Multiple Advantech WebAccess Vulnerabilities

While performing research for CVE-2017-16720 and CVE-2018-18999, Tenable found multiple vulnerabilities in Advantech WebAccess/SCADA version 8.3.4.

CVE-2019-3940: Unauthenticated File Upload RCE

Advantech WebAccess/SCADA version 8.3.3 introduced changes in the DsDaqWebService function in drawsrv.dll. It seems these changes are intended to fix CVE-2017-16720 by whitelisting certain executables in some WebAccess specific directories that are allowed to be passed to the Windows CreateProcessA() API call.

However, webvrpcs.exe accepts unauthenticated RPC calls to perform remote file operations including fopen, fseek, ftell, fread, fwrite and fclose. An unauthenticated remote attacker can issue RPC calls to upload a malicious executable file and save it as one of the whitelisted executables. For example, when WebAccess/SCADA is installed with default settings, C:\WebAccess\Node\net.exe is in the whitelist but there is no net.exe in C:\WebAccess\Node. The attacker can upload PsExec.exe (from Sysinternals) to the target host and save it as C:\WebAccess\Node\net.exe. The attacker then issues an IOCTL 10001 RPC call to launch PsExec.exe with attacker-specified arguments to be passed to PsExec.exe.

CVE-2019-3941: Unauthenticated Arbitrary Remote File Deletion

webvrpcs.exe accepts unauthenticated RPC calls to perform file unlink operation:

.text:10002BB7 ioctl_10005:                            ; CODE XREF: DsDaqWebService+FEj
.text:10002BB7                                         ; DATA XREF: .text:off_100041ECo
.text:10002BB7      mov     ecx, [ebp+arg_pInbuf]      ; jumptable 1000284E case 5
.text:10002BBA      push    ecx                        ; Filename
.text:10002BBB      call    ds:_unlink

An unauthenticated remote attacker can issue IOCTL 10005 RPC calls to delete arbitrary files on the remote target host.

CVE-2019-3942: Unauthenticated Arbitrary File Download

webvrpcs.exe accepts unauthenticated RPC calls to perform remote file operations including fopen, fseek, ftell, fread, fwrite, and fclose. An unauthenticated remote attacker can issue RPC calls to download arbitrary files from the remote target host.

The attacker can use downloaded files to launch further attacks. For example, the attacker can download the project database bwcfg.mdb and decode the password for the admin user. The attacker can then have access to the product web UI. Specifically, the attacker can open bwcfg.mdb with Microsoft Access, extract the Password and Password2 fields for the admin user in the pUserPassword table. The admin password can be decoded with the attached python script advantech_webaccess_passwd_decode.py:

# python advantech_webaccess_passwd_decode.py 9D038DD7F9DB5A5B B0F2D054BFD6AB54
Password:          9D038DD7F9DB5A5B
Password2:         B0F2D054BFD6AB54
Decoded password:
00000000:  73 65 63 72 65 74                                 secret