ABB HMI uses outdated software components that are statically linked into the firmware files and service binaries. These components have documented vulnerabilities and should be updated and replaced. It was possible to identify severally outdated OpenSSL (version 0.9.8g) and ABYSS HTTP (version 0.4) server components.
cad7c2fbbae341fd60776b4bb48d4026c7c1d00b91347c7ecd5ebdd509988332Xlight FTP version 3.9.3.2 SEH buffer overflow exploit with egghunter and ROP.
8a25a3e8400b103e1968bb06bba284c8aee75861e8f8d35933431637c668ae69Xlight FTP version 3.9.3.1 suffers from a buffer overflow vulnerability.
3dabb6c449afa7a3c575affa67b35587c650c44ef61038914bd7c28eaba98ea7xls2csv version 0.95 suffers from three overflow, one malloc fail, one memory leak, and two null pointer dereference vulnerabilities. Proof of concept code and ASAN analysis is included.
402ac84fc47b7d4da1da0a322e73a447648bd172a8f26bd149008ed8d2e4839eManageEngine AssetExplorer versions prior to 6.5 (6503) suffer from an authenticated remote command execution vulnerability.
78e2dfe15fe4ac8812878531114733d90bacff83962512be4ff408289bef63d6The ManageEngine Asset Explorer windows agent suffers form a remote code execution vulnerability. All versions prior to 1.0.29 are affected.
cad8acf833ae1fc01c1aff9970f2a1ebe51e3dedd74f0abacbf0957e483c2741ManageEngine DataSecurity Plus versions prior to 6.0.1 and ADAudit Plus versions prior to 6.0.3 suffer from an authentication bypass vulnerability.
4fdd0a374d4602e83df4826d1fa9df4688afc640985f07e5c06d6e72891299a4ManageEngine DataSecurity Plus versions prior to 6.0.1 and ADAudit Plus versions prior to 6.0.3 suffers from a path traversal vulnerability that can lead to remote code execution.
60bdf17fd56c9fb381132939686a98b99f6b36dbdbb84bcc1d07a89ee5e7f57eSony BRAVIA Smart TVs suffer from multiple denial of service vulnerabilities.
fbc4f49cf917451119e1ccf1c0315f0acf3592defffddafa87db9297f8bc2e4aThe IDAL HTTP server is vulnerable to memory corruption through insecure use of user supplied format strings. An attacker can abuse this functionality to bypass authentication or execute code on the server. The IDAL HTTP server does not safely handle username or cookie strings during the authentication process. Attempting to authenticate with the username "%25s%25p%25x%25n" will crash the server. Sending "%08x.AAAA.%08x.%08x" will log memory content from the stack.
2710131973cb651b312b3b4490bb6638b5ec8ddf6b94183de3c0860cb2228091The IDAL HTTP server is vulnerable to a stack-based buffer overflow when receiving a large host header in a HTTP request. The host header value overflows a buffer and overwrites the Structured Exception Handler (SEH) address with a larger buffer. An unauthenticated attacker can send a Host header value of 2047 bytes or more to overflow the host headers and overwrite the SEH address which can then be leveraged to execute attacker controlled code on the server.
2421624e7ad840181ca84c4621cdcea0f08c090f97ea23834ea7b42bf7a3e813The IDAL HTTP server CGI interface contains a URL, which allows an unauthenticated attacker to bypass authentication and gain access to privileged functions. In the IDAL CGI interface, there is a URL (/cgi/loginDefaultUser), which will create a session in an authenticated state and return the session ID along with the username and plaintext password of the user. An attacker can then login with the provided credentials or supply the string 'IDALToken=......' in a cookie which will allow them to perform privileged operations such as restarting the service with /cgi/restart.
2617e6ac047295c7fb8c7aca613dea0e8f19f61ec746d1002bff8329b0e82b21ABB HMI fails to perform any signature validation checking during two different transmission methods for upgrade.
39d7cecad6807940c328851d93368e198e19bde1cf6dc40359be5823c04e00baThe IDAL FTP server is vulnerable to memory corruption through insecure use of user supplied format strings. An attacker can abuse this functionality to bypass authentication or execute code on the server.
97f45ac950dcf506a57f347833ae16de5edfa742a6d69f781cb6a6095d7d3ef0The affected ABB components implement hidden administrative accounts used during the provisioning phase of the HMI interface. These credentials allow the provisioning tool "Panel Builder 600" to flash a new interface and Tags (MODBUS coils) mapping to the HMI.
641a46252f672912e5381d2076081a87e7c263f215b0495b1012cb8757b1ddd0The IDAL FTP server fails to ensure that directory change requests do not change to locations outside of the FTP servers root directory. An authenticated attacker can simply traverse outside the server root directory by changing the directory with "cd ..". An authenticated attacker can traverse to arbitrary directories on the hard disk and then use the FTP server functionality to download and upload files. An unauthenticated attacker can take advantage of the hardcoded or default credential pair exor/exor to become an authenticated attacker.
00c2ac3a1ecb33776d1003c082f02f6355b49f02e6dd423c518718f20b434e76The IDAL FTP server is vulnerable to a buffer overflow where a large string is sent by an authenticated attacker that causes a buffer overflow. This overflow is handled, but terminates the process. An authenticated attacker can send a FTP command string of 472 bytes or more to overflow a buffer causing an exception that terminates the server. An unauthenticated attacker can take advantage of the hardcoded or default credential pair exor/exor to become an authenticated attacker.
e9908b2bf53d554da934fea45c01279a24ea790f35632602c380884910cf6d18Xlight FTP Server version 3.9.1 suffers from a buffer overflow vulnerability.
ce8fe48cb271e4f707e4ff5f27e762d8813f9ae786c74f33dfe119db7ce3f7e0xls2csv version 0.95 suffers from a buffer overflow vulnerability.
f45d12f58b5f2634c96e4424586f21106576dcbcdb8a998dd2f15d8c1ee79b1aXlight FTP Server version 3.8.8.5 buffer overflow proof of concept exploit.
f79376c04b96ef64d71e45013448a23b12819e7f6618b4725d4b9f4c36e4b647WordPress XCloner plugin version 3.1.2 suffers from command execution and cross site scripting vulnerabilities.
a4af6fa843195d4c5bda3c72aba2e2027e9a000d41b61387a8c55e49ec7cde05Xlrstats versions 2.0.1, 2.0.2 and 2.0.3 suffer from a remote SQL injection vulnerability.
d380ed8282cd907f961e37744b7cfc00761911bc4394d3ffb5f9be01ae4ea137Xlight FTP Server version 3.5.5 suffers from multiple directory traversal vulnerabilities.
b6085a823ca16bf1e6ab1591abb8e5a42bb35ac909c54739a36ec195f7777322X-Lite SIP version 3 memory corruption heap overflow exploit that creates a malicious .wav file.
c50ee26e11632611c3f020dc3cc36a9fe173a115c1e9a643200697c32e30d0dbXlentCMS version 1.0.4 suffers from a remote SQL injection vulnerability in downloads.php.
ad05319ad8133c039b12bd170db26afcbd98db8d40d2a0d9b7e3890c6fed80a5This Metasploit module exploits a stack overflow in Xlink FTP Client 32 Version 3.01 that comes bundled with Omni-NFS Enterprise 5.2. When a overly long FTP server response is received by a client, arbitrary code may be executed.
d80ef037eb6b2966ee8fb841b958b2aac239fab3b51d698b05bbf52b3ed3e214
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed