An exploitable code execution vulnerability exists in the Web-Based Management (WBM) functionality of WAGO PFC 200 03.03.10(15). A specially crafted series of HTTP requests can cause code execution resulting in remote code execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.
WAGO PFC 200 03.03.10(15)
9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE-269 - Improper Privilege Management
WAGO is a manufacturer of programmable automation controllers that are used in many industries including automotive, rail, power engineering, manufacturing, and building management.
The WBM (Web-Based Management) application provides configuration and customization to the user. WAGO documentation states that the web users are isolated from the Linux system users on the device,
The PFC 200 750-8206 user manual draws a clear distinction between the WBM and the Linux system users. Section 18.104.22.168.2 WBM User Group states:
WBM has its own user administration system. The users in this system are isolated from the other user groups in the system for security reasons.
This vulnerability allows an attacker to gain root privileges on the device from the WBM admin user.
The software upload functionality of WBM allows the web-admin user to upload a software package and activate the software in the opkg
.ipk format. The file structure of an
.ipk file is relatively simple, and provides no integrity checks such as code signing for the software contained in the package. Below describes the contents of an
|-- control | |-- control | |-- postinst | |-- preinst | |-- prerm |-- data | |-- usr | | -- bin | | -- example_binary | -- lib | -- systemd | -- system | -- example_package.service |-- debian-binary
When the user activates the software package, that executes a shell script on the device called
activate_download. The code excerpt below shows on line
109 that the package install/activate utility
opkg is executed with root permissions:
095: update-script ) if [ "install" = $action ]; then 096: #echo "activate" $path$filename "for update-script" 097: sudo /usr/bin/opkg install "$path$filename" > /dev/null 2> /dev/null 098: 099: if [ $? != $SUCCESS ]; then 100: 101: status=$SHELL_ERROR 102: ReportError $status "(/usr/bin/opkg install $path$filename)" 103: SetLastError "Error while execution" 104: fi 105: fi 106: #force overwrite 107: if [ "force" = $action ]; then 108: #echo "force-overwrite" $path$filename "for update-script" 109: sudo /usr/bin/opkg install --force-overwrite --force-reinstall --force-downgrade "$path$filename" > /dev/null 2> /dev/null
opkg utility is executed with root permissions, any of the scripts within the
control portion of the package are also executed with root permissions. Additionally, the attacker can
force the activation which means that the installed package can overwrite data from other packages. Forcing the activation gives an attacker the ability to overwrite system services with attacker controlled code.
2020-02-11 - Vendor Disclosure
2020-02-12 - Vendor acknowledged
2020-05-06 - Talos follow up with vendor
2020-05-07 - Vendor requested disclosure extension; Talos granted extension
2020-06-10 - Public Release
Discovered through discussions between WAGO and Cisco Talos.