FANUC Robotics Virtual Robot Controller 8.23 Buffer Overflow Vulnerability

🗓️ 17 Jul 2019 00:00:00Reported by Sebastian HamannType

zdt🔗 0day.today👁 66 Views

FANUC Robotics Virtual Robot Controller 8.23 Buffer Overflow Vulnerability, remote code execution ris

Reporter	Title	Published	Views	Family All 10
BDU FSTEC	The vulnerability of the web server of the FANUC Robotics Virtual Robot Controller software allows a hacker to execute arbitrary code.	15 Jan 202400:00	–	bdu_fstec
CNVD	FANUC Robotics Virtual Robot Controller Buffer Overflow Vulnerability	16 Jul 201900:00	–	cnvd
CVE	CVE-2019-13585	17 Jul 201918:51	–	cve
Cvelist	CVE-2019-13585	17 Jul 201918:51	–	cvelist
EUVD	EUVD-2019-5035	7 Oct 202500:30	–	euvd
NVD	CVE-2019-13585	17 Jul 201919:15	–	nvd
Packet Storm	FANUC Robotics Virtual Robot Controller 8.23 Buffer Overflow	16 Jul 201900:00	–	packetstorm
Prion	Buffer overflow	17 Jul 201919:15	–	prion
Positive Technologies	PT-2019-6416 · Fanuc Robotics · Fanuc Robotics Virtual Robot Controller	16 Jul 201900:00	–	ptsecurity
RedhatCVE	CVE-2019-13585	22 May 202507:21	–	redhatcve

Product: FANUC Robotics Virtual Robot Controller
Manufacturer: FANUC Robotics America, Inc.
Affected Version(s): V8.23
Tested Version(s): V8.23
Vulnerability Type: Stack-based Buffer Overflow (CWE-121) 
Risk Level: High
CVE Reference: CVE-2019-13585
Author of Advisory: Sebastian Hamann, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

FANUC Robotics Virtual Robot Controller is an application for
programming simulated industry robots.

Due to a stack-based buffer overflow, the remote admin web server
(vrimserve.exe) is vulnerable to denial-of-service and remote code
execution attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

vrimserve.exe offers an HTTP service on TCP port 8090, which can be used
to control virtual robots and view their log files.

A buffer overflow vulnerability was discovered in the log viewer
functionality. By sending a specially crafted HTTP request to the HTTP
server, the application can be crashed causing a denial-of-service
condition.

Remote code execution may also be possible, but was not confirmed
by SySS GmbH. Gaining control over the instruction pointer (EIP) of this
32 bit application by exploiting the stack-based buffer overflow
vulnerability was successful.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

SySS GmbH developed a proof-of-concept exploit that crashes
vrimserve.exe. It is to note that the exploit gives control over the EIP
register, which is an important prerequisite for remote code execution.

curl "http://${target_host}:8090/namedrobots/folder/dir/<1268 bytes>BBBBCCCCCCCCC"

The bytes denoted as B overwrite the EIP register.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The vendor has not yet released a security update.

It is recommended not making the remote admin web server (vrimserve.exe)
available to untrusted networks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2019-04-23: Vulnerability discovered
2019-05-22: Vulnerability reported to manufacturer
2019-07-15: Public release of SySS security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Manufacturer website:
    https://www.fanucamerica.com/
[2] SySS Security Advisory SYSS-2019-024
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-024.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

#  0day.today [2019-12-03]  #

17 Jul 2019 00:00Current

0.3Low risk

Vulners AI Score0.3

EPSS0.03788