(CVE-2017-14020) Automation Direct Multiple Software Vulnerabilities

Background:

In late July 2017, I discovered vulnerabilities in a number of AutomationDirect’s industrial control products, particularly around the programming and interaction software. These vulnerabilities can be exploited by placing a crafted DLL file in the software search path which is loaded prior to a valid DLL, allowing an attacker to hijack the DLL and execute arbitrary code on the targeted system.

For reasons which I will not be going into with this post, I stopped testing the applications after successfully being able to exploit seven separate products in a row. The below information outlines the coordinated disclosure details for five out of the seven software applications I found vulnerabilities in. I am sure the other two, and potentially more will be disclosed in due course.

The following AutomationDirect products are affected:

  • CLICK Programming Software (Part Number C0-PGMSW) versions 2.10 and prior
  • C-More Programming Software (Part Number EA9-PGMSW) versions 6.30 and prior
  • C-More Micro (Part Number EA-PGMSW) versions 4.20.01.0 and prior
  • GS Drives Configuration Software (Part Number GSOFT) versions 4.0.6 and prior
  • SL-SOFT SOLO Temperature Controller Configuration Software (Part Number SL-SOFT) versions 1.1.0.5 and prior

Coordinated disclosure regarding the identified vulnerability was undertaken with AutomationDirect and The US Department of Homeland Security’s ICS-CERT. ICS-CERT have published the findings under Advisory ICSA-17-313-01, and allocated CVE-ID CVE-2017-14020.

In response to the coordinated disclosure activities, AutomationDirect have released updated versions of their products to address the vulnerabilities. The new versions can be found at the following URLs:

Uncontrolled Search Path Element (CVE-2017-14029 | CVSS v3 7.8)

Summary
Product: CLICK Programming Software, C-more Programming Software, C-more Micro Programming Software, GS Drives, SL-Soft SOLO Configuration Software
Version: Multiple
Vendor: AutomationDirect (www.automationdirect.com)
CVE-ID: CVE-2017-14020.
CWE-427: Uncontrolled Search Path Element
CVSS v3: Base Score 6.7 (CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)

Uncontrolled search path vulnerabilities were discovered in various AutomationDirect industrial control software products. The vulnerabilities can be exploited by placing a crafted DLL file in the software search path which is loaded prior to a valid DLL, allowing an attacker to hijack the DLL and execute arbitrary code on the targeted system.

Disclosure Timeline

29 July 2017
– DLL Hijacking vulnerability discovered. Further testing commenced

1 August 2017
– Emailed info@ and support@automationdirect.com requesting contact details for identified vulnerabilities

3 August 2017
– AutomationDirect provided contact details for disclosure
– Vulnerability disclosure information sent to AutomationDirect contacts (30 day advisory disclosure)
– Vulnerability disclosure information CC’d to ICS-CERT for CVE-ID and ICSA allocation
– AutomationDirect requested a 90 day diclosure period via email

4 August 2017
– Responded to AutomationDirect advising that 60 days is reasonable

8 August 2017
– Emailed ICS-CERT requesting the Ticket ID number for this case
– ICS-CERT advised Ticket ID ICS-VU-781578 has been assigned

10 August 2017
– Emailed contacts at AutomationDirect and advised them of ICS-CERT’s Ticket ID

21 August 2017
– Emailed ICS-CERT requesting an update on the case; no response

30 August 2017
– Emailed ICS-CERT requesting an update on the case

6 September 2017
– ICS-CERT advise that five out of the seven products have a solution underway

28 September 2017
– Emailed ICS-CERT requesting an update on the case

3 October 2017
– ICS-CERT advised that fixes to five products have been completed. They further advised that the other two products need a full rewrite of the code to fix the issues.
– ICS-CERT request to publish the five products as a separate advisory to the other two products. I agree to the terms.

17 October 2017
– Emailed ICS-CERT requesting an update on the case

25 October 2017
– ICS-CERT email through draft advisory for QA

1 November 2017
– ICS-CERT email me to request update on draft advisory
– Emailed ICS-CERT advising them that the draft is okay and IO am happy for it to be published.

10 November 2017
– Noticed that the advisory went live today, however incorrect information was included. Requested that ICS-CERT ammend the following as soon as possible: “The attacker needs to have administrative access…” This is incorrect… the attacker does not need to have administrative access.

