ID

VAR-200801-0248


CVE

CVE-2008-0175


TITLE

GE-Fanuc Proficy Real-Time Information Portal Remote script upload and execution vulnerability

Trust: 0.8

sources: IVD: 06837a6c-2352-11e6-abef-000c29c66e3d // CNVD: CNVD-2008-0433

DESCRIPTION

Unrestricted file upload vulnerability in GE Fanuc Proficy Real-Time Information Portal 2.6 and earlier allows remote attackers to execute arbitrary code by uploading a file with an executable extension to the main virtual directory. An attacker can run an executable server-side script (for example, an ASP shell on Windows Internet Information Server) or execute arbitrary commands with the web server's execution privileges.

GE Fanuc Proficy Information Portal is a web-based system status reporting system that connects production information systems and inter-enterprise networks and handles data such as production information online. This action could allow an attacker to access a vulnerable production information system.

The Proficy Real-Time Information Portal has a vulnerability in processing user requests, and remote attackers could use this vulnerability to control the server. Proficy Real-Time Information Portal does not correctly process the Java RMI call to Add WebSource, which lets the user set the name and path of the file location, while another parameter carries the file content itself, base64-encoded. A successful exploit can allow an attacker to upload arbitrary scripts and execute them in the context of the application. Proficy Real Time Information Portal 2.6 is vulnerable; other versions may also be affected.

Background
-----------------
GE-Fanuc's Proficy Information Portal 2.6 is a web based reporting application for the SCADA environment. As such it will usually be installed in a buffer zone between the SCADA and the corporate network, which makes it a very sensitive application as it can reach both networks.

Impact
----------
An authenticated attacker can compromise the server running Proficy Information Portal, enabling him to progress to the control/process network.

Workaround/Fix
-----------------------
Vendor fix will be available by Feb 15th. A possible workaround is to remove the write permission of the IIS user from the Proficy directory.
Additional Information
-------------------------------
For additional information please contact us at info@c4-security.com. Note that we will respond only to verified utility personnel and governmental agencies. The CVE identifier assigned to this vulnerability by CERT is CVE-2008-0175

Credit
--------
This vulnerability was discovered and exploited by Eyal Udassin of C4.

Regards,
Eyal Udassin - C4 (Formerly Swift Coders)
33 Jabotinsky St. The Twin Towers #1, Ramat Gan, Israel
eyal.udassin@c4-security.com / www.c4-security.com <http://www.c4-security.com/>
+972-547-684989

----------------------------------------------------------------------

TITLE: Proficy Real-Time Information Portal "Add WebSource" File Upload Vulnerability
SECUNIA ADVISORY ID: SA28678
VERIFY ADVISORY: http://secunia.com/advisories/28678/
CRITICAL: Less critical
IMPACT: System access
WHERE: From local network
SOFTWARE: Proficy Real-Time Information Portal 2.x http://secunia.com/product/17343/
DESCRIPTION: Eyal Udassin has reported a vulnerability in Proficy Real-Time Information Portal, which can be exploited by malicious users to compromise a vulnerable system. The vulnerability is caused due to an error in the "Add WebSource" feature when handling file uploads. This can be exploited to e.g. The vulnerability is reported in version 2.6. Other versions may also be affected.
SOLUTION: The vendor will reportedly release a SIM (Software Improvement Module) by February 15, 2008.
PROVIDED AND/OR DISCOVERED BY: Eyal Udassin, C4 Security
ORIGINAL ADVISORY: GE Fanuc (KB12460): http://support.gefanuc.com/support/index?page=kbchannel&id=KB12460 C4 Security (via BugTraq): http://archives.neohapsis.com/archives/bugtraq/2008-01/0373.html
OTHER REFERENCES: US-CERT VU#339345: http://www.kb.cert.org/vuls/id/339345

Trust: 3.51

sources: NVD: CVE-2008-0175 // CERT/CC: VU#339345 // JVNDB: JVNDB-2008-001055 // CNVD: CNVD-2008-0433 // BID: 27446 // IVD: 06837a6c-2352-11e6-abef-000c29c66e3d // PACKETSTORM: 63005 // PACKETSTORM: 63060

IOT TAXONOMY

category: ['ICS'] // sub_category: -

Trust: 0.8

sources: IVD: 06837a6c-2352-11e6-abef-000c29c66e3d // CNVD: CNVD-2008-0433

AFFECTED PRODUCTS

vendor: ge fanuc // model: proficy real-time information portal // scope: lte // version: 2.6

