[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [FD] XL-19-005 - ABB HMI Absence of Signature Verification Vulnerability
From:       xen1thLabs <xen1thLabs () darkmatter ! ae>
Date:       2019-06-20 12:08:16
Message-ID: fc1699834fad4519a9b6d7548c0e72ec () darkmatter ! ae
[Download RAW message or body]

XL-19-005 - ABB HMI Absence of Signature Verification Vulnerability
========================================================================

Identifiers
-----------
XL-19-005
CVE-2019-7229
ABBVU-IAMF-1902003
ABBVU-IAMF-1902012


CVSS Score
----------
8.3 (AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)


Affected vendor
---------------
ABB (new.abb.com)


Credit
------
xen1thLabs - Software Labs


Vulnerability summary
---------------------
ABB HMI uses two different transmission methods to upgrade its software components:

-   Utilization of USB/SD Card to flash the device
-   Remote provisioning process via ABB Panel Builder 600 over FTP

Neither of these transmission methods implement any form of encryption or authenticity checks \
against the new HMI software binary files.


Technical details
-----------------
Neither of the update mechanisms implement encryption or authentication checks on the new \
binaries of the HMI Software components. An attacker could therefore take over the HMI by \
manipulating these .dll or .exe files to execute arbitrary code on the system.

The following Windows CE ARM executable was pushed to the HMI target via FTP and replaced an \
already existing binary resulting in remote code execution.


Proof of concept
----------------
```
// Code Snippet

#pragma comment(linker, "/ENTRY:ChangedEntry /NODEFAULTLIB /SUBSYSTEM:WINDOWSCE")

void ChangedEntry()

{

printf("Remote Code Execution!");

LPCWSTR buff = L"Software Labs Remote Code Execution Proof of Concept";

LPCWSTR a = L"RCE Vuln";

MessageBox(0, buff, a, MB_OK | MB_ICONQUESTION);

}
```


Affected systems
----------------
CP620, order code: 1SAP520100R0001, revision index G1 with BSP UN31 V1.76 and prior
CP620, order code: 1SAP520100R4001, revision index G1 with BSP UN31 V1.76 and prior
CP620-WEB, order code: 1SAP520200R0001, revision index G1 with BSP UN31 V1.76 and prior
CP630, order code: 1SAP530100R0001, revision index G1 with BSP UN31 V1.76 and prior
CP630-WEB, order code: 1SAP530200R0001, revision index G1 with BSP UN31 V1.76 and prior
CP635, order code: 1SAP535100R0001, revision index G1 with BSP UN31 V1.76 and prior
CP635, order code: 1SAP535100R5001, revision index G1 with BSP UN31 V1.76 and prior
CP635-B, order code: 1SAP535100R2001, revision index G1 with BSP UN31 V1.76 and prior
CP635-WEB, order code: 1SAP535200R0001, revision index G1 with BSP UN31 V1.76 and prior
CP651, order code: 1SAP551100R0001, revision index B1 with BSP UN30 V1.76 and prior
CP651-WEB, order code: 1SAP551200R0001, revision index A0 with BSP UN30 V1.76 and prior
CP661, order code: 1SAP561100R0001, revision index B1 with BSP UN30 V1.76 and prior
CP661-WEB, order code: 1SAP561200R0001, revision index A0 with BSP UN30 V1.76 and prior
CP665, order code: 1SAP565100R0001, revision index B1 with BSP UN30 V1.76 and prior
CP665-WEB, order code: 1SAP565200R0001, revision index A0 with BSP UN30 V1.76 and prior
CP676, order code: 1SAP576100R0001, revision index B1 with BSP UN30 V1.76 and prior
CP676-WEB, order code: 1SAP576200R0001, revision index A0 with BSP UN30 V1.76 and prior


Solution
--------
ABB has not changed this, relying instead on password protection:
  - ABB CP635 HMI -  \
https://search.abb.com/library/Download.aspx?DocumentID=3ADR010376&LanguageCode=en&DocumentPartId=&Action=Launch
                
  - ABB CP651 HMI - https://search.abb.com/library/Download.aspx?DocumentID=3ADR010402&LanguageCode=en&DocumentPartId=&Action=Launch



Disclosure timeline
-------------------
04/02/2019 - Contacted ABB requesting disclosure coordination
05/02/2019 - Provided vulnerability details
05/06/2019 - Patch available
17/06/2019 - xen1thLabs public disclosure

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[prev in list] [next in list] [prev in thread] [next in thread]