CVE-2019-5104
A hard-coded encryption key vulnerability exists in the authentication functionality of 3S CODESYS Control, version 3.5.13.20. An attacker with access to communications between the CoDeSyS Gateway and the end CoDeSyS device can trivially recover the plaintext password of any user attempting to log in.
3S CODESYS Control 3.5.13.20
6.2 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-327: Use of a Broken or Risky Cryptographic Algorithm
3S-Smart Software Solutions CODESYS is licensed to vendors who are creating PLCs, or can be purchased directly from 3S-Smart Software Solutions for directly supported platforms. This software is used to turn any device into a soft PLC. The wide range of support allows easy adoption for industrial applications, being able to run on Windows, Linux, or even bare metal.
The hard-coded 32-byte key is XORed into the plaintext password together with a 4-byte challenge, but the challenge handling is incorrectly implemented. The four-byte challenge is included in every authentication packet and, due to a coding error, is reduced to a single-byte perturbation every four bytes within the password. Any captured authentication packet can therefore be used to recover the user's plaintext password.
000888a8 54c70be3 movw r12, #0xb754
000888ac 1cc040e3 movt r12, #0x1c
000888b0 48e04be2 sub lr, r11, #0x48 {var_4c}
000888b4 0f00bce8 ldm r12!, {r0, r1, r2, r3} {data_1cb754, "zeDR96EfU#27vuph7Thub?phaDr*rUbR"} {0x5244657a} {data_1cb754[4], "96EfU#27vuph7Thub?phaDr*rUbR"} {0x66453639} {data_1cb754[8], "U#27vuph7Thub?phaDr*rUbR"} {0x37322355} {data_1cb754[0xc], "vuph7Thub?phaDr*rUbR"} {0x68707576} {data_1cb754[0x10], "7Thub?phaDr*rUbR"}
000888b8 0f00aee8 stm lr!, {r0, r1, r2, r3} {var_4c_1} {var_48_1} {var_44_1} {var_40_1} {var_3c} {var_3c} {0x5244657a} {0x66453639} {0x37322355} {0x68707576}
000888bc 0f00bce8 ldm r12!, {r0, r1, r2, r3} {data_1cb754[0x10], "7Thub?phaDr*rUbR"} {0x75685437} {data_1cb754[0x14], "b?phaDr*rUbR"} {0x68703f62} {data_1cb754[0x18], "aDr*rUbR"} {0x2a724461} {data_1cb754[0x1c], "rUbR"} {0x52625572} {data_1cb754[0x20], ""} {data_1cb754[0x20], ""}
000888c0 00c09ce5 ldr r12, [r12] {data_1cb754[0x20], ""}
000888c4 0f00aee8 stm lr!, {r0, r1, r2, r3} {var_3c_1} {var_38_1} {var_34_1} {var_30_1} {var_2c} {var_2c} {0x75685437} {0x68703f62} {0x2a724461} {0x52625572}
000888c8 0400a0e1 mov r0, r4
000888cc 00c0cee5 strb r12, [lr] {var_2c_1} {0x0}
000888d0 fac2feeb bl strlen
000888d4 018080e2 add r8, r0, #0x1
000888d8 1f0058e3 cmp r8, #0x1f
000888dc 2080a0d3 movle r8, #0x20
000888e0 020000da ble 0x888f0
...
00088940 24104be2 sub r1, r11, #0x24 {__saved_r4}
00088944 013083e2 add r3, r3, #0x1
00088948 021081e0 add r1, r1, r2 {__saved_r4}
0008894c 012082e2 add r2, r2, #0x1
00088950 200052e3 cmp r2, #0x20
00088954 d100d4e0 ldrsb r0, [r4], #0x1
00088958 241051e5 ldrb r1, [r1, #-0x24]
0008895c 24e04be2 sub lr, r11, #0x24 {__saved_r4}
00088960 0020a003 moveq r2, #0
00088964 040053e3 cmp r3, #0x4
00088968 066081e0 add r6, r1, r6
0008896c 0030a003 moveq r3, #0
00088970 04005ce1 cmp r12, r4
00088974 006026e0 eor r6, r6, r0
00088978 03e08ee0 add lr, lr, r3 {__saved_r4}
0008897c 0160e5e5 strb r6, [r5, #0x1]!
00088980 edffff1a bne 0x8893c
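A simplified model of the weak scheme described above, placed beside a proper challenge-response, as an added Python example that is not part of the Talos report or of CODESYS. Only the 32-byte key string is taken from the disassembly; the XOR model's byte cycling, the PBKDF2/HMAC construction and all function names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# 32-byte key string visible in the disassembly on this page (data_1cb754).
HARD_CODED_KEY = b"zeDR96EfU#27vuph7Thub?phaDr*rUbR"


def weak_obfuscate(password: bytes, challenge: bytes, key: bytes = HARD_CODED_KEY) -> bytes:
    """Simplified model of the scheme the advisory describes: an assumption about its
    shape, not the exact CODESYS routine. Each password byte is XORed with a key byte
    (cycled mod 32) and a challenge byte (cycled mod 4). XOR is its own inverse, so
    applying this function again with the same challenge returns the password: a
    passive observer holding the hard-coded (hence public) key and the challenge sent
    in the packet undoes it directly, which is why this is CWE-327."""
    if len(key) != 32 or len(challenge) != 4:
        raise ValueError("model expects a 32-byte key and a 4-byte challenge")
    return bytes(p ^ key[i % 32] ^ challenge[i % 4] for i, p in enumerate(password))


def derive_verifier(password: bytes, salt: bytes) -> bytes:
    """Hardened alternative, step 1: the server stores a salted PBKDF2 output, so the
    plaintext password never has to cross the wire in any recoverable form."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def new_challenge() -> bytes:
    """Fresh 16-byte random challenge per login attempt, so a captured response
    cannot be replayed."""
    return secrets.token_bytes(16)


def client_response(password: bytes, salt: bytes, challenge: bytes) -> bytes:
    """Hardened alternative, step 2: the client proves knowledge of the password with
    an HMAC over the challenge. The response is one-way: a captured (challenge,
    response) pair allows only an offline guessing attack slowed by PBKDF2; it does
    not reveal the password."""
    return hmac.new(derive_verifier(password, salt), challenge, hashlib.sha256).digest()


def server_verify(stored_verifier: bytes, challenge: bytes, response: bytes) -> bool:
    """Constant-time comparison against the response the server expects."""
    expected = hmac.new(stored_verifier, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    pw, ch = b"Admin-2019", b"\x01\x02\x03\x04"  # constructed sample values
    print("weak scheme undone with the public key:", weak_obfuscate(weak_obfuscate(pw, ch), ch) == pw)
    salt, nonce = secrets.token_bytes(16), new_challenge()
    print("hardened login accepted:", server_verify(derive_verifier(pw, salt), nonce, client_response(pw, salt, nonce)))
```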
2019-09-19 - Initial contact
2019-09-23 - Vendor Disclosure
2020-03-25 - Vendor Patched; Public Release
Discovered by Carl Hurd of Cisco Talos.