Share
-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
Advisory ID: SYSS-2019-025  
Product: FANUC Robotics Virtual Robot Controller  
Manufacturer: FANUC Robotics America, Inc.  
Affected Version(s): V8.23  
Tested Version(s): V8.23  
Vulnerability Type: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)  
Risk Level: Low  
Solution Status: Open  
Manufacturer Notification: 2019-05-22  
Solution Date: ?  
Public Disclosure: 2019-07-15  
CVE Reference: CVE-2019-13584  
Author of Advisory: Sebastian Hamann, SySS GmbH  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
FANUC Robotics Virtual Robot Controller is an application for  
programming simulated industry robots.  
  
Due to an insufficient validation of user input, the HTTP service of  
the application is vulnerable to path traversal attacks.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
vrimserve.exe offers an HTTP service on TCP port 8090, which can be used  
to control virtual robots and view their log files.  
  
A path traversal vulnerability was discovered in the log viewer  
functionality.  
  
By sending a specially crafted HTTP request to the web server, files and  
directories that match the pattern "*.*" can be listed anywhere on the  
filesystem. Furthermore, the contents of files named "logfile.txt" can  
be read.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC):  
  
The string "..%5C" can be used to access the parent directory.  
  
Therefore, by accessing a URL similar to the following, it is possible  
to obtain a list of files (and directories with a . in their name) in  
the root directory of the C:\ partition (or another partition, depending  
on the software installation).  
  
http://${target_host}:8090/namedrobots/folder/dir/..%5C..%5C..%5C..%5C..%5C..%5C..%5C../  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
The vendor has not yet released a security update.  
  
It is recommended not making the remote admin web server (vrimserve.exe)  
available to untrusted networks.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2019-04-23: Vulnerability discovered  
2019-05-22: Vulnerability reported to manufacturer  
2019-07-15: Public release of SySS security advisory  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
  
[1] Manufacturer website:  
https://www.fanucamerica.com/  
[2] SySS Security Advisory SYSS-2019-025  
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-025.txt  
[3] SySS Responsible Disclosure Policy  
https://www.syss.de/en/news/responsible-disclosure-policy/  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Credits:  
  
This security vulnerability was found by Sebastian Hamann of SySS GmbH.  
  
E-Mail: sebastian.hamann@syss.de  
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Hamann.asc  
Key ID: 0x9CE0E440429D8B96  
Key Fingerprint: F643 DF21 62C4 7C53 7DB2 8BA1 9CE0 E440 429D 8B96  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclaimer:  
  
The information provided in this security advisory is provided "as is"   
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en  
-----BEGIN PGP SIGNATURE-----  
  
iQIzBAEBCgAdFiEE9kPfIWLEfFN9souhnODkQEKdi5YFAl0snBMACgkQnODkQEKd  
i5bTGw/+P/fk4GBXrn8w3WmnyE+ZGwS8PtCFjRSqYQXo1k49l80TBKDYPEtkjZyS  
l6jHSjKkkG5Lq6gPaHIh+2pbz7SZt1KUMgKbVJvpv2wGIsPHaRIilsTZS9mp/Izr  
VE6x//BJcDx2UhDJNSQfUwZsCt7FipJLZjOlp9omMU4UPCg3bIlNIVNQCiRQPi98  
QZZSDkdzbxvGUfUbEeqIwHUDf7uPjwFV8gCzMW+avrnbt29iyofMmmnTTJmJiDkG  
weCOR1CZ25pWV1DSYCvTebnWPxCl51t2N2TFqr5Xs/I56j+VjL5q15tRn/pSDa8H  
U4zrBB32pjJDvkIFmoZHSCBFB6VOlfRMSgL6JPgnefd04nLLhzDg4Wkkjp4pz4Jx  
gEhpI7GFH1rt+rRnqKdV++kKG0IgRAE/GzUCLza1S4AwXwd1m+kNXyz1NKkcbdz7  
hyeI5uGigryee/8/frpqeUzbSA/GSylAzvtl+25ZPqyYbWmr4QNF/lMIPRIkZS+6  
7fKG7jWLyLzL7MS9c0flZuawBOO9CKtPwQwpvX9aWkmzyUWhY/3D38oZU0L+oBAo  
p16UFGQPLoYTBU9YOQA6kg1gxOU6+XLO2xpJtgyUIG6KbgZiLdT8nWD9z9HSMeD9  
9fWrKqAZzqK1UjVFDspbnqlJFtVOB0Zt+myu5/3sBmgqjo3LucQ=  
=X9vR  
-----END PGP SIGNATURE-----