Critical RCE vulnerability in CODESYS


CODESYS, developed by the German company Smart Software Solutions (3S), is a software suite used by automation professionals as a development environment, based on the IEC 61131-3 standard, for programming the control programs that are widely used in industrial environments. The product is a platform-independent development environment that is compatible with PLC hardware and many other automation components.
A critical flaw has recently been identified in the CODESYS web server that could allow a remote attacker to crash the server (denial of service) or execute code. This flaw, a stack-based buffer overflow[1], has a score of 10 out of 10 on the CVSS v.2 scale, and exploiting it does not require a high level of skill.
This vulnerability, tracked as CVE-2020-10245, exists in the CODESYS web server, which is used to display CODESYS visualization screens in a web browser.
Technical details of the vulnerability
In this flaw, a web server library named CmpWebServerHandlerV3.dll (file version does not properly validate data sent by the user to the web server URL. An attacker can therefore exploit this weakness by requesting a very large memory allocation through a WEB_CLIENT_OPENCONNECTION message sent to the CmpWebServerHandlerV3 component.
The root cause is that the MemGCGetSize function adds 0x5c bytes to the requested amount of memory during the allocation process. MemGCGetSize is called from the SysMemAllocData function, which many CODESYS components use to allocate memory from the stack.
The CmpWebServerHandlerV3 component (when in state 0) tries to allocate -1 (0xffffffff) bytes for the connection buffer. When SysMemAllocData is called, the 32-bit size calculation wraps around, and only a small buffer (0xffffffff + 0x5c = 0x5b bytes) is actually allocated.
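To make the size wrap-around concrete, here is an added example (not CODESYS code; the function names and the 0x5c header size are modelled on the description above) that shows the unchecked 32-bit addition beside a checked version that rejects a request whose total would overflow:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the per-allocation bookkeeping the text
 * attributes to MemGCGetSize: 0x5c bytes added on top of the request.
 * Sizes are 32-bit to mirror the 32-bit CODESYSControlService.exe. */
#define HEADER_SIZE 0x5cu

/* Unchecked size computation: the addition silently wraps in 32 bits,
 * so a request of 0xffffffff yields 0x5b. */
uint32_t gc_size_unchecked(uint32_t requested) {
    return requested + HEADER_SIZE;
}

/* Checked computation: returns 0 (never a valid total, since the header
 * alone is 0x5c) when the request would wrap, otherwise the true total. */
uint32_t gc_size_checked(uint32_t requested) {
    if (requested > UINT32_MAX - HEADER_SIZE) {
        return 0;                 /* would overflow: reject the request */
    }
    return requested + HEADER_SIZE;
}

/* Model of the allocator built on the checked size: NULL on rejection. */
void *alloc_data_checked(uint32_t requested) {
    uint32_t total = gc_size_checked(requested);
    if (total == 0) {
        return NULL;
    }
    return malloc(total);
}

int main(void) {
    uint32_t req = 0xffffffffu;   /* the -1 request described in the text */
    printf("unchecked: 0x%x + 0x%x = 0x%x\n",
           req, HEADER_SIZE, gc_size_unchecked(req));
    void *p = alloc_data_checked(req);
    printf("checked: %s\n", p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```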
In the PoC published on GitHub, the exploit crashes the 32-bit process "CODESYSControlService.exe" of the web server.
Vulnerable versions and solutions:
In CODESYS version 3, the web server (CmpWebServer and CmpWebServerHandler) is an optional part of the CODESYS runtime system. Nevertheless, all CODESYS V3 runtime systems containing a web server prior to V3.5.15.40 are affected, regardless of CPU type or operating system. Users should therefore update this product to the latest version (V3.5.15.40).
Monitoring the Internet space of the country


One of the ports CODESYS uses for network communication is TCP/2455. A scan of this port across the country's address space did not find any host that clearly exposes this service.
As explained above, however, the vulnerability itself lies in the web server component.
If this service exists in internal networks, there is a high probability that it would be used in the lateral movement stage of a cyber attack chain.

[1] heap-based buffer overflow

Narrated by: Center Maher


