The following analysis is based on CODESYS 3.5.15.20:

• Installer file: CODESYS 3.5.15.20.exe, SHA-1 b26884d2a4ded94e80d49eaaef863250fcf4684e
  
• Library file: CmpWebServerHandlerV3.dll, SHA-1 a04f572029b22defdf4f92e72d93d1017b8d9211
  

CODESYS v3 Web Server is vulnerable to a heap-based buffer overflow which can be triggered by an unauthenticated attacker with a specially crafted HTTP request. The vulnerability is due to an integer overflow. This can be used by an attacker to overwrite the heap buffer directly following the under-sized allocation. The web server is only present when a web-based visualization has been configured by the operator.

The vulnerable overwrite occurs in a call to CMUtlSafeMemCpy from CmpWebServerHandlerV3+3a16. This can be used to corrupt the following heap structure, however a crash occurs 2 stack frames up form this within the same request atCmpWebServerHandlerV3+14ac. This is due to a call to memcpy use the original size field without the overflow operation applied to it. Due to the nature of integer overflow, this value is very high, typically 0xffffffff (though any value -92 / 0xffffffa4 through -1 / 0xffffff could be used to trigger the overflow.

There are two branches that could be taken to avoid this condition for reliable code execution:

• CmpWebServerHandlerV3+146e — This branch is based on the return value from the previous function call and is boiled up from the overwrite operation. This branch can not be used while still trigger the overwrite.
  
• CmpWebServerHandlerV3+1498 — This branch could potentialy be used if the return value from CmpWebServer+6bc0 could be forced to be 0. This path warrants further analysis.
  

Without avoiding the memcpy, reliable code execution seems unlikely due to the nature of the vulnerability. Typically heap overwrites require manipulation of the heap that would not be possible if the server crashes after the overwrite while processing the HTTP request. While most modules loaded into the process have ASLR available, there are a small handful of application-specific ones that do not that could be viable candidates for use in a ROP chain.

Successful exploitation would yield code execution within the context of the CODESYSControlServer.exe process which, in PLC development scenarios at least, runs with user privileges.