14 November 2017
– ICS-CERT update advisory accordingly.

Tested versions

This vulnerability was tested on the following versions:

– CLICK Programming Software 2.10
– C-More Programming Software 6.30
– C-More Micro Programming Software 4.20.01.0
– GSoft GS Drive Configuration Software version 4.0.6
– SOLO Temperature Controller Configuration Software version 1.1.0.5

Details

Vulnerable versions of AutomationDirect’s software use an uncontrolled search path when loading resources. An attacker may leverage this vulnerability by crafting a DLL file and copying the file to a specified location on the target system.

The following AutomationDirect software is vulnerable to multiple separate DLL hijacking vulnerability conditions.

GSoft GS Drive Configuration Software version 4.0.6

According to the vendor’s product information, the GSoft GS Drive Configuration Software “allows the (AC) drives to be connected to a PC in order to create, edit, or upload/download drive configurations, archive or store multiple configurations on the PC, trend drive operation parameters, tune drive PID loops, view drive faults, and print schematic representations of drive configurations”. Further information is available at the following URL: https://www.automationdirect.com/adc/Overview/Catalog/Drives/GS_Configuration_-a-_Communications_-a-_Software

The GSoft GS Drive Configuration Software is vulnerable to two separate DLL hijacking vulnerability conditions.

AutomationDirect’s GSoft GS Drive Configuration Software allows a user to open existing or previously saved configuration files. An attacker with access to the programs default location for storing configuration files can place a crafted DLL in the search path, resulting in DLL hijacking and execution of arbitrary code on the targeted system when the product is initially installed.

By default the application uses the following default path for storing configuration files.

This location is a Public folder which is shared with all authenticated users. The following information shows the overly permissive rights which all (everyone) user’s inherit for the AutomationDirect folder.

An attacker with access to the target system can place a crafted DLL in the default configuration path, resulting in DLL hijacking and execution of arbitrary code on the targeted system when the open existing file dialog box is opened by the victim user.

The following DLLs have been individually tested and can be hijacked when the vulnerable version of AutomationDirect’s GSoft GS Drive Configuration Software is instructed to open an existing configuration file:

– iOPC2.dll

The following DLLs have been individually tested and can be hijacked when a user initially installs the vulnerable version of AutomationDirect’s GSoft GS Drive Configuration Software:

– _isuser_0x0000.dll
– cryptsp.dll
– dwmapi.dll
– iopc2.dll
– msiltcfg.dll
– ntmarta.dll
– propsys.dll
– riched32.dll
– rpcrtremote.dll
– sxs.dll
– windowscodecs.dll

CLICK Programming Software 2.10

AutomationDirect’s CLICK Programming Software 2.10 “provides the tools to program and configure the hardware for your specific needs”. Further information is available at the following URL: https://www.automationdirect.com/adc/Overview/Catalog/Software_Products/Programmable_Controller_Software/CLICK_PLC_Programming_Software

CLICK Programming Software 2.10’s Windows installer package is vulnerable to an uncontrolled search path when loading resources during the installation phase. An attacker may leverage this vulnerability by crafting a DLL file and copying the file to a specified location on the target system. An attacker with access to the location where the victim has stored the downloaded installer can place crafted DLLs in the search path, resulting in DLL hijacking and execution of arbitrary code on the targeted system when the product is initially installed.

The following DLLs have been individually tested and can be hijacked when a user initially installs the vulnerable version of AutomationDirect’s CLICK Programming Software 2.10:

– cryptsp.dll
– dwmapi.dll
– msls31.dll
– ntmarta.dll
– riched32.dll
– rpcrtremote.dll
– sxs.dll

C-More Programming Software 6.30

According to the vendor’s product information, AutomationDirect’s C-More Programming Software 6.30 is “a user-friendly, Windows-based graphical editor for configuring C-more touch panels. The software offers a robust set of user-configurable objects including pushbuttons, selector switches, meters, numeric displays and trending graphs for designing simple or complex applications”. Further information is available at the following URL: https://www.automationdirect.com/adc/Overview/Catalog/HMI_(Human_Machine_Interface)/C-more_Touch_Panels/C-more_Touch_Panels_EA9_Series/C-more_EA9_Series_Programming_Software_-a-_Cables

C-More Programming Software 6.30’s Windows installer package is vulnerable to an uncontrolled search path when loading resources during the installation phase. An attacker may leverage this vulnerability by crafting a DLL file and copying the file to a specified location on the target system. An attacker with access to the location where the victim has stored the downloaded installer can place crafted DLLs in the search path, resulting in DLL hijacking and execution of arbitrary code on the targeted system when the product is initially installed.