Trust: 1.8

vendor: ge fanuc // model: - // scope: - // version: -

Trust: 0.8

vendor: none // model: - // scope: - // version: -

Trust: 0.6

vendor: ge fanuc // model: proficy real-time information portal // scope: eq // version: 2.6

Trust: 0.6

vendor: ge // model: fanuc proficy real-time information portal // scope: eq // version: 2.6

Trust: 0.3

vendor: ge // model: fanuc proficy real-time information portal // scope: eq // version: 0

Trust: 0.3

vendor: proficy real time information portal // model: - // scope: eq // version: *

Trust: 0.2

sources: IVD: 06837a6c-2352-11e6-abef-000c29c66e3d // CERT/CC: VU#339345 // CNVD: CNVD-2008-0433 // BID: 27446 // JVNDB: JVNDB-2008-001055 // CNNVD: CNNVD-200801-409 // NVD: CVE-2008-0175

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2008-0175
value: HIGH

Trust: 1.0

CARNEGIE MELLON: VU#339345
value: 0.84

Trust: 0.8

NVD: CVE-2008-0175
value: HIGH

Trust: 0.8

CNNVD: CNNVD-200801-409
value: HIGH

Trust: 0.6

IVD: 06837a6c-2352-11e6-abef-000c29c66e3d
value: HIGH

Trust: 0.2

nvd@nist.gov: CVE-2008-0175
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

IVD: 06837a6c-2352-11e6-abef-000c29c66e3d
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

sources: IVD: 06837a6c-2352-11e6-abef-000c29c66e3d // CERT/CC: VU#339345 // JVNDB: JVNDB-2008-001055 // CNNVD: CNNVD-200801-409 // NVD: CVE-2008-0175

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

problemtype:CWE-DesignError

Trust: 0.8

sources: JVNDB: JVNDB-2008-001055 // NVD: CVE-2008-0175

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200801-409

TYPE

Design error

Trust: 0.8

sources: IVD: 06837a6c-2352-11e6-abef-000c29c66e3d // CNNVD: CNNVD-200801-409

CONFIGURATIONS

sources: JVNDB: JVNDB-2008-001055

PATCH

title: Securing Your HMI/SCADA Systems // url: http://www.gefanuc.com/as_en/gefanuc/resource_center/hmi_scada/hmiscada_security.html

Trust: 0.8

title: KB12460 // url: http://support.gefanuc.com/support/index?page=kbchannel&id=KB12460

Trust: 0.8

sources: JVNDB: JVNDB-2008-001055

EXTERNAL IDS

db: NVD // id: CVE-2008-0175

Trust: 3.6

db: CERT/CC // id: VU#339345

Trust: 3.0

db: BID // id: 27446

Trust: 2.7

db: SECUNIA // id: 28678

Trust: 2.6

db: SECTRACK // id: 1019274

Trust: 2.4

db: VUPEN // id: ADV-2008-0307

Trust: 1.6

db: SREASON // id: 3591

Trust: 1.6

db: CNVD // id: CNVD-2008-0433

Trust: 0.8

db: CNNVD // id: CNNVD-200801-409

Trust: 0.8

db: PACKETSTORM // id: 0811

Trust: 0.8

db: JVNDB // id: JVNDB-2008-001055

Trust: 0.8

db: BUGTRAQ // id: 20080125 C4 SECURITY ADVISORY - GE FANUC PROFICY INFORMATION PORTAL 2.6 ARBITRARY FILE UPLOAD AND EXECUTION

Trust: 0.6

db: BUGTRAQ // id: 20080129 RE: C4 SECURITY ADVISORY - GE FANUC PROFICY INFORMATION PORTAL 2.6 ARBITRARY FILE UPLOAD AND EXECUTION

Trust: 0.6

db: IVD // id: 06837A6C-2352-11E6-ABEF-000C29C66E3D

Trust: 0.2

db: PACKETSTORM // id: 63005

Trust: 0.1

db: PACKETSTORM // id: 63060

Trust: 0.1

sources: IVD: 06837a6c-2352-11e6-abef-000c29c66e3d // CERT/CC: VU#339345 // CNVD: CNVD-2008-0433 // BID: 27446 // JVNDB: JVNDB-2008-001055 // PACKETSTORM: 63005 // PACKETSTORM: 63060 // CNNVD: CNNVD-200801-409 // NVD: CVE-2008-0175

