Talos Intelligence - TALOS-2020-1010

WAGO PFC 200 Web-Based Management (WBM) Code Execution Vulnerability

Published 2020-06-10 by Talos Intelligence (www.talosintelligence.com)

9.0 High (CVSS2)
Attack Vector: NETWORK | Attack Complexity: LOW | Authentication: SINGLE
Confidentiality Impact: COMPLETE | Integrity Impact: COMPLETE | Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

7.2 High (CVSS3)
Attack Vector: NETWORK | Attack Complexity: LOW | Privileges Required: HIGH | User Interaction: NONE | Scope: UNCHANGED
Confidentiality Impact: HIGH | Integrity Impact: HIGH | Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.003 Low (Percentile: 66.4%)

Summary

An exploitable code execution vulnerability exists in the Web-Based Management (WBM) functionality of WAGO PFC 200 03.03.10(15). A specially crafted series of HTTP requests to the WBM software-upload feature results in remote code execution as root on the device. An attacker needs valid WBM administrator credentials to make the authenticated HTTP requests that trigger this vulnerability.

Tested Versions

WAGO PFC 200 03.03.10(15)

Product URLs

https://www.wago.com/us/pfc200

CVSSv3 Score

9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H (Talos's own rating, with Scope: CHANGED because a WBM account crosses into the Linux system; the aggregator score in the page header was recomputed with Scope: UNCHANGED, which is why it reads 7.2)

CWE

CWE-269 - Improper Privilege Management

Details

WAGO is a manufacturer of programmable automation controllers that are used in many industries including automotive, rail, power engineering, manufacturing, and building management.

The WBM (Web-Based Management) application provides configuration and customization to the user. WAGO documentation states that WBM web users are isolated from the Linux system users on the device.

The PFC 200 750-8206 user manual draws a clear distinction between the WBM users and the Linux system users. Section 4.1.2.1.2, "WBM User Group", states:

WBM has its own user administration system. The users in this system are isolated from the other user groups in the system for security reasons.

This vulnerability breaks that isolation: an attacker holding the WBM admin account can gain root privileges on the underlying Linux system.

The software upload functionality of WBM allows the web-admin user to upload a software package in the opkg .ipk format and activate (install) it. The structure of an .ipk file is relatively simple, and the format provides no integrity check such as code signing for the software contained in the package, so the device has no way to tell a vendor package from an attacker-built one. The contents of an .ipk file, once unpacked, look like this:

|-- control
|   |-- control
|   |-- postinst
|   |-- preinst
|   `-- prerm
|-- data
|   |-- usr
|   |   `-- bin
|   |       `-- example_binary
|   `-- lib
|       `-- systemd
|           `-- system
|               `-- example_package.service
`-- debian-binary

When the user activates the software package, a shell script on the device called activate_download is executed. The code excerpt below shows, on lines 097 and 109, that the package install/activate utility opkg is run through sudo, i.e. with root permissions:

095:       update-script )     if [ "install" = $action ]; then
096:                             #echo "activate" $path$filename "for update-script"      
097:                             sudo /usr/bin/opkg install "$path$filename" > /dev/null 2> /dev/null
098:                             
099:                             if [ $? != $SUCCESS ]; then
100: 
101:                               status=$SHELL_ERROR
102:                               ReportError $status "(/usr/bin/opkg install $path$filename)"
103:                               SetLastError "Error while execution"
104:                             fi
105:                           fi
106:               #force overwrite
107:         if [ "force" = $action ]; then
108:                             #echo "force-overwrite" $path$filename "for update-script"
109:                             sudo /usr/bin/opkg install --force-overwrite --force-reinstall --force-downgrade "$path$filename" > /dev/null 2> /dev/null

Since opkg is executed with root permissions, the maintainer scripts in the control portion of the package (preinst, postinst, prerm) are also executed as root, so arbitrary attacker-supplied shell runs as root at install time. Additionally, the attacker can choose the "force" action, which passes --force-overwrite (along with --force-reinstall and --force-downgrade) to opkg: files in the package's data portion may then overwrite files owned by other packages. Forcing the activation therefore gives an attacker the ability to replace system services and binaries with attacker-controlled code that persists across reboots.
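The two paragraphs above (the .ipk layout and what opkg does with it as root) are what a reviewer would want to check before a package reaches the device. The following is an added example, not Talos or WAGO code: it builds a sample .ipk in memory (the ar container with debian-binary, control.tar.gz and data.tar.gz, which is what the unpacked tree above comes from), then parses it back to list the maintainer scripts that opkg would run as root and the payload paths that --force-overwrite would let it clobber. The sample package, the SENSITIVE_PREFIXES list and the function names are assumptions for the demonstration.

```python
"""Inspect an opkg .ipk offline: which maintainer scripts would run as root,
and which payload paths land in system locations.  Added example, not Talos
or WAGO code; the package below is constructed in memory for the demo."""
import io
import tarfile
import time

# Assumed for the example: prefixes where an overwritten file takes effect
# with root privileges (init units, config, system binaries).
SENSITIVE_PREFIXES = ("/lib/systemd/system/", "/etc/", "/usr/bin/", "/usr/sbin/")
MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}


def _ar_member(name: str, data: bytes) -> bytes:
    """Encode one member in the classic 60-byte-header ar format."""
    hdr = f"{name:<16}{int(time.time()):<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n"
    return hdr.encode() + data + (b"\n" if len(data) % 2 else b"")


def _tar_gz(files: dict) -> bytes:
    """Build a gzip-compressed tar from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            info.mode = 0o755
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_ipk(control: dict, data: dict) -> bytes:
    """Assemble an .ipk: ar archive of debian-binary, control.tar.gz, data.tar.gz."""
    return (b"!<arch>\n"
            + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", _tar_gz(control))
            + _ar_member("data.tar.gz", _tar_gz(data)))


def parse_ar(blob: bytes) -> dict:
    """Return {member_name: bytes} from an ar archive (no signature is checked,
    because the format carries none)."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    members, off = {}, 8
    while off + 60 <= len(blob):
        hdr = blob[off:off + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad ar member header")
        name = hdr[0:16].decode().rstrip().rstrip("/")   # GNU ar appends '/'
        size = int(hdr[48:58].decode().strip())
        off += 60
        members[name] = blob[off:off + size]
        off += size + (size % 2)                           # members are 2-byte aligned
    return members


def inspect_ipk(blob: bytes) -> dict:
    """Summarise what 'sudo opkg install' of this package would execute and overwrite."""
    members = parse_ar(blob)
    report = {"maintainer_scripts": {}, "files": [], "sensitive_files": []}
    with tarfile.open(fileobj=io.BytesIO(members["control.tar.gz"]), mode="r:gz") as tf:
        for m in tf.getmembers():
            base = m.name.lstrip("./").split("/")[-1]
            if m.isfile() and base in MAINTAINER_SCRIPTS:
                report["maintainer_scripts"][base] = tf.extractfile(m).read().decode()
    with tarfile.open(fileobj=io.BytesIO(members["data.tar.gz"]), mode="r:gz") as tf:
        for m in tf.getmembers():
            if not m.isfile():
                continue
            path = "/" + m.name.lstrip("./")
            report["files"].append(path)
            if path.startswith(SENSITIVE_PREFIXES):
                report["sensitive_files"].append(path)
    return report


# Constructed sample package mirroring the tree in the advisory (not a real WAGO artifact).
SAMPLE_IPK = build_ipk(
    control={
        "./control": b"Package: example\nVersion: 1.0\nArchitecture: all\n",
        "./postinst": b"#!/bin/sh\necho \"postinst ran as $(id -un)\"\n",
    },
    data={
        "./usr/bin/example_binary": b"#!/bin/sh\necho hello\n",
        "./lib/systemd/system/example_package.service": b"[Service]\nExecStart=/usr/bin/example_binary\n",
    },
)

if __name__ == "__main__":
    r = inspect_ipk(SAMPLE_IPK)
    for name, body in r["maintainer_scripts"].items():
        print(f"maintainer script {name} (runs with opkg's privileges, i.e. root here):\n{body}")
    print("payload files in sensitive paths:", r["sensitive_files"])
```

Run against a real upload, inspect_ipk tells you in advance exactly what the activate_download path would hand to root: any non-empty maintainer_scripts entry is code execution, and any sensitive_files entry is a system file the "force" action would replace.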

Timeline

2020-02-11 - Vendor Disclosure
2020-02-12 - Vendor acknowledged
2020-05-06 - Talos follow up with vendor
2020-05-07 - Vendor requested disclosure extension; Talos granted extension
2020-06-10 - Public Release

