Attack Chain

1. Attacker identifies a vulnerable Remote Sunrise Helper instance running on a Windows host.
2. The attacker sends a GET request to /api/getVersion to the target on port 49762 to verify the application version and check if authentication is disabled.
3. The application responds with a JSON object indicating the version and the value of requires.auth. If requires.auth is False, the system is vulnerable.
4. The attacker crafts a POST request to /api/executeScript with the X-Script header containing the command to execute.
5. The attacker sets the X-HostName, X-ClientToken, and X-HostFullModel headers.
6. The vulnerable application executes the command specified in the X-Script header.
7. The application returns the result of the executed command in JSON format.
8. The attacker gains remote code execution on the Windows host, potentially leading to further compromise.

Impact

Successful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary code on the affected Windows system. This could lead to complete system compromise, including data theft, installation of malware, or denial of service. The availability of a public exploit makes this vulnerability highly accessible to attackers.

Recommendation

• Apply appropriate mitigations to prevent unauthorized access to port 49762 used by Remote Sunrise Helper.
• Deploy the Sigma rule Detect Remote Sunrise Helper Vulnerability Check to identify systems potentially probing for the vulnerability.
• Deploy the Sigma rule Detect Remote Sunrise Helper Exploit to detect exploit attempts against the /api/executeScript endpoint.
• Monitor web server logs for POST requests to /api/executeScript with suspicious X-Script headers.