulnerability
Readme
# mySCADA myPRO 7 Hardcoded Credentials
# CVE-2018-11311

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11311

https://www.exploit-db.com/exploits/44656/

http://myscada.org/wp-content/uploads/downloads/BOXv7/changelog.txt

```
Changelog v7.0.46
-----------------
- fix of possible vulnerability as described here https://vuldb.com/?id.118038
  - This release disables download of project using FTP protocol. The download is performed over secure SSL channel now. 
  - You don't have to do anything to activate this, it is done automatically. After the installation restart your system TWICE please. 
- minor bug fixes - speed optimisation  
```


# I. Background
myPRO is a professional HMI/SCADA system designed primarily for the visualisation and control of industrial processes. myPRO is an effective and innovative solution for any industry that needs to be under non-stop operation. myPRO guarantees reliable supervision, a user-friendly interface and superior security.
It supports Windows OS (32/64-bit), Mac OS X and Linux (32/64-bit) platforms.
(more: https://www.myscada.org/mypro/)

# II. Problem Description
In the latest version of myPRO (v7), reverse engineering revealed that the username and password of the FTP server running on port 2121 are kept in the file. Anyone who connects to the FTP server with this authorized account can upload or download files on the server running myPRO software.

# III. Technical
First, I found out which ports myPRO listens on. You can use the netstat command to get information about the ports and the services running on them. As you can see from the pictures, when you install myPRO, you can see many ports open. The vulnerability works on all supported platforms.

## (username:password) = (myscada:Vikuk63)

![alt tag](https://emreovunc.com/images/mySCADA_myPRO/open-ports.png)

![alt tag](https://emreovunc.com/images/mySCADA_myPRO/netstat-1.png)

![alt tag](https://emreovunc.com/images/mySCADA_myPRO/netstat-2.png)

In my first research on the Windows OS, myPRO has many processes, and I noticed that 'myscadagate.exe' is listening on port 2121. Port 2121 is important because it could be an FTP service.

![alt tag](https://emreovunc.com/images/mySCADA_myPRO/windows-processes.png)

![alt tag](https://emreovunc.com/images/mySCADA_myPRO/port-2121.png)

As you can see from the picture below, I found that they put the username and password (myscada:Vikuk63) in the source code. I obtained access by connecting to port 2121 of myPRO's server with any FTP client.

![alt tag](https://emreovunc.com/images/mySCADA_myPRO/username&password.png)

![alt tag](https://emreovunc.com/images/mySCADA_myPRO/file-upload-2.png)

![alt tag](https://emreovunc.com/images/mySCADA_myPRO/file-upload.png)

# IV. Solution
As a workaround, you need to restrict access to port 2121 from the outside. There is no permanent solution from the vendor because there is no patch available.
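
One way to check the workaround on a host, as an added example that is not part of the original README: the script parses `netstat -ano` style output and reports listeners on port 2121 bound to non-loopback addresses, plus established sessions from remote peers. The sample output, PID and addresses are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in the layout of Windows `netstat -ano` output (not from the page).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:2121           0.0.0.0:0              LISTENING       3120
  TCP    127.0.0.1:5432         0.0.0.0:0              LISTENING       2210
  TCP    [::]:2121              [::]:0                 LISTENING       3120
  TCP    192.168.10.5:2121      192.168.10.77:50412    ESTABLISHED     3120
"""

FTP_PORT = 2121  # port the page identifies as the myscadagate.exe FTP service

# Proto, local addr:port, foreign addr:port, state, PID
LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s+(\S+)\s+(\d+)\s*$")


def _addr(text):
    """Parse an IPv4 or bracketed IPv6 address, dropping any %scope suffix."""
    return ipaddress.ip_address(text.strip("[]").split("%")[0])


def audit(netstat_text, port=FTP_PORT):
    """Return (kind, address, pid) findings for the given local port."""
    findings = []
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header, UDP or malformed line
        local, lport, remote, _rport, state, pid = m.groups()
        if int(lport) != port:
            continue
        if state == "LISTENING" and not _addr(local).is_loopback:
            # Bound to a routable or wildcard address: reachable from the network
            findings.append(("exposed-listener", local, int(pid)))
        elif state == "ESTABLISHED" and not _addr(remote).is_loopback:
            # A non-local peer is currently connected to the FTP service
            findings.append(("remote-session", remote, int(pid)))
    return findings


if __name__ == "__main__":
    for kind, address, pid in audit(SAMPLE_NETSTAT):
        print(f"{kind}: {address} (pid {pid})")
```

An empty result on real `netstat -ano` output only shows the local binding state; whether a firewall blocks port 2121 from outside still has to be confirmed from the network side.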

File Snapshot

```
[4.0K] /data/pocs/f3ffb38b2cd8c5ee0fff150088dedb651592774e
├── [2.9K] README.md
└── [ 16] username-password.txt

0 directories, 2 files
```