CVE-2018-7777
Published 2018-07-03
Priority: P272 high · CVSS 3.0: 8.8
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 31.80% (98.1th percentile)
The vulnerability is due to insufficient handling of update_file request parameter on update_module.php in Schneider Electric U.motion Builder software versions prior to v1.3.4. A remote, authenticated attacker can exploit this vulnerability by sending a crafted request to the target server.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| schneider-electric | u.motion_builder | < 1.3.4 | 1.3.4 |
| schneider_electric_se | u.motion | — | — |
Detection & IOCs
- bytes: \x1f\x8b
- Detect POST requests to /umotion/modules/system/update_module.php where the multipart filename field (update_file) contains semicolons, indicating command injection via the filename parameter.
- Look for the multipart boundary string '----------lImIt_of_THE_fIle_eW_$' in HTTP request bodies, which is a static indicator used by the public exploit.
- Monitor for the X-Requested-With: XMLHttpRequest header combined with a POST to update_module.php and a multipart/form-data body containing 'choose_update_mode=MANUAL' and 'step=2'.
- Alert on HTTP requests to /umotion/modules/system/externalframe.php used as the Referer header alongside exploitation of update_module.php.
- Detect reverse shell attempts originating from the U.Motion server process on port 4444, consistent with 'nc -e $SHELL' payload delivery.
- The exploit regex pattern for cookie extraction is 'PHPSESSID=(.{26});.*loginSeed=(.{32})'; monitor for both cookies being set simultaneously as a login indicator before exploitation.
- The vulnerability requires authentication; the attacker must first obtain valid credentials and log in via user_login.php before exploiting update_module.php.
- The exploit targets versions prior to v1.3.4; the exploit title references 1.3.4 but the NVD description clarifies the vulnerable range is versions *prior to* v1.3.4.
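The HTTP-level indicators in the list above can be combined into one check over parsed proxy or WAF records. The following is an added example, not code from the advisory or from any vendor tool; the function names, the indicator labels, the sample requests and the 192.0.2.10 address are constructed for illustration, and the multipart parsing assumes simple text fields.

```python
import re

TARGET = "/umotion/modules/system/update_module.php"
STATIC_BOUNDARY = "----------lImIt_of_THE_fIle_eW_$"
FILENAME_RE = re.compile(r'name="update_file";\s*filename="([^"]*)"', re.I)
FIELD_RE = re.compile(r'name="(\w+)"\r\n\r\n([^\r\n]*)')  # simple text fields only

def indicators(method, path, headers, body):
    """Return the names of the page's HTTP indicators matched by one request."""
    if method.upper() != "POST" or path.split("?")[0] != TARGET:
        return []
    hdr = {k.lower(): v for k, v in headers.items()}
    fields = dict(FIELD_RE.findall(body))
    hits = []
    m = FILENAME_RE.search(body)
    if m and ";" in m.group(1):
        hits.append("semicolon_in_update_file_filename")
    if STATIC_BOUNDARY in hdr.get("content-type", ""):
        hits.append("static_exploit_boundary")
    if (hdr.get("x-requested-with") == "XMLHttpRequest"
            and fields.get("choose_update_mode") == "MANUAL"
            and fields.get("step") == "2"):
        hits.append("xhr_manual_update_step2")
    if "/umotion/modules/system/externalframe.php" in hdr.get("referer", ""):
        hits.append("externalframe_referer")
    return hits

def sample_request(boundary, filename, extra_headers):
    """Build a constructed request tuple; the file content is a placeholder."""
    parts = [
        'Content-Disposition: form-data; name="choose_update_mode"\r\n\r\nMANUAL',
        'Content-Disposition: form-data; name="step"\r\n\r\n2',
        f'Content-Disposition: form-data; name="update_file"; filename="{filename}"\r\n'
        "Content-Type: application/gzip\r\n\r\nPLACEHOLDER",
    ]
    body = "".join(f"--{boundary}\r\n{p}\r\n" for p in parts) + f"--{boundary}--\r\n"
    headers = {"Content-Type": f"multipart/form-data; boundary={boundary}", **extra_headers}
    return ("POST", TARGET, headers, body)

# Constructed samples: one carrying every indicator, one ordinary-looking upload.
SUSPICIOUS = sample_request(STATIC_BOUNDARY, "update;PLACEHOLDER;.tar.gz", {
    "X-Requested-With": "XMLHttpRequest",
    "Referer": "http://192.0.2.10/umotion/modules/system/externalframe.php"})
BENIGN = sample_request("----ConstructedBoundary", "update.tar.gz", {})

if __name__ == "__main__":
    for name, req in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, indicators(*req))
```

The static boundary only identifies the unmodified public exploit, so the semicolon check on the update_file filename is the indicator to prioritise when tuning alerts.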
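CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |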
GHSA
GHSA-w7gw-jv4v-mw2x: The vulnerability is due to insufficient handling of update_file request parameter on update_module
ghsa_unreviewed · 2022-05-13
CVE-2018-7777 [HIGH] CWE-20
CISA ICS
Schneider Electric U.motion Builder (Update A)
cisa_ics · 2017-06-29 · CVSS 9.8 [CRITICAL]
ICS Advisory
## Schneider Electric U.motion Builder (Update A)
Last Revised: January 08, 2019
Alert Code: ICSA-17-180-02
## 1. EXECUTIVE SUMMARY
- CVSS v3 10.0
- ATTENTION: Remotely exploitable/low skill level to exploit. Public exploits are available.
- Vendor: Schneider Electric
- Equipment: U.motion Builder
--------- Begin Update A Part 1 of 5 --------
- Vulnerabilities: SQL Injection, Path Traversal, Improper Authentication, Use of Hard-Coded Password, Improper Access Control, Denial of Service, Information Disclosure, Improper Input Validation, Improper Control of Generation of Code
----
- http://packetstormsecurity.com/files/156184/Schneider-Electric-U.Motion-Builder-1.3.4-Command-Injection.html
- https://www.schneider-electric.com/en/download/document/SEVD-2018-095-01/