
Kingdee ERP Remote Code Execution (RCE) Scanner

Detects 'Remote Code Execution (RCE)' vulnerability in Kingdee ERP.

Short Info


Level: Critical
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 5 days 1 hour
Scan only one: Domain, Subdomain, IPv4


Kingdee ERP is a prominent enterprise resource planning software used by businesses worldwide for optimizing and managing day-to-day business activities such as accounting, procurement, project management, and supply chain operations. Organizations use Kingdee ERP to integrate various business functions into a unified system, thereby improving workflow and data accuracy. The primary function of Kingdee ERP is to facilitate finance and human resources operations while ensuring data consistency across departments. Due to its wide adoption in different industries, Kingdee ERP serves a critical role in helping businesses streamline operations. The software is favored for its capabilities in supporting business process customization and scalability to fit company-specific needs. Its comprehensive features attract small and large enterprises alike, who rely on it for maintaining efficient business processes.

The vulnerability detected in Kingdee ERP pertains to Remote Code Execution (RCE), which is a serious threat allowing attackers to execute arbitrary commands on a remote server. Through this vulnerability, unauthorized users can gain control over the application's environment and manipulate system operations. Remote Code Execution vulnerabilities are high-severity due to their potential impact on both data confidentiality and system integrity. They exploit weaknesses in application input validation, making systems susceptible to control by external, unauthorized entities. The existence of such vulnerabilities in ERP systems can lead to unauthorized access to sensitive business data, resulting in severe financial and operational repercussions. Detecting and addressing these vulnerabilities is essential for maintaining robust security within any organization's IT infrastructure.

The Kingdee ERP RCE vulnerability occurs via the "/k3cloud/SRM/ScpSupRegHandler" endpoint by manipulating file upload processes. The vulnerability can be exploited through the "FAtt" parameter, which accepts a maliciously crafted file. Attackers leverage this file upload functionality to execute arbitrary administrative commands on the system. Successful exploitation is possible by embedding harmful shell commands within a POST request to the target endpoint. This manipulation results in command injection, allowing attackers to run unauthorized operations remotely. By exploiting this vulnerable endpoint, attackers effectively bypass authentication controls, posing significant risks to affected systems. Addressing this vulnerability is critical to prevent exploitation and unauthorized code execution by malicious users.
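For asset owners checking whether this endpoint has been requested, the following is an added example, not part of the original page or of the scanner: it searches web access logs for requests to "/k3cloud/SRM/ScpSupRegHandler" after normalizing the path. The common/combined log format, the case-insensitive match, the "review first" heuristic and the sample lines are assumptions made for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Endpoint named on this page, lowercased for case-insensitive comparison
# (assumption: the server may serve the path regardless of letter case).
TARGET = "/k3cloud/srm/scpsupreghandler"

# Assumed log layout: common/combined access log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})\b'
)

def normalize_path(uri):
    """Strip query/fragment, percent-decode, collapse slashes and dot segments."""
    path = uri.split("?", 1)[0].split("#", 1)[0]
    # Decode twice so a double-encoded character cannot hide the path.
    path = unquote(unquote(path)).replace("\\", "/")
    return posixpath.normpath("/" + path.lstrip("/")).lower()

def find_hits(lines):
    """Return (ip, timestamp, method, status) for every request to TARGET."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and normalize_path(m["uri"]) == TARGET:
            hits.append((m["ip"], m["ts"], m["method"], int(m["status"])))
    return hits

def review_first(hits):
    """Heuristic (assumption): POSTs answered 2xx go to the top of the queue.
    Access logs normally omit POST bodies, so only method and path are matched."""
    return [h for h in hits if h[2] == "POST" and 200 <= h[3] < 300]

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "POST /k3cloud/SRM/ScpSupRegHandler HTTP/1.1" 200 312',
    '198.51.100.7 - - [01/Jan/2024:10:01:05 +0000] "POST /K3Cloud//srm/./ScpSupRegHandle%72?x=1 HTTP/1.1" 500 98',
    '203.0.113.5 - - [01/Jan/2024:10:02:00 +0000] "GET /k3cloud/SRM/ScpSupRegHandler HTTP/1.1" 404 0',
    '192.0.2.10 - - [01/Jan/2024:10:03:00 +0000] "POST /k3cloud/SRM/ScpSupRegHandlerX HTTP/1.1" 200 10',
    'truncated or malformed line',
]

if __name__ == "__main__":
    hits = find_hits(SAMPLE)
    for hit in hits:
        print("endpoint request:", hit)
    print("review first:", review_first(hits))
```

A hit shows only that the endpoint was requested; it does not by itself confirm exploitation.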

Exploitation of the Kingdee ERP RCE vulnerability can have devastating consequences for organizations. Malicious actors can gain privileged access to sensitive company data, leading to data theft or corruption and compromising the confidentiality of business operations. There is a high risk of unauthorized system manipulation, where attackers initiate harmful processes or delete essential files. Affected systems can also become unintended participants in a botnet, facilitating further cyberattacks against other systems. Financial losses can follow not only from data breaches but also from disruptions to business operations. Consequently, if it is not addressed promptly and thoroughly, this vulnerability severely threatens corporate reputation, leading to a loss of client trust and competitive disadvantage.
