Share
-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
Advisory ID: SYSS-2019-024  
Product: FANUC Robotics Virtual Robot Controller  
Manufacturer: FANUC Robotics America, Inc.  
Affected Version(s): V8.23  
Tested Version(s): V8.23  
Vulnerability Type: Stack-based Buffer Overflow (CWE-121)   
Risk Level: High  
Solution Status: Open  
Manufacturer Notification: 2019-05-22  
Solution Date: ?  
Public Disclosure: 2019-07-15  
CVE Reference: CVE-2019-13585  
Author of Advisory: Sebastian Hamann, SySS GmbH  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
FANUC Robotics Virtual Robot Controller is an application for  
programming simulated industry robots.  
  
Due to a stack-based buffer overflow, the remote admin web server  
(vrimserve.exe) is vulnerable to denial-of-service and remote code  
execution attacks.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
vrimserve.exe offers an HTTP service on TCP port 8090, which can be used  
to control virtual robots and view their log files.  
  
A buffer overflow vulnerability was discovered in the log viewer  
functionality. By sending a specially crafted HTTP request to the HTTP  
server, the application can be crashed causing a denial-of-service  
condition.  
  
Remote code execution may also be possible, but was not confirmed  
by SySS GmbH. Gaining control over the instruction pointer (EIP) of this  
32 bit application by exploiting the stack-based buffer overflow  
vulnerability was successful.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC):  
  
SySS GmbH developed a proof-of-concept exploit that crashes  
vrimserve.exe. It is to note that the exploit gives control over the EIP  
register, which is an important prerequisite for remote code execution.  
  
curl "http://${target_host}:8090/namedrobots/folder/dir/<1268 bytes>BBBBCCCCCCCCC"  
  
The bytes denoted as B overwrite the EIP register.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
The vendor has not yet released a security update.  
  
It is recommended not making the remote admin web server (vrimserve.exe)  
available to untrusted networks.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2019-04-23: Vulnerability discovered  
2019-05-22: Vulnerability reported to manufacturer  
2019-07-15: Public release of SySS security advisory  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
  
[1] Manufacturer website:  
https://www.fanucamerica.com/  
[2] SySS Security Advisory SYSS-2019-024  
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-024.txt  
[3] SySS Responsible Disclosure Policy  
https://www.syss.de/en/news/responsible-disclosure-policy/  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Credits:  
  
This security vulnerability was found by Sebastian Hamann of SySS GmbH.  
  
E-Mail: sebastian.hamann@syss.de  
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Hamann.asc  
Key ID: 0x9CE0E440429D8B96  
Key Fingerprint: F643 DF21 62C4 7C53 7DB2 8BA1 9CE0 E440 429D 8B96  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclaimer:  
  
The information provided in this security advisory is provided "as is"   
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en  
-----BEGIN PGP SIGNATURE-----  
  
iQIzBAEBCgAdFiEE9kPfIWLEfFN9souhnODkQEKdi5YFAl0snAwACgkQnODkQEKd  
i5ZIqw//bdjzLHzqTtVHEnqFDORa1xmD9478c/57WBKW+kVH/NMupv5CwjsFEJvq  
hhY/Ju1Yl+m0kz3R+orHKgUw6VTdfAiogOS/OIW+8yozUQ1lPRDhKcKe/Ai2X2kj  
/A/y8mgR43AX2ddcf6tr5XeOeJHgzK3Up8y0fbkvRPQ7aszzWRYCQr4CmXtSsaAf  
qxg5fzBwzVEHhDni/tBe6bCqBmV9r+4yi0L2BGV+Cxo08gbsLkAiIhUHJnLG1GbM  
mKYFk7v+8JecXEIu12ZiH8Zofn9p2ePeQw/u64VsuUJ+dCJMlyLeAOgXpQiIIt8z  
dNj5MS6w37b+4Dc/C7mlfDb9GPGGMyhyK5+TX8KT5LG1MVOyYocnbrD23xSRNSAi  
8HhLszTyXcXwkKhsRWelvrEcxaiIsm5y0/4X2gJ/PeTkZNlOPgyD3xv7bth3jUYK  
Bcb7NSgp+5FZcaG/moT1W5zL7WFj9wnFd2w4glIPVDUtgy5FQM0cdnGNr1KNvqZB  
Esn3Tylbmzt7uQKuT/pZOFk1QQ8VoSnPmyWB6tyBFhTCZxfR+V+MKTIPrCFjrvpQ  
D/XDcAT5gqZQHPVK3FI6T8TqF2wS5xoHfNJcPdh6r52puREImY509sze6VWUfzpp  
3hfYCusmlwJye9+cbllFCiLNegSNCDBS+nDrRCCXd3QaoOYjls4=  
=hm7Q  
-----END PGP SIGNATURE-----