what you don't know can hurt you

FANUC Robotics Virtual Robot Controller 8.23 Path Traversal

FANUC Robotics Virtual Robot Controller 8.23 Path Traversal
Posted Jul 16, 2019
Authored by Sebastian Hamann

FANUC Robotics Virtual Robot Controller version 8.23 suffers from a path traversal vulnerability.

tags | exploit
advisories | CVE-2019-13584
MD5 | e58d74e82f6894cd3957246d3cb268c5

FANUC Robotics Virtual Robot Controller 8.23 Path Traversal

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2019-025
Product: FANUC Robotics Virtual Robot Controller
Manufacturer: FANUC Robotics America, Inc.
Affected Version(s): V8.23
Tested Version(s): V8.23
Vulnerability Type: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
Risk Level: Low
Solution Status: Open
Manufacturer Notification: 2019-05-22
Solution Date: ?
Public Disclosure: 2019-07-15
CVE Reference: CVE-2019-13584
Author of Advisory: Sebastian Hamann, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

FANUC Robotics Virtual Robot Controller is an application for
programming simulated industry robots.

Due to an insufficient validation of user input, the HTTP service of
the application is vulnerable to path traversal attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

vrimserve.exe offers an HTTP service on TCP port 8090, which can be used
to control virtual robots and view their log files.

A path traversal vulnerability was discovered in the log viewer
functionality.

By sending a specially crafted HTTP request to the web server, files and
directories that match the pattern "*.*" can be listed anywhere on the
filesystem. Furthermore, the contents of files named "logfile.txt" can
be read.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The string "..%5C" can be used to access the parent directory.

Therefore, by accessing a URL similar to the following, it is possible
to obtain a list of files (and directories with a . in their name) in
the root directory of the C:\ partition (or another partition, depending
on the software installation).

http://${target_host}:8090/namedrobots/folder/dir/..%5C..%5C..%5C..%5C..%5C..%5C..%5C../

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The vendor has not yet released a security update.

It is recommended not making the remote admin web server (vrimserve.exe)
available to untrusted networks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2019-04-23: Vulnerability discovered
2019-05-22: Vulnerability reported to manufacturer
2019-07-15: Public release of SySS security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Manufacturer website:
https://www.fanucamerica.com/
[2] SySS Security Advisory SYSS-2019-025
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-025.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Sebastian Hamann of SySS GmbH.

E-Mail: sebastian.hamann@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Hamann.asc
Key ID: 0x9CE0E440429D8B96
Key Fingerprint: F643 DF21 62C4 7C53 7DB2 8BA1 9CE0 E440 429D 8B96

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE9kPfIWLEfFN9souhnODkQEKdi5YFAl0snBMACgkQnODkQEKd
i5bTGw/+P/fk4GBXrn8w3WmnyE+ZGwS8PtCFjRSqYQXo1k49l80TBKDYPEtkjZyS
l6jHSjKkkG5Lq6gPaHIh+2pbz7SZt1KUMgKbVJvpv2wGIsPHaRIilsTZS9mp/Izr
VE6x//BJcDx2UhDJNSQfUwZsCt7FipJLZjOlp9omMU4UPCg3bIlNIVNQCiRQPi98
QZZSDkdzbxvGUfUbEeqIwHUDf7uPjwFV8gCzMW+avrnbt29iyofMmmnTTJmJiDkG
weCOR1CZ25pWV1DSYCvTebnWPxCl51t2N2TFqr5Xs/I56j+VjL5q15tRn/pSDa8H
U4zrBB32pjJDvkIFmoZHSCBFB6VOlfRMSgL6JPgnefd04nLLhzDg4Wkkjp4pz4Jx
gEhpI7GFH1rt+rRnqKdV++kKG0IgRAE/GzUCLza1S4AwXwd1m+kNXyz1NKkcbdz7
hyeI5uGigryee/8/frpqeUzbSA/GSylAzvtl+25ZPqyYbWmr4QNF/lMIPRIkZS+6
7fKG7jWLyLzL7MS9c0flZuawBOO9CKtPwQwpvX9aWkmzyUWhY/3D38oZU0L+oBAo
p16UFGQPLoYTBU9YOQA6kg1gxOU6+XLO2xpJtgyUIG6KbgZiLdT8nWD9z9HSMeD9
9fWrKqAZzqK1UjVFDspbnqlJFtVOB0Zt+myu5/3sBmgqjo3LucQ=
=X9vR
-----END PGP SIGNATURE-----


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    24 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    7 Files
  • 4
    Oct 4th
    4 Files
  • 5
    Oct 5th
    10 Files
  • 6
    Oct 6th
    1 Files
  • 7
    Oct 7th
    21 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    5 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    17 Files
  • 12
    Oct 12th
    4 Files
  • 13
    Oct 13th
    4 Files
  • 14
    Oct 14th
    15 Files
  • 15
    Oct 15th
    8 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close