The following DLLs have been individually tested and can be hijacked when a user initially installs the vulnerable version of AutomationDirect’s C-More Programming Software 6.0.3:

– cryptsp.dll
– dwmapi.dll
– ntmarta.dll
– propsys.dll
– rpcrtremote.dll
– riched32.dll
– sxs.dll

C-More Micro Programming Software 4.20.01.0

AutomationDirect’s C-More Micro 4.20.01.0 software is a user-friendly, Windows-based graphical editor for configuring C-more micro panels. Further information is available at the following URL: http://support.automationdirect.com/products/cmoremicro.html

C-More Micro 4.20.01.0’s Windows installer package is vulnerable to an uncontrolled search path when loading resources during the installation phase. An attacker may leverage this vulnerability by crafting a DLL file and copying the file to a specified location on the target system. An attacker with access to the location where the victim has stored the downloaded installer can place crafted DLLs in the search path, resulting in DLL hijacking and execution of arbitrary code on the targeted system when the product is initially installed.

The following DLLs have been individually tested and can be hijacked when a user initially installs the vulnerable version of AutomationDirect’s C-More Micro 4.20.01.0:

– cabinet.dll
– cryptsp.dll
– dwmapi.dll
– ntmarta.dll
– riched32.dll
– rpcrtremote.dll
– sxs.dll

SOLO Temperature Controller Configuration Software version 1.1.0.5

The SOLO Temperature Controller Configuration Software allows operators to configure and monitor AutomationDirect’s Temperature Limit Controllers and PID Temperature Controllers. Further information is available at the following URL: https://www.automationdirect.com/adc/Overview/Catalog/Process_Control_-a-_Measurement/Temperature_-z-_Process_Controllers

Vulnerable versions of the SOLO Temperature Controller Configuration Software use an uncontrolled search path when loading resources. An attacker may leverage this vulnerability by crafting a DLL file and copying the file to the location where the ADC1105.exe executable resides.

AutomationDirect does not provide a windows installer package for the SOLO Temperature Controller Configuration Software, only the standalone executable. As such, an attacker must be able to access the location where the victim user has stored the ADC1105.exe executable.

Not all DLL files are able to be exploited. The following DLLs have been individually tested and can be hijacked when the program is opened:

– olepro32.dll
– dwmapi.dll

The following DLLs have been individually tested and can be hijacked when a user interacts with Open or Save dialogs within the application:

– apphelp.dll
– browcli.dll
– cryptsp.dll
– cscapi.dll
– dfscli.dll
– dhcpcsvc.dll
– dhcpcsvc6.dll
– dnsapi.dll
– linkinfo.dll
– mpr.dll
– msfte.dll
– msftedit.dll
– msi.dll
– msls31.dll
– mstracer.dll
– netutils.dll
– ntmarta.dll
– oleaccrc.dll
– rasadhlp.dll
– rpcrtremote.dll
– shdocvw.dll
– slc.dll
– srvcli.dll
– wkscli.dll
– xmllite.dll

====================
Exploit difficulty
====================

An attacker must have low privileged authenticated access to the local target system in order to exploit this vulnerability, or have the ability to social engineer the user in order to accept the malformed DLL file. An attacker can use well known and existing exploit techniques to gain access to the target system with the same privilege rights as the user running the program.

====================
Proof of Concept
====================

The following POC is for the GSoft GS Drive Configuration Software version 4.0.6 vulnerability. Follow the bouncing ball to exploit the other software packages.

———————
MessageBox PoC
———————

This PoC will display a message box when the crafted DLL is loaded by the application.

1. Create a file called iopc2.c with the following content:

2. Compile as a DLL with the following command on a linux host:

3. Copy the DLL file to C:\Users\Public\AutomationDirect\Gsoft\Configs\ and observe the DLL Hijack message box popup when attempting to open an existing configuration file from AutomationDirect’s GSoft GS Drive Configuration Software.

———————
Reverse shell PoC
———————

This PoC will result in a reverse shell connection to the target host. The attacker will inherit the same permissions as the victim user.

1. Create a DLL with a meterpreter Reverse TCP payload.

2. Create a listener for the reverse shell in metasploit:

3. With the listener ready to receive the reverse shell, copy the DLL file to C:\Users\Public\AutomationDirect\Gsoft\Configs\ and observe a reverse shell connection from the target system to the attacking host when attempting to open an existing configuration file from AutomationDirect’s GSoft GS Drive Configuration Software.