exploit the possibilities

FANUC Robotics Virtual Robot Controller 8.23 Buffer Overflow

FANUC Robotics Virtual Robot Controller 8.23 Buffer Overflow
Posted Jul 16, 2019
Authored by Sebastian Hamann

FANUC Robotics Virtual Robot Controller version 8.23 suffers from a stack-based buffer overflow vulnerability.

tags | exploit, overflow
advisories | CVE-2019-13585
MD5 | 24accc856caa22d0d70441294d2efb6a

FANUC Robotics Virtual Robot Controller 8.23 Buffer Overflow

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2019-024
Product: FANUC Robotics Virtual Robot Controller
Manufacturer: FANUC Robotics America, Inc.
Affected Version(s): V8.23
Tested Version(s): V8.23
Vulnerability Type: Stack-based Buffer Overflow (CWE-121)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2019-05-22
Solution Date: ?
Public Disclosure: 2019-07-15
CVE Reference: CVE-2019-13585
Author of Advisory: Sebastian Hamann, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

FANUC Robotics Virtual Robot Controller is an application for
programming simulated industry robots.

Due to a stack-based buffer overflow, the remote admin web server
(vrimserve.exe) is vulnerable to denial-of-service and remote code
execution attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

vrimserve.exe offers an HTTP service on TCP port 8090, which can be used
to control virtual robots and view their log files.

A buffer overflow vulnerability was discovered in the log viewer
functionality. By sending a specially crafted HTTP request to the HTTP
server, the application can be crashed causing a denial-of-service
condition.

Remote code execution may also be possible, but was not confirmed
by SySS GmbH. Gaining control over the instruction pointer (EIP) of this
32 bit application by exploiting the stack-based buffer overflow
vulnerability was successful.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

SySS GmbH developed a proof-of-concept exploit that crashes
vrimserve.exe. It is to note that the exploit gives control over the EIP
register, which is an important prerequisite for remote code execution.

curl "http://${target_host}:8090/namedrobots/folder/dir/<1268 bytes>BBBBCCCCCCCCC"

The bytes denoted as B overwrite the EIP register.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The vendor has not yet released a security update.

It is recommended not making the remote admin web server (vrimserve.exe)
available to untrusted networks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2019-04-23: Vulnerability discovered
2019-05-22: Vulnerability reported to manufacturer
2019-07-15: Public release of SySS security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Manufacturer website:
https://www.fanucamerica.com/
[2] SySS Security Advisory SYSS-2019-024
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-024.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Sebastian Hamann of SySS GmbH.

E-Mail: sebastian.hamann@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Hamann.asc
Key ID: 0x9CE0E440429D8B96
Key Fingerprint: F643 DF21 62C4 7C53 7DB2 8BA1 9CE0 E440 429D 8B96

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE9kPfIWLEfFN9souhnODkQEKdi5YFAl0snAwACgkQnODkQEKd
i5ZIqw//bdjzLHzqTtVHEnqFDORa1xmD9478c/57WBKW+kVH/NMupv5CwjsFEJvq
hhY/Ju1Yl+m0kz3R+orHKgUw6VTdfAiogOS/OIW+8yozUQ1lPRDhKcKe/Ai2X2kj
/A/y8mgR43AX2ddcf6tr5XeOeJHgzK3Up8y0fbkvRPQ7aszzWRYCQr4CmXtSsaAf
qxg5fzBwzVEHhDni/tBe6bCqBmV9r+4yi0L2BGV+Cxo08gbsLkAiIhUHJnLG1GbM
mKYFk7v+8JecXEIu12ZiH8Zofn9p2ePeQw/u64VsuUJ+dCJMlyLeAOgXpQiIIt8z
dNj5MS6w37b+4Dc/C7mlfDb9GPGGMyhyK5+TX8KT5LG1MVOyYocnbrD23xSRNSAi
8HhLszTyXcXwkKhsRWelvrEcxaiIsm5y0/4X2gJ/PeTkZNlOPgyD3xv7bth3jUYK
Bcb7NSgp+5FZcaG/moT1W5zL7WFj9wnFd2w4glIPVDUtgy5FQM0cdnGNr1KNvqZB
Esn3Tylbmzt7uQKuT/pZOFk1QQ8VoSnPmyWB6tyBFhTCZxfR+V+MKTIPrCFjrvpQ
D/XDcAT5gqZQHPVK3FI6T8TqF2wS5xoHfNJcPdh6r52puREImY509sze6VWUfzpp
3hfYCusmlwJye9+cbllFCiLNegSNCDBS+nDrRCCXd3QaoOYjls4=
=hm7Q
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    2 Files
  • 2
    Nov 2nd
    9 Files
  • 3
    Nov 3rd
    15 Files
  • 4
    Nov 4th
    90 Files
  • 5
    Nov 5th
    22 Files
  • 6
    Nov 6th
    16 Files
  • 7
    Nov 7th
    1 Files
  • 8
    Nov 8th
    1 Files
  • 9
    Nov 9th
    40 Files
  • 10
    Nov 10th
    27 Files
  • 11
    Nov 11th
    28 Files
  • 12
    Nov 12th
    13 Files
  • 13
    Nov 13th
    18 Files
  • 14
    Nov 14th
    2 Files
  • 15
    Nov 15th
    2 Files
  • 16
    Nov 16th
    29 Files
  • 17
    Nov 17th
    15 Files
  • 18
    Nov 18th
    15 Files
  • 19
    Nov 19th
    21 Files
  • 20
    Nov 20th
    16 Files
  • 21
    Nov 21st
    1 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    19 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close