Performing SQL Backflips to Achieve Code Execution on Schneider Electric’s EcoStruxure Operator Terminal Expert at Pwn2Own Miami 2020

Category: Hacking
Source: thezdi.com

The inaugural Pwn2Own Miami contest was held in January at the S4 Conference and targeted Industrial Control System (ICS) products. At the contest, the Claroty Research team chained two vulnerabilities to achieve code execution on Schneider Electric’s EcoStruxure Operator Terminal Expert software, which earned them $25,000 and 25 points towards Master of Pwn. Now that patches are available from the vendor, they have graciously provided the following writeup and demonstration video. Special thanks go out to the folks at Schneider Electric for fixing the issues swiftly.


This post describes a chain of two vulnerabilities found by Claroty Research’s Amir Preminger and Sharon Brizinov. These bugs were put to use in ZDI's Pwn2Own Miami competition in January. The vulnerabilities described are present in Schneider Electric’s EcoStruxure Operator Terminal Expert, version v3.1.100.267 (SP 1) and prior (formerly known as Vijeo XD). 

The default configuration is exploitable by luring a victim into opening (double-clicking) an EcoStruxure Operator Terminal Expert software project file. The exploit will trigger code execution in the context of the application. The attack relies on chaining the two vulnerabilities described below. This blog describes the vulnerability details in the order they were discovered, followed by a list of the exploitation steps necessary to chain them and achieve command execution. Here’s a quick video of these bugs in action:

Technical Details

EcoStruxure Control Terminal Expert is a software environment for designing graphical user interfaces for Human Machine Interface (HMI) devices. These are user interfaces used to control the operation of programmable logic controllers (PLCs) in industrial deployments.

Figure 1 - Designing a water-flow control with EcoStruxure Control Terminal Expert. Image taken from Schneider’s tutorial

All the project information, including various settings and information about the graphical components, is saved to an EcoStruxure Control Terminal Expert project file with a .VXDZ suffix. Behind the scenes, the .VXDZ project file is a zipped directory containing the files the program needs to restore the project so the engineers can continue their work at a later time. There are a few types of files within the project file:

.db: SQLite3 database files which include various project configurations and settings.

.inf/.dat: JSON files intended to store data and settings. For example, each screen and its graphical components is represented in JSON.

Figure 2 - Project directory

When an engineer opens a project file, the zipped directory will be extracted into a temporary directory under the following path:

C:\users\USER\AppData\Local\EcoStruxure\Temp\Schneider\CURRENT_VERSION_FULL\GUID\ProjectFiles

For future reference, the components of this path that are environment specific are the user name (USER) and the full version name (CURRENT_VERSION_FULL). The GUID is generated randomly every time a project is opened, even if the project was already opened previously. This means that this path cannot be predicted ahead of time because it depends on the currently logged-on user, the specific current version name, and the one-time randomly generated GUID. For example, here is a valid path which was generated when we opened a project file:

C:\Users\Administrator\AppData\Local\EcoStruxure\Temp\Schneider\Imagine3.1ServicePack\A1A98F0B-9487-41B3-84A2-2195ECAA11F5\ProjectFiles

Furthermore, the .NET zip library that was used prevented any path traversal attempts, and so the extraction was limited to the randomly generated directory only.

Advanced Features

As in any security research, we try to get familiar with the product and look for esoteric/advanced features that probably were not inspected in-depth by the vendor. After playing with the EcoStruxure Control Terminal Expert a little, we discovered a feature called “Drivers.” Since HMIs are smart screens that present data collected from field controllers within the factory, they must have a query functionality to obtain data from the PLCs. To accomplish this, Schneider includes a mechanism for adding a vendor-specific driver to the project that is capable of querying the PLC to obtain the required data. There are many different models of PLCs, and each communicates over its own protocol. Because of this, Schneider included multiple drivers that engineers can choose from depending on the PLC they need to integrate with.

Figure 3 - Driver is a component that helps the HMI to communicate with the required control equipment (PLCs). There are many different drivers for every vendor and their specific equipment (ecosystem, protocol stack, etc).

All the information regarding which drivers a specific project file is using resides in an SQLite3 database file named DriverConfig.db and can be found inside the project directory. We added a new driver to our project and checked the DriverConfig.db file. Inside, there are three tables:

Driver_X: empty table.

Driver_X_Configuration_X: details about the driver, such as settings and metadata. This includes the driver/module name which will be loaded.

Driver_X_Equipment_X: details about the PLC that the HMI will communicate with. This includes information about the PLC, such as IP address, model type, protocol, and more.

X represents the driver index, and since we added just a single driver, in our case X is 0.

Figure 4 - DriverConfig.db contents

Using a .NET reflector, we investigated the Intermediate Language (IL) code and quickly discovered that the ModuleName field is actually the driver DLL that will get loaded from a predefined directory and handle the communication between the HMI and the PLC. For example, if we have a PLC from Rockwell Automation, we would need to load the Rockwell driver, which communicates with the PLC via EtherNet/IP + CIP protocols. To achieve this, the driver that will be loaded is the RockwellEIP.dll driver. This will be specified in the ModuleName column (field) of the Driver_0_Configuration_0 table, under the DriverConfig.db SQLite3 database file in our project.

Figure 5 - SQLite3 viewer with the DriverConfig.db database opened. The ModuleName field is the name of the driver DLL that will get loaded and handle the communication between the HMI and the PLC

Bug No. 1: Path Traversal to Get Load DLL Primitive

To better understand how information is extracted from the DriverConfig.db database, we went down a rabbit hole: the connection to DriverConfig.db. We can see that the code queries and extracts all the properties from the Driver_0_Configuration_0 table. It then instantiates a new Driver object with the ModuleName field set according to the corresponding value found within the table. Finally, it loads the appropriate driver DLL file using the path specified by the ModuleName field.

Since the database, including the ModuleName field, is under our control, we can provide a custom ModuleName with some ../../../ characters to navigate away from the application-defined directory that contains the legitimate drivers. This is what we did, and we were able to load arbitrary DLLs from the system.

Figure 6 - We changed the ModuleName field to ../../../../claroty.dll and monitored the system using procmon

However, for our attack to be successful, there are two conditions that must be met:

  1. If a file named Driver.xml is not present next to the about-to-be-loaded DLL, the DLL won’t get loaded.
  2. The loaded DLL must be located within a directory of the same name.

For example, if we are changing the ModuleName to simply Claroty, the software will go to the predefined drivers directory at C:\Program Files\Schneider Electric\EcoStruxure Operator Terminal Expert 3.1 Service Pack\Drivers\Drivers, look for a directory named Claroty, and then search inside the directory for Claroty.dll and Driver.xml. If everything is found, the DLL inside will be loaded, in this case, C:\Program Files\Schneider Electric\EcoStruxure Operator Terminal Expert 3.1 Service Pack\Drivers\Drivers\Claroty\Claroty.dll.

We achieved an arbitrary DLL load via directory traversal, and that’s great. However, the question now is how we can deliver our own DLL that will get executed.

Well, we also have an “arbitrary file write” primitive, to a certain extent. Recall that our project file is a zipped container with files and directories. We can add our own files and directories and then repack the project file. When the software opens the project file and extracts all the files, our extra files will be extracted as well (to the temporary directory) along with the rest of the files. The only remaining problem is how we can know ahead of time where our files will get extracted to, so that we can set the path in the ModuleName attribute under the DriverConfig.db database.

Let’s recap: We can use the directory traversal bug to escape the normal drivers directory, and we can also drop some files and directories to the hard disk when our project file gets extracted. However, the files are extracted to a randomized temporary directory that we cannot guess ahead of time. Knowing the path in advance isn’t possible because the GUID is generated randomly every time.

Bug No. 2: Improper Sanitization Causes Information Leak of Sensitive Data

We pondered these questions for a long time until we came up with a solution. The solution came from an unexpected area: SQLite magic tricks! We used the SQL PRAGMA and SQL VIEW database features to generate, in real time, the full path of the extracted directory. Hence, we could lead Terminal Expert directly to our malicious DLL. We were able to do that because the Terminal Expert software loads the database provided in the project file, which is under our control, and queries the tables with no proper sanitization of the data.

What is PRAGMA?

The PRAGMA statement is an implementation-dependent SQL extension. It can be used to modify the operation of the SQLite library or to query the SQLite library for internal (non-table) data. For example, the pragma database_list command will return the list of currently attached databases.

SELECT file FROM pragma_database_list produces the full path of the currently loaded database:

Figure 7 - Showing the full path of the currently loaded database

This means that we can generate the full path to the database after it was loaded in real time. Again, this is done after the database has been dropped to the newly-created temporary directory with the random path. Now we only needed a way to take the answer of this query and insert it into the ModuleName attribute that’s about to be queried by the software.

What is VIEW?

To achieve this, we used a not-so-commonly known feature of databases: VIEW. In databases, a view is a result set of a stored query. In other words, a view is like a dynamically created table that is being generated in real-time upon a client’s query. When the client queries a view, behind the scenes, the database queries the actual table defined for the view, reorganizes the resulting data according to the view’s settings, and finally outputs the complete result back to the client. The entire process is transparent to the client. From the client’s perspective, it appears that it is querying a regular table found within the database.

Figure 8 - Database VIEW diagram and our abstract plan to influence the query in real-time

In our case, the client is the EcoStruxure Operator Terminal Expert software that queries the drivers database to obtain the ModuleName attribute so that it can load the driver DLL. Our plan was to modify the ModuleName in real time after the database has been extracted to its temporary location, so that the ModuleName contains a path derived from the actual location of our extracted database.

1+2 = RCE: Glue Everything Together to Achieve Code Execution

In our project file, we will prepare a directory named ClarotyModule. Inside there will be two files:

Driver.xml
ClarotyModule.dll

We will prepare the DriverConfig.db as follows:

  1. We will rename the original Driver_0_Configuration_0 table to Driver_0_Configuration_0_ORIG.
  2. We will create a VIEW table named Driver_0_Configuration_0.

When the client queries the “original” table Driver_0_Configuration_0, it will actually query our new VIEW table. When the ModuleName field is queried, the VIEW’s stored query returns the result of SELECT file FROM pragma_database_list, with some modification to compose the proper directory traversal syntax. In this way we can navigate upwards and downwards in the folder structure until we land in the current temporary directory where our payload DLL is located.
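As an added example (not code from the ZDI post, Claroty, or Schneider), the following Python audit covers both bugs from the defender’s side: resolve_driver_dll is the strict name check a hardened loader would apply to ModuleName before building a path (Bug No. 1), and audit_driver_config scans sqlite_master for a VIEW standing in for a Driver_N_Configuration_N table or for view/trigger SQL that reads SQLite internals through pragma functions (Bug No. 2). The DriverConfig.db it builds is a constructed sample, and the drivers root used in the checks is an assumed placeholder.

```python
import os
import re
import sqlite3
import tempfile

# A driver name should be one plain path component (e.g. RockwellEIP):
# no separators or dots, nothing that can resolve outside the drivers root.
SAFE_NAME = re.compile(r"[A-Za-z0-9_]+")
DRIVER_TABLE = re.compile(r"Driver_\d+_Configuration_\d+")

def resolve_driver_dll(module_name, drivers_root):
    """Hardened lookup: <root>/<name>/<name>.dll, or None if the name is not a
    plain component or the resolved path escapes the drivers root."""
    if not SAFE_NAME.fullmatch(module_name):
        return None
    root = os.path.realpath(drivers_root)
    dll = os.path.realpath(os.path.join(root, module_name, module_name + ".dll"))
    return dll if os.path.commonpath([root, dll]) == root else None

def audit_driver_config(db_path):
    """Flag what this chain relies on: a VIEW standing in for a
    Driver_N_Configuration_N table, view/trigger SQL that reads SQLite
    internals via pragma functions, and ModuleName values that fail SAFE_NAME."""
    findings = []
    con = sqlite3.connect(db_path)
    try:
        schema = con.execute("SELECT type, name, sql FROM sqlite_master").fetchall()
        for kind, name, sql in schema:
            if kind == "view" and DRIVER_TABLE.fullmatch(name):
                findings.append(f"view shadows driver table: {name}")
            if kind in ("view", "trigger") and sql and re.search("pragma", sql, re.I):
                findings.append(f"{kind} {name} reads SQLite internals via pragma")
        for kind, name, _ in schema:
            if kind in ("table", "view") and DRIVER_TABLE.match(name):
                # Querying a view runs its stored SQL, so we see what the app sees.
                for (module,) in con.execute(f'SELECT ModuleName FROM "{name}"'):
                    if not SAFE_NAME.fullmatch(str(module)):
                        findings.append(f"unsafe ModuleName in {name}: {module!r}")
    finally:
        con.close()
    return findings

def build_sample_db(path):
    """Constructed sample: real table renamed to *_ORIG, and a VIEW under the
    original name whose ModuleName comes from pragma_database_list at query time."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE Driver_0_Configuration_0_ORIG (ModuleName TEXT);
        INSERT INTO Driver_0_Configuration_0_ORIG VALUES ('RockwellEIP');
        CREATE VIEW Driver_0_Configuration_0 AS
            SELECT file AS ModuleName FROM pragma_database_list;""")
    con.close()

def run_demo():
    # Build the sample DriverConfig.db in a temp dir and audit it.
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "DriverConfig.db")
        build_sample_db(db)
        return audit_driver_config(db)
```

Running run_demo() reports the shadowing view, its pragma use, and the absolute database path that the view hands back as ModuleName, which is exactly the value a plain-name check rejects.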

Figure 9 - Specifically crafting the driver database so it will include the path to our DLL in real-time

Finally, we repack everything into a single VXDZ project file. When the victim double-clicks the file, our DLL will get loaded and our code will be executed:

Figure 10 - Our POC in action - upon opening the project file our code will get executed

Conclusion

We took advantage of the way EcoStruxure Operator Terminal Expert reads a given project file, and by performing some SQL backflips, we were able to lead the software into loading our own provided DLL, producing arbitrary code execution upon opening a project file. Schneider Electric patched these bugs and assigned them CVE-2020-7494 and CVE-2020-7496.


Thanks again to Amir and Sharon for such a thorough write-up of these bugs. This was their first time at a Pwn2Own event, and we hope to see more of their work in the future. Until then, follow the team for the latest in exploit techniques and security patches.
