===================================================================== BEGIN Foofus.net Security Advisory: foofus-20120817 BEGIN ===================================================================== Title: IOServer "Root Directory" Trailing Backslash Web Server Vuln Allows: Arbitrary File Access, Directory Listing, Directory Traversal CVSS Base / Temporal / Overall Scores: 7.8 / 6.4 / 6.4 Advisory Version: 2 (first publicly released version is 2) Advisory Release Date: 2012-08-17 Advisory Last Updated: 2012-08-17 Vendor: IOServer Pty Ltd. http://www.ioserver.com/ Affected Product: IOServer 1.0.18.0 (and earlier?) Issue Status: fixed version and workarounds available Link: http://www.foofus.net/?page_id=616 ===================================================================== 1. Summary == ======= IOServer is a piece of industrial control software that runs on Windows. It contains a built-in web server to support the "XML Server" feature. This web server can be abused to download any file on the file system without authentication, if the "Root Directory" setting does not contain a trailing backslash. Note that a sample configuration provided with the product exhibits a vulnerable configuration. 2. Description == =========== The vendor's web site describes IOServer thusly: "OPC (OLE for Process Control) Server for Windows NT 4.0 / 95 / 98 / ME / 2000 / 2003 / XP / 2008 / 7. Interface to multiple protocols through a single OPC Server. This software allows OPC clients such as HMI (Human Machine Interface) and SCADA (Supervisory Control and Data Acquisition) systems to exchange plant floor data with PLC (Programmable Logic Controllers)." If the "XML Server" feature is turned on (apparently by configuring a valid "Root Directory" on the "XML Server" tab), the integrated web server listens on the configured port (81 by default). If the "Root Directory" configuration value does not contain a trailing backslash, then these issues exist. A directory traversal vulnerability exists such that the web server can be tricked to serve up any file on the server, outside of the configured "Root Directory". On Windows, one common thing to do with an issue like this is to download the backup copy of the SAM, in order to retrieve password hashes and mount an offline attack on them. Any other potentially sensitive file on the server can be accessed this way as well, if the attacker knows the path to it. Note that directory traversal is only needed if you want to break out of the "Root Directory". The web server will serve up files inside the "Root Directory" just by asking it for them. This may or may not be considered a vulnerability, depending on the expectations of the administrator. Also, the web server allows directory listings in some cases, whether inside or outside the "Root Directory". Again, this may or may not be considered a vulnerability depending on expectations. Note also that the "XML Server Settings" tab contains fields for a "Read Password" and "Write Password", which are apparently intended to only restrict access to the devices via the XML web interface (they are not intended to restrict access to other content served by the web server). By default, they are set to blank. But due to their intended use of resticting device access, they do nothing to stop access to the file system as described here even if they are set to some value. 3. Proof of Concept / Steps to Reproduce == ===== == ======= = ===== == ========= Install the software and use the sample Modbus Web Server configuration from http://www.ioserver.com/mbtcp.io to get it working. This sample configuration uses the "Root Directory" value of "C:\Program Files \IOServer\Docs" (note the lack of a trailing backslash). This directory does not exist unless you install the documentation package (isodoc.exe, available from the vendor web site). You can get to a vulnerable configuration if you leave the "Root Directory" alone and install the documentation package, or just modify the "Root "Directory" value to something valid (but lacking a trailing backslash) like "C:\Program Files\IOServer". Note that the software or server may need to be restarted, then you will see a web server listening on the configured port (81 by default). Note that more recent versions of the software default to "C:\IOServer" rather than "C:\Program Files\IOServer". This does not affect the issues discussed here. To request files within the "Root Directory", just ask for them with a browser or command-line tool like wget: wget http://target-server:81/modbus.dll To get a directory listing, just ask: wget http://target-server:81/ To request files outside of the "Root Directory", use a standard directory traversal trick with a client or browser that supports it. Note that IE probably will not allow this type of malfeasance: wget http://target-server:81/.../.../.../windows/repair/sam To get a directory listing outside of the "Root Directory", ask for it with the directory traversal trick: wget http://target-server:81/.../.../.../windows/ Note that it is only this directory traversal issue that was fixed in version 1.0.19.0. Accessing files and directory listings inside the "Root Directory" is apparently intended operation. 4. Impact == ====== Unexpected arbitrary access to the file system can lead to the disclosure of sensitive information. Worst case, disclosure of the system's password hashes can lead to compromise of the passwords, and therefore, of the server. 5. CVSS Scoring == ==== ======= Using http://nvd.nist.gov/cvss.cfm?calculator&version=2 CVSS Base Score: 7.8 Impact Subscore: 6.9 Exploitability Subscore: 10 CVSS Temporal Score: 6.4 Overall CVSS Score: 6.4 Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: None Availability Impact: None Exploitability: Functional exploit exists Remediation Level: Official fix Report Confidence: Confirmed Note that the CVSS calculation was based only on the directory traversal issue, since it is the most obvious and serious vulnerability addressed here. 6. Affected Products == ======== ======== IOServer 1.0.18.0 (earlier versions are also assumed vulnerable) This was downloaded from http://www.ioserver.com/driver18.exe, which was the current version as of 23 April 2012. Older versions were not available, but are assumed vulnerable. (you can check your version in the IOServer GUI using Help, About IOServer) 7. Workarounds / Solutions == =========== = ========= Ensure that the "Root Directory" value has a trailing backslash. This eliminates most of the issues, although you can still get a directory listing of the "Root Directory" itself (but not subdirs) even with this in place. Of course, limit access to the web server port to only trusted hosts/networks. Even a fixed version should probably not be exposed to the Internet or other untrusted networks. The directory traversal issue was fixed in version 1.0.19.0 (http://www.ioserver.com/driver19.exe), released on 2012-06-20. However, arbitrary file access and directory listings inside the "Root Directory" and its subdirs are still possible in this version, unless the trailing backslash is in place. Note that even with the trailing backslash, directory listing of the "Root Directory" itself is still possible. It is recommended that all three of the above actions (use the trailing backslash, limit access to trusted networks/hosts only, and upgrade to 1.0.19.0 or later) be taken in order to secure this web server as much as possible. 8. Timeline == ======== 2012-04-23: First vendor contact 2012-04-23: Vendor sends proposed fix (that was fast!) 2012-04-27: Proposed fix found incomplete, feedback to vendor 2012-05-04: Vendor sends second proposed fix 2012-05-17: Verified that second proposed fix resolves all known directory traversal issues 2012-05-17: Vendor informs that directory listing and arbitrary file access issues inside the Root Directory are intended functionality 2012-05-18: This issue put on the back burner due to urgent project; I then completely forget about it (oops, my bad) 2012-06-20: Vendor releases fixed version (1.0.19.0, aka "driver19.exe") 2012-08-08: I remember about this; recheck all information and retest current version 1.0.19.0; edits to advisory; contact vendor about public release date 2012-08-17: Public release 9. Credit == ====== hinge, hinge@foofus.net Well, actually, this vulnerability was found by Nessus, plugin ID 10297 (which looks for generic web server directory traversal issues, not specific to IOServer of course). All I did was see it in the scan results, verify it, reproduce it for testing, report it to the vendor and write this advisory. Thanks to my friends at foofus.net, and to IOServer for being very responsive and open. ===================================================================== END Foofus.net Security Advisory: foofus-20120817 END =====================================================================