Moderate
CVE-2020-10245
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
CVE-2020-10245
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
CODESYS V3 web server before 3.5.15.40, as used in CODESYS Control runtime systems, has a buffer overflow.
Add Assessment
Ratings
-
Attacker ValueMedium
-
ExploitabilityLow
Technical Analysis
The following analysis is based on CODESYS 3.5.15.20:
- Installer file:
CODESYS 3.5.15.20.exe
, SHA-1b26884d2a4ded94e80d49eaaef863250fcf4684e
- Library file:
CmpWebServerHandlerV3.dll
, SHA-1a04f572029b22defdf4f92e72d93d1017b8d9211
CODESYS v3 Web Server is vulnerable to a heap-based buffer overflow which can be triggered by an unauthenticated attacker with a specially crafted HTTP request. The vulnerability is due to an integer overflow. This can be used by an attacker to overwrite the heap buffer directly following the under-sized allocation. The web server is only present when a web-based visualization has been configured by the operator.
The vulnerable overwrite occurs in a call to CMUtlSafeMemCpy
from CmpWebServerHandlerV3+3a16
. This can be used to corrupt the following heap structure, however a crash occurs 2 stack frames up form this within the same request atCmpWebServerHandlerV3+14ac
. This is due to a call to memcpy
use the original size field without the overflow operation applied to it. Due to the nature of integer overflow, this value is very high, typically 0xffffffff
(though any value -92 / 0xffffffa4 through -1 / 0xffffff could be used to trigger the overflow.
There are two branches that could be taken to avoid this condition for reliable code execution:
CmpWebServerHandlerV3+146e
— This branch is based on the return value from the previous function call and is boiled up from the overwrite operation. This branch can not be used while still trigger the overwrite.
CmpWebServerHandlerV3+1498
— This branch could potentialy be used if the return value fromCmpWebServer+6bc0
could be forced to be 0. This path warrants further analysis.
Without avoiding the memcpy, reliable code execution seems unlikely due to the nature of the vulnerability. Typically heap overwrites require manipulation of the heap that would not be possible if the server crashes after the overwrite while processing the HTTP request. While most modules loaded into the process have ASLR available, there are a small handful of application-specific ones that do not that could be viable candidates for use in a ROP chain.
Successful exploitation would yield code execution within the context of the CODESYSControlServer.exe process which, in PLC development scenarios at least, runs with user privileges.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- codesys
Products
- control for beaglebone,
- control for empc-a/imx6,
- control for iot2000,
- control for linux,
- control for pfc100,
- control for pfc200,
- control for plcnext,
- control for raspberry pi,
- control rte,
- control runtime system toolkit,
- control win,
- embedded target visu toolkit,
- hmi,
- remote target visu toolkit
References
Miscellaneous
Additional Info
Technical Analysis
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below: