Attacker Value
Moderate
(1 user assessed)
Exploitability
Low
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
3

CVE-2020-10245

Disclosure Date: March 26, 2020
CVE-2020-10245 CVSS v3 Base Score: 9.8
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

CODESYS V3 web server before 3.5.15.40, as used in CODESYS Control runtime systems, has a buffer overflow.

Add Assessment

3
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Low
Gives privileged accessUnauthenticated
Technical Analysis

The following analysis is based on CODESYS 3.5.15.20:

  • Installer file: CODESYS 3.5.15.20.exe, SHA-1 b26884d2a4ded94e80d49eaaef863250fcf4684e
  • Library file: CmpWebServerHandlerV3.dll, SHA-1 a04f572029b22defdf4f92e72d93d1017b8d9211

CODESYS v3 Web Server is vulnerable to a heap-based buffer overflow which can be triggered by an unauthenticated attacker with a specially crafted HTTP request. The vulnerability is due to an integer overflow. This can be used by an attacker to overwrite the heap buffer directly following the under-sized allocation. The web server is only present when a web-based visualization has been configured by the operator.

The vulnerable overwrite occurs in a call to CMUtlSafeMemCpy from CmpWebServerHandlerV3+3a16. This can be used to corrupt the following heap structure, however a crash occurs 2 stack frames up form this within the same request atCmpWebServerHandlerV3+14ac. This is due to a call to memcpy use the original size field without the overflow operation applied to it. Due to the nature of integer overflow, this value is very high, typically 0xffffffff (though any value -92 / 0xffffffa4 through -1 / 0xffffff could be used to trigger the overflow.

There are two branches that could be taken to avoid this condition for reliable code execution:

  • CmpWebServerHandlerV3+146e — This branch is based on the return value from the previous function call and is boiled up from the overwrite operation. This branch can not be used while still trigger the overwrite.
  • CmpWebServerHandlerV3+1498 — This branch could potentialy be used if the return value from CmpWebServer+6bc0 could be forced to be 0. This path warrants further analysis.

Without avoiding the memcpy, reliable code execution seems unlikely due to the nature of the vulnerability. Typically heap overwrites require manipulation of the heap that would not be possible if the server crashes after the overwrite while processing the HTTP request. While most modules loaded into the process have ASLR available, there are a small handful of application-specific ones that do not that could be viable candidates for use in a ROP chain.

Successful exploitation would yield code execution within the context of the CODESYSControlServer.exe process which, in PLC development scenarios at least, runs with user privileges.

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis