CVE-2021-34605: Code Execution Vulnerabilities Found in XINJE PLC Application

A zip slip vulnerability in XINJE XD/E Series PLC Program Tool up to version v3.5.1 can provide an attacker with arbitrary file write privilege when opening a specially-crafted project file. This vulnerability can be triggered by manually opening an infected project file, or by initiating an upload program request from an infected Xinje PLC. This can result in remote code execution, information disclosure and denial of service of the system running the XINJE XD/E Series PLC Program Tool.

By Mashav Sapir | May 11, 2022

Executive Summary

  • Team82 has uncovered two vulnerabilities in XINJE’s PLC Program Tool, an engineering workstation.
  • Version 3.5.1 is affected, and likely other versions.
  • Team82 began disclosure efforts in August 2020. More than a year later, XINJE acknowledged our disclosure in September 2021.
  • XINJE at that time refused to cooperate with Team82 and asked us to stop communication with them.
  • We extended the terms of our coordinated disclosure policy beyond 90 days to nine months before disclosing limited details today to help asset owners prioritize any mitigations.
  • An attacker may use a crafted project file to trigger these vulnerabilities.
  • A crafted project file can be used to write arbitrary files to disk and gain code execution.

Engineering workstations are among the most critical operational technology (OT) assets. Engineers use these platforms to configure and maintain control system applications and devices at lower levels of the Purdue Model for industrial control systems. A threat actor who can access and use an engineering workstation as an attack vector is in position to disrupt industrial processes and cause damage that could put public safety at risk or interrupt the delivery of critical services.

Team82’s latest research is an examination of engineering workstation applications sold by XINJE, a Chinese automation company. We uncovered two vulnerabilities in the XINJE PLC Program Tool (CVE-2021-34605 and CVE-2021-34606) in v3.5.1. Team82 tested only v3.5.1; we believe other versions may be vulnerable too.

These flaws can be triggered by a crafted project file. An attacker can use these vulnerabilities to write arbitrary project files to a PLC and gain code execution.

Team82 is disclosing limited information today about these vulnerabilities, details of which were privately disclosed at the end of August 2021 after a year of attempting to connect with representatives of the company. The vendor was not receptive to our attempts to share technical information and collaborate on a fix and response. Finally, on Sept. 8, 2021, XINJE representatives asked that Team82 stop communication. Team82 extended the terms of its coordinated disclosure policy beyond 90 days to nine months before disclosing limited details today to help asset owners prioritize any mitigations.

Engineering Workstation Programs

XINJE’s PLC Program Tool is an engineering workstation program, used in OT environments to communicate with XINJE-produced PLCs. These devices, according to XINJE, are used not only in China, but in Europe, North America, Southeast Asia, and elsewhere in a number of markets, including energy, manufacturing, and engineering.

From a security perspective, gaining access to a machine containing the engineering workstation program can allow an attacker to fully meddle with PLCs and other highly sensitive OT equipment with adverse consequences. Therefore, exploiting vulnerabilities in these applications can be used by attackers as a final step toward taking full control of an OT network.

_An attacker targeting an engineering workstation could infect lower-level devices such as PLCs, sensors, or pumps._

Malicious Project Files at Heart of a Class of Vulnerabilities

Team82 has taken a special interest in a class of vulnerabilities that involve project files.

Project files are usually archive file formats that contain OLE files, SQLite databases, proprietary binary formats, text files, and directories created within engineering workstations. These programs are used by engineers to monitor, configure, and communicate with programmable logic controllers (PLCs) and other control systems.

The program logic contained in a project file governs ICS devices and oversees processes, and it also may include network configuration data and—at times—a complete OT network layout. For attackers targeting industrial networks—and many of late have been state actors—weaponized project files would likely be central to such a campaign.

When a project file is opened with an engineering station program, the program can quickly communicate with the relevant equipment. Alternatively, the OT engineer can sometimes upload the project file from a PLC, but this requires either running a network discovery tool to find the PLC’s network address (a procedure not supported by all PLCs) or manually entering the relevant network parameters. As a result, many companies opt to use project files, each including the configuration for one or more PLCs.

Vulnerabilities can be triggered by specially crafted project files composed by an attacker when opened by the engineering station program. In this scenario, an attacker could, for example, replace a legitimate file in a network share used to store the files with a crafted file that would trigger a vulnerability in the program. We discovered such vulnerabilities in the XINJE PLC Program Tool, which can allow an attacker to run arbitrary code on a vulnerable endpoint upon opening an exploited project file.

Research Environment Setup a Crucial First Step

As part of our work, we often receive requests to research proprietary protocols in order to maximize our customers’ ability to observe the traffic in their network. At times we have to support older equipment still used in critical roles in production sites, and at other times we even stumble onto equipment manufactured by smaller OT vendors.

The request we received from a customer to analyze protocols used by equipment manufactured by XINJE fell into the latter category.

Our first step was to create a lab setup; this usually requires purchasing equipment and connecting it to the relevant engineering workstation program. In some cases, even purchasing the equipment can be difficult because the vendor might no longer offer the exact models we need.

What we discovered over time is that a surprisingly wide range of OT equipment can be purchased through eBay. In many cases, once a factory changes its OT equipment, the older, used equipment winds up on eBay and can be purchased easily and shipped to your doorstep. Equipment offered by XINJE was no exception, and a variety of XINJE products can be purchased through eBay:

_eBay listings for XINJE industrial equipment._

Once we purchased a PLC, the next step was to install it in our lab, along with a multitude of other OT equipment, and connect it to the engineering workstation program used to configure it.

_A XINJE PLC running in a lab setup._

Chaining Two Vulnerabilities to Load a Malicious File

Once we’ve constructed a suitable setup and finished researching the different protocols used by the equipment, we’re often asked by our customers to look for security issues with the setup.

Pointing out these issues can help users improve their security posture immediately. Responsibly reporting these vulnerabilities to the vendor can help fix them and improve security across the entire OT space.

In XINJE’s case, we decided to focus on the engineering workstation program called XINJE PLC Program Tool. As mentioned earlier, in such cases project file vulnerabilities are of particular interest. Usually, searching for project file vulnerabilities begins with investigating the structure of the project file used by the engineering workstation program. In the case of XINJE PLC Program Tool, the relevant files are *.xdp files:

_XINJE PLC project files are .xdp files._

These project files can be easily identified as zip files, as indicated by the PK\x03\x04 magic bytes at the start of the file.

They can be extracted by almost any archive utility (e.g. 7z). What’s even more interesting is that when the program opens a project file, it immediately extracts it to a temporary directory located within its installation directory:

_XDPPro.exe writes several files to C:\Program Files\XINJE\XDPPro\tmp_

This behavior indicates that the program assumes it’s being executed with administrator privileges. This, in combination with the project file being a zip archive, immediately makes one wonder whether a zip slip vulnerability (an arbitrary file-overwrite vulnerability) can be leveraged to obtain arbitrary write privileges.

Soon enough we did find a zip slip vulnerability (CVE-2021-34605), which can provide an attacker with arbitrary write privileges with the permissions of the program; in most cases these will be administrator privileges.

The next question is how to reach code execution from an arbitrary file write. Since it makes the most sense for the code to be executed right after the project file is loaded, we can check what the program is doing while opening the project file:

_XDPPro.exe attempts to load DNSAPI.dll from C:\Program Files\XINJE\XDPPro, doesn’t find it and falls back to C:\Windows\System32_

Interestingly, it’s trying to load .dll files from its local directory with LoadLibrary. When LoadLibrary doesn’t find them, it reverts to searching for them in C:\Windows\System32. Here is where we found our second vulnerability, CVE-2021-34606, a classic DLL hijacking vulnerability.

In order to create a fully-working exploit, we chained our two vulnerabilities:
Once a specially crafted malicious project file is opened by XINJE PLC Program Tool, the zip slip vulnerability will be triggered and a .dll file will be written to the program’s directory in Program Files. Later in the process of loading a new project, this DLL will be loaded instead of the real DLL (located in Windows\System32).

Once the DLL is loaded, malicious code is executed during its DllMain procedure or in one of the functions imported by the program. An attacker now may gain a foothold on an OT network.
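As an added defender-side example (not Team82’s or XINJE’s code), the scanner below inspects an .xdp project file, which the article identifies as a plain zip archive, without extracting it, and reports the two indicators of the chain described above: entries whose names would escape the extraction directory (zip slip) and entries that would drop a .dll. The extraction path is the one named in the article; the sample archives, including the DNSAPI.dll entry name, are constructed for the example.

```python
import io
import posixpath
import zipfile

# Extraction directory named in the article (assumed layout; forward slashes for portability).
DEST_DIR = "C:/Program Files/XINJE/XDPPro/tmp"


def entry_escapes(name: str, dest_dir: str) -> bool:
    """True if extracting `name` under dest_dir could land outside it."""
    normalised = name.replace("\\", "/")  # Windows extractors treat backslashes as separators
    # Absolute paths and drive-letter prefixes ("C:/...") never stay under dest_dir.
    if normalised.startswith("/") or (len(normalised) > 1 and normalised[1] == ":"):
        return True
    base = posixpath.normpath(dest_dir)
    target = posixpath.normpath(posixpath.join(base, normalised))
    return not (target == base or target.startswith(base + "/"))


def scan_project_file(data: bytes, dest_dir: str = DEST_DIR) -> dict:
    """Return suspicious entries of an .xdp archive given as bytes (nothing is written to disk)."""
    findings = {"zip_slip": [], "dll_drop": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if entry_escapes(name, dest_dir):
                findings["zip_slip"].append(name)
            if posixpath.basename(name.lower().replace("\\", "/")).endswith(".dll"):
                findings["dll_drop"].append(name)
    return findings


def build_sample(entries: dict) -> bytes:
    """Build an in-memory zip from {entry_name: payload} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: a benign project, and one whose traversal entry would
# place a DLL one level above tmp/, i.e. in the program directory.
BENIGN = build_sample({"program.bin": b"...", "config/plc.ini": b"..."})
CRAFTED = build_sample({"program.bin": b"...", "../DNSAPI.dll": b"MZ-placeholder"})

if __name__ == "__main__":
    print("benign :", scan_project_file(BENIGN))
    print("crafted:", scan_project_file(CRAFTED))
```

The same check can be run over a share of project files before they are opened on a workstation; any non-empty finding is worth quarantining the file for review.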

_A demonstration of Team82’s proof-of-concept exploit._

Wrapping Up

Despite the fact that awareness of cybersecurity has been steadily increasing in recent years in the OT world, many engineering workstation programs are still vulnerable to easily exploitable vulnerabilities.

Not all vendors are aware of the fact that project files can be weaponized by attackers as a method to take control of critical OT resources; this is true for most OT personnel as well.

In addition, many vendors still do not have well-defined interfaces for coordinated disclosure of vulnerabilities. As a result, disclosure can take an unnecessarily long time, often passing through sales and/or technical support teams without security knowledge, before reaching the teams responsible for the development of the affected products.

This was a challenging disclosure with XINJE, which thankfully is not the norm within the majority of OT vendors.