REFERENCES

url:http://support.gefanuc.com/support/index?page=kbchannel&id=kb12460

Trust: 2.8

url:http://secunia.com/advisories/28678

Trust: 2.4

url:http://www.securityfocus.com/bid/27446

Trust: 2.4

url:http://www.securitytracker.com/id?1019274

Trust: 2.4

url:http://www.kb.cert.org/vuls/id/339345

Trust: 2.2

url:http://securityreason.com/securityalert/3591

Trust: 1.6

url:http://www.securityfocus.com/archive/1/487079/100/0/threaded

Trust: 1.0

url:http://www.securityfocus.com/archive/1/487242/100/0/threaded

Trust: 1.0

url:http://www.vupen.com/english/advisories/2008/0307/references

Trust: 1.0

url:http://www.securityfocus.com/archive/1/487079/30/0/threaded

Trust: 0.8

url:http://packetstormsecurity.org/0811-exploits/hooked_on_fanucs.rb.txt

Trust: 0.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-0175

Trust: 0.8

url:http://jvn.jp/cert/jvnvu%23339345/index.html

Trust: 0.8

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2008-0175

Trust: 0.8

url:http://www.securityfocus.com/archive/1/archive/1/487079/100/0/threaded

Trust: 0.6

url:http://www.securityfocus.com/archive/1/archive/1/487242/100/0/threaded

Trust: 0.6

url:http://www.frsirt.com/english/advisories/2008/0307/references

Trust: 0.6

url:http://www.us-cert.gov/current/index.html#ge_fanuc_product_vulnerabilities

Trust: 0.3

url:http://www.gefanuc.com/as_en/products_solutions/production_management/products/proficy_portal.html

Trust: 0.3

url:/archive/1/487079

Trust: 0.3

url:/archive/1/487242

Trust: 0.3

url:http://www.c4-security.com/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2008-0175

Trust: 0.1

url:http://secunia.com/product/17343/

Trust: 0.1

url:http://secunia.com/secunia_security_advisories/

Trust: 0.1

url:https://psi.secunia.com/?page=changelog

Trust: 0.1

url:https://psi.secunia.com/

Trust: 0.1

url:http://secunia.com/advisories/28678/

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://archives.neohapsis.com/archives/bugtraq/2008-01/0373.html

Trust: 0.1

url:http://secunia.com/about_secunia_advisories/

Trust: 0.1

sources: CERT/CC: VU#339345 // BID: 27446 // JVNDB: JVNDB-2008-001055 // PACKETSTORM: 63005 // PACKETSTORM: 63060 // CNNVD: CNNVD-200801-409 // NVD: CVE-2008-0175

CREDITS

Eyal Udassin of C4

Trust: 0.6

sources: CNNVD: CNNVD-200801-409

SOURCES

db: IVD // id: 06837a6c-2352-11e6-abef-000c29c66e3d
db: CERT/CC // id: VU#339345
db: CNVD // id: CNVD-2008-0433
db: BID // id: 27446
db: JVNDB // id: JVNDB-2008-001055
db: PACKETSTORM // id: 63005
db: PACKETSTORM // id: 63060
db: CNNVD // id: CNNVD-200801-409
db: NVD // id: CVE-2008-0175

LAST UPDATE DATE

2025-04-10T23:00:36.707000+00:00


SOURCES UPDATE DATE

db: CERT/CC // id: VU#339345 // date: 2008-12-18T00:00:00
db: CNVD // id: CNVD-2008-0433 // date: 2008-01-24T00:00:00
db: BID // id: 27446 // date: 2008-11-04T17:55:00
db: JVNDB // id: JVNDB-2008-001055 // date: 2008-02-07T00:00:00
db: CNNVD // id: CNNVD-200801-409 // date: 2008-09-05T00:00:00
db: NVD // id: CVE-2008-0175 // date: 2025-04-09T00:30:58.490

SOURCES RELEASE DATE

db: IVD // id: 06837a6c-2352-11e6-abef-000c29c66e3d // date: 2008-01-24T00:00:00
db: CERT/CC // id: VU#339345 // date: 2008-01-25T00:00:00
db: CNVD // id: CNVD-2008-0433 // date: 2008-01-24T00:00:00
db: BID // id: 27446 // date: 2008-01-24T00:00:00
db: JVNDB // id: JVNDB-2008-001055 // date: 2008-02-07T00:00:00
db: PACKETSTORM // id: 63005 // date: 2008-01-26T00:12:46
db: PACKETSTORM // id: 63060 // date: 2008-01-29T00:00:58
db: CNNVD // id: CNNVD-200801-409 // date: 2008-01-28T00:00:00
db: NVD // id: CVE-2008-0175 // date: 2008-01-29T02:00:00