FANUC Robotics Virtual Robot Controller 8.23 Path Traversal Vulnerability

🗓️ 17 Jul 2019 00:00:00Reported by Sebastian HamannType

zdt🔗 0day.today👁 68 Views

FANUC Robotics Virtual Robot Controller 8.23 Path Traversal Vulnerability in HTTP Servic

Reporter	Title	Published	Views	Family All 9
BDU FSTEC	The vulnerability of the web-server of the FANUC Robotics Virtual Robot Controller software allows a hacker to circumvent existing restrictions on the name of the catalog.	12 Jan 202400:00	–	bdu_fstec
CNVD	FANUC Robotics Virtual Robot Controller Path Traversal Vulnerability	16 Jul 201900:00	–	cnvd
CVE	CVE-2019-13584	17 Jul 201918:58	–	cve
Cvelist	CVE-2019-13584	17 Jul 201918:58	–	cvelist
EUVD	EUVD-2019-5034	7 Oct 202500:30	–	euvd
NVD	CVE-2019-13584	17 Jul 201919:15	–	nvd
Packet Storm	FANUC Robotics Virtual Robot Controller 8.23 Path Traversal	16 Jul 201900:00	–	packetstorm
Prion	Directory traversal	17 Jul 201919:15	–	prion
RedhatCVE	CVE-2019-13584	22 May 202504:24	–	redhatcve

Product: FANUC Robotics Virtual Robot Controller
Manufacturer: FANUC Robotics America, Inc.
Affected Version(s): V8.23
Tested Version(s): V8.23
Vulnerability Type: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
Risk Level: Low
Solution Status: Open
Manufacturer Notification: 2019-05-22
Solution Date: ?
Public Disclosure: 2019-07-15
CVE Reference: CVE-2019-13584
Author of Advisory: Sebastian Hamann, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

FANUC Robotics Virtual Robot Controller is an application for
programming simulated industry robots.

Due to an insufficient validation of user input, the HTTP service of
the application is vulnerable to path traversal attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

vrimserve.exe offers an HTTP service on TCP port 8090, which can be used
to control virtual robots and view their log files.

A path traversal vulnerability was discovered in the log viewer
functionality.

By sending a specially crafted HTTP request to the web server, files and
directories that match the pattern "*.*" can be listed anywhere on the
filesystem. Furthermore, the contents of files named "logfile.txt" can
be read.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The string "..%5C" can be used to access the parent directory.

Therefore, by accessing a URL similar to the following, it is possible
to obtain a list of files (and directories with a . in their name) in
the root directory of the C:\ partition (or another partition, depending
on the software installation).

http://${target_host}:8090/namedrobots/folder/dir/..%5C..%5C..%5C..%5C..%5C..%5C..%5C../

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The vendor has not yet released a security update.

It is recommended not making the remote admin web server (vrimserve.exe)
available to untrusted networks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2019-04-23: Vulnerability discovered
2019-05-22: Vulnerability reported to manufacturer
2019-07-15: Public release of SySS security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Manufacturer website:
    https://www.fanucamerica.com/
[2] SySS Security Advisory SYSS-2019-025
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-025.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

#  0day.today [2019-12-04]  #

17 Jul 2019 00:00Current

5.4Medium risk

Vulners AI Score5.4

EPSS0.00913