CVE-2019-10123
Published 2019-05-31
Priority P1 (79) · critical · CVSS 3.0 base score 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 65.85% (99.2th percentile)
SQL Injection in Advanced InfoData Systems (AIS) ESEL-Server 67 (which is the backend for the AIS logistics mobile app) allows an anonymous attacker to execute arbitrary code in the context of the user of the MSSQL database. The default user for the database is the 'sa' user.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ais | logistic_software | <= 67 | — |
Detection & IOCs (extracted from sources)
Login message byte layout (fields separated by 0xFF):
\xFF + 000000 + \xFF + 20180810213226 + \xFF + 01 + \xFF + 60 + \xFF + 02 + \xFF + 1111 + \xFF + <pw> + \xFF + AAAAA + \xFF + 120
Detection:
- Monitor TCP traffic to/from port 5099 (and 5100) for login messages containing the 0xFF delimiter pattern with embedded SQL injection payloads (e.g., a single quote followed by SQL keywords such as OR, EXEC, xp_cmdshell).
- Alert on xp_cmdshell enablement and execution attempts originating from the ESEL server process or the MSSQL 'sa' user context, as the exploit explicitly enables and calls xp_cmdshell to achieve RCE.
- Look for payload executables dropped in the %TEMP% folder of the user running the ESEL server, as the exploit leaves a payload executable behind after execution.
- Detect wcsript.exe (note: likely a typo for wscript.exe) spawned as a child of the MSSQL or ESEL server process, as the VBS CmdStager uses it to reconstruct and execute the payload.
- The ESEL login protocol uses 0xFF as a field delimiter with a fixed structure including the literal timestamp '20180810213226' and the fields '000000', '01', '60', '02', '1111', 'AAAAA' and '120'. Network signatures matching this structure on port 5099 can identify ESEL traffic for deeper inspection.
Notes:
- The exploit targets the default 'sa' MSSQL user. If the ESEL server has been configured to use a lower-privileged database account, xp_cmdshell enablement and OS command execution may fail, reducing the impact of exploitation.
- The module was verified on ESEL-Server version 67 but is expected to work on lower versions as well. A fixed version was released by AIS in September 2017, but many systems remain unpatched.
- The CmdStager flavor is VBS ('wcsript.exe'), so endpoint defenses that block or monitor wscript.exe/VBScript execution will interrupt the payload delivery chain.
- The protocol imposes no maximum data size limit, so arbitrarily large payloads can be sent in a single login message without fragmentation constraints.
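The login layout and the network detection points listed above, as an added example that is not code from the page's sources, the AIS product or the Metasploit module: it builds messages in the quoted 0xFF-delimited layout, parses captured payloads back into their fields, and flags a password field carrying SQL-injection markers. Two assumptions are mine and not stated on the page: that the <pw> slot is the field the server interpolates into its SQL query, and that a payload counts as ESEL-shaped only when every fixed field matches exactly. The sample payloads are constructed, not captured from a real server.

```python
"""
Parser and detector for ESEL-style login messages (added example).

Not code from the AIS product, the Metasploit module or the page's sources.
Field layout follows the 0xFF-delimited pattern quoted above. Assumptions:
the <pw> slot (7th field) is the one interpolated into SQL, and a message
is ESEL-shaped only if every fixed field matches exactly.
"""
import re

DELIM = b"\xff"
PW_INDEX = 6  # 0-based position of <pw> after the leading delimiter

# Fixed fields from the page's pattern; index 6 is the variable <pw> slot.
EXPECTED = {
    0: b"000000",
    1: b"20180810213226",
    2: b"01",
    3: b"60",
    4: b"02",
    5: b"1111",
    7: b"AAAAA",
    8: b"120",
}

# A quote that closes the SQL string literal, then a T-SQL keyword,
# stored procedure, statement separator or comment marker.
SQLI_RE = re.compile(
    rb"'.*?(?:\bor\b|\bunion\b|\bexec(?:ute)?\b|xp_cmdshell|sp_configure|;|--)",
    re.IGNORECASE | re.DOTALL,
)


def build_login(password: bytes) -> bytes:
    """Assemble a login message with the fixed fields around `password`."""
    fields = [EXPECTED.get(i, password) for i in range(9)]
    return DELIM + DELIM.join(fields)


def parse_login(msg: bytes):
    """Return the 9 fields of an ESEL-shaped login message, else None.

    The password may itself contain 0xFF (the protocol imposes no size or
    content limit), so split six fields from the left and two from the
    right and treat whatever is left in the middle as <pw>.
    """
    if not msg.startswith(DELIM):
        return None
    head = msg[1:].split(DELIM, 6)      # fields 0..5 + remainder
    if len(head) != 7:
        return None
    tail = head[6].rsplit(DELIM, 2)     # <pw>, AAAAA, 120
    if len(tail) != 3:
        return None
    fields = head[:6] + tail
    if any(fields[i] != v for i, v in EXPECTED.items()):
        return None
    return fields


def classify(msg: bytes) -> str:
    """Verdict for one TCP payload: 'not-esel', 'esel-login' or 'esel-sqli'."""
    fields = parse_login(msg)
    if fields is None:
        return "not-esel"
    if SQLI_RE.search(fields[PW_INDEX]):
        return "esel-sqli"
    return "esel-login"


# Constructed sample payloads (not captured from a real server).
BENIGN = build_login(b"s3cret")
INJECTED = build_login(
    b"'; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; "
    b"EXEC xp_cmdshell 'whoami'--"
)
NOISE = b"\x00\x01GET / HTTP/1.0\r\n"

if __name__ == "__main__":
    for name, payload in (("benign", BENIGN), ("injected", INJECTED), ("noise", NOISE)):
        print(f"{name:9s} -> {classify(payload)}")
```

In a capture pipeline, feed each TCP payload sent to port 5099 into classify(). The password-field check is a heuristic (a legitimate password containing a quote followed by "or" would trip it), so treat an 'esel-sqli' verdict as a trigger for inspection and for correlating with xp_cmdshell activity on the database host rather than as a sole blocking rule.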
CVSS provenance
- NVD CVSS v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Suricata
GPL IMAP login buffer overflow attempt (suricata · 2010-09-23 · CVE-1999-0005)
Note: this rule is indexed here only because it carries the reference 'nessus,10123'. It matches oversized IMAP LOGIN commands on port 143 (CVE-1999-0005 and related IMAP overflows) and does not detect ESEL-Server traffic or CVE-2019-10123.
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP login buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; isdataat:100,relative; pcre:"/\sLOGIN\s[^\n]{100}/smi"; reference:bugtraq,13727; reference:bugtraq,502; reference:cve,1999-0005; reference:cve,1999-1557; reference:cve,2005-1255; reference:nessus,10123; reference:cve,2007-2795; reference:nessus,10125; classtype:attempted-user; sid:2101842; rev:16; metadata:created_at 2010_09_23, cve CVE_1999_0005, confidence High, signature_severity Major, updated_at 2019_07_26;)
Exploit-DB
AIS logistics ESEL-Server - Unauthenticated SQL Injection Remote Code Execution (Metasploit)
exploitdb · 2019-04-30 · CVE-2019-10123
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  # (rank, mixins and the initialize/update_info header were lost in extraction)
      'Name'        => 'AIS logistics ESEL-Server Unauth SQL Injection RCE',
      'Description' => %q{
        This module will execute an arbitrary payload on an "ESEL" server used by the
        AIS logistic software. The server typically listens on port 5099 without TLS.
        There could also be server listening on 5100 with TLS but the port 5099 is
        usually always open.
        The login process is vulnerable to an SQL Injection. Usually a MSSQL Server
        with the 'sa' user is in place.
        This module was verified on version 67 but it should also run on lower versions.
        An fixed version was c
```
(excerpt truncated in the source listing; the full module description appears under Metasploit below)
Metasploit
AIS logistics ESEL-Server Unauth SQL Injection RCE (metasploit)
This module will execute an arbitrary payload on an "ESEL" server used by the AIS logistic software. The server typically listens on port 5099 without TLS. There could also be a server listening on 5100 with TLS, but the port 5099 is usually always open. The login process is vulnerable to an SQL Injection. Usually a MSSQL Server with the 'sa' user is in place. This module was verified on version 67 but it should also run on lower versions. A fixed version was created by AIS in September 2017. However, most systems have not been updated. In regard to the payload, unless there is a closed port in the web server, you don't want to use any "bind" payload. You want a "reverse" payload, probably to your port 80 or to any other outbound port allowed
No writeups or analysis indexed.