Pivot! PIVOT! – Reaching Unreachable Vulnerable Code in Industrial IoT Platforms
September 13, 2018 | Mat PowellAs a researcher for the Zero Day Initiative, I’d like to say the primary reason I do what I do is to help improve the security posture of enterprise software in order to make the attackers job as complicated as possible. So, what do you do when you have a great bug and really want to leverage it to maximize your analysis of a vendor’s codebase?
Pivot.
This is the tale of CVE-2018-10589/ZDI-18-483, a command injection vulnerability in Advantech WebAccess Node that results in remote code execution in the administrative context. This vulnerability was exposed through an unprotected Remote Procedure Call (RPC) via IOCTL 0x2711 in the webvrpcs process.
Once webvrpcs completes initial processing of the data it passes the information along to the drawsrv component which will route the request to the corresponding code location for the IOCTL.
Preparing to hand off the RPC request to drawsrv
The drawsrv!DsDaqWebService contains a switch statement to process the IOCTL that it is passed.
IOCTL Control Flow
In this particular case, the application prepares the unsanitized user input and passes it along to kernel32!CreateProcessA, which ends up resulting in a calc.exe process running with high integrity.
Prepping the payload for CreateProcessA()
This is a pretty serious vulnerability, especially given that the interface is left wide open for anyone. So how can we maximize our analysis of this suite of tools? Much like Ross Geller moving a couch, we pivot. We show how this vulnerability can not only be used to execute code, but also exposes additional vulnerabilities to their software.
For example, what if we took this command injection vulnerability and decided to use it to attack previously unreachable components within the application install base? Let’s take a look at the bwaccrts.exe file located in the application’s Node directory. This executable takes the arguments passed in from the command line and processes them with the banned function call sscanf.
Parsing command-line arguments for bwacrts.exe
With this in mind, we revisit our POC and point it to this application.
Modifying the PoC
As expected, we smash the stack and overwrite the instruction pointer to obtain high integrity code execution that was reported as ZDI-18-512.
EIP overwrite
Using this technique, we were able to further expose the vendors attack surface and found more than thirty additional vulnerabilities (ZDI-18-501 – ZDI-18-525, ZDI-CAN-6292 – ZDI-CAN-6302) that ship with this software. What’s even more disturbing is the lack of Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) mitigations across this product, which makes weaponizing these bugs trivial.
Advantech delivered a patch to address this attack vector with the release of WebAccess 8.3.1. If you haven’t had a chance to evaluate it for yourself, now’s a good time to start looking. If you’re interested in learning more on RPC, I highly recommend checking out my colleague Fritz Sands’ blog that goes further down the Advantech RPC rabbit hole. The amount of research being done on Industrial IoT and SCADA systems appears to be just getting started. Considering the potential implications of security bugs in these products, I’m sure we’ll see many more as we go.
You can find me on Twitter @mrpowell and follow the team for the latest exploit techniques and security patches.
Note: An earlier version of this blog listed the root cause of the initial vulnerability as directory traversal instead of command injection. However, the directory traversal is not required. The blog has been updated to correct this information.