CVE-2024-1014 and CVE-2024-1015 Vulnerabilities affecting E-DDC Devices from se-elektronic (PoC)

While researching ICS devices, I found two vulnerabilities in the E-DDC Device from SE-elektronic regarding the Automation Station E-DDC from the company SE-elektronic. Affected versions are from the E-DDC3.3 onwards.

This Industrial Control System (ICS) is a DDC that is a very similar system to a Programmable Logic Controller (PLC), but with certain differences: it is essentially a more basic PLC, but in this case the DDC displays a web server with multiple options, whereas previously one had to be authenticated with a username and password.

More information about the device can be found at the following link:

https://www.se-elektronic.de/downloads/products/G_02_90_75_E-DDC3-3_Produktblatt_EN.pdf

This device, as I mentioned before, displays a web server in any configurable port. It can be identified easily because it usually goes together with the open modbus port 502, and thus the banner is displayed with the name of the device and the version.

Once we have connected to the web portal of the device, it is possible to observe the banner that has multiple options, and then we choose to go to the administration panel (webconfiguration):

Take a look to the version in the above image: Model E-DDC 3.3 Microprogramme version V03.07.13

Note: If someone clicks the login (connection) button, then the session is automatically initialized by default as the guest user. However, everything explained below was done without having to be an authenticated user.

CVE-2024-1015

Through the usage of Burp, we discovered that we can execute multiple web requests through the CGI protocol that aren't properly handled by the device. Please refer to the list below where you can see all examples of this exploitation:

Root System Directory List:

GET /CGI-BIN/SYSTEM.CGI?get=LS&path=/

Get Configurations:

GET /CGI-BIN/CONFIG.CGI?cmd=GetConfig&Module=bacnet

Instead, if one changes the value of the "module" variable from "bacnet" to another value, e.g. "modbus", then it is possible to see different configuration (and passwords) files:

GET /CGI-BIN/CONFIG.CGI?cmd=GetConfig&Module=modbus

The Ping Command

GET /CGI-BIN/SYSTEM.CGI?get=ping&ip=8.8.8.8&anzahl=4

If one modifies the parameter of “anzahl” to a high number like 50, such as in the last image, then the device will ping this number of times.

Download the file of logs from the device:

GET /CGI-BIN/DOWNLOAD.CGI?/VAR/LOG/SYSLOG.TXT&1402

In the above image, it is possible to observe the IP of an internal device, as well as download other files. However, most of these are empty, and this is a more interesting file (Syslog.txt).

CVE-2024-1014

Returning to the point of using a ping command, if one changes the value that is assigned to the "anzahl" parameter to a high number, then one can execute a Denial-of-Service attack on this device. It will be demonstrated below how this is accomplished:

In this case, we modify the "anzahl" parameter to the number 50, and one can see how the application seems not to work.

GET /CGI-BIN/SYSTEM.CGI?get=ping&ip=127.0.0.1&anzahl=50

To test this, I created a small script command with "curl" that allows one to check the time that an application takes to respond:

Code:

curl -s -w '\nTiempo de respuesta para: %{url_effective}\n\nLookup time:\t\t%{time_namelookup}\nConnect Time:\t\t%{time_connect}\nPre-transfer Time:\t%{time_pretransfer}\nStart-transfer Time:\%{time_starttransfer}\nTotal Time:\t\t%{time_total}\n' -o /dev/null <IP>

For a normal request, the time is 0.089 seconds:

If the variable is "anzahl=50", the following occurs:

However, if we increase this number to 100, then one can see the following:

In the previous image, it is possible to notice that the time it takes to respond is 197,914 seconds. If we change the value that is assigned to the "anzahl" parameter to a very high number like 1000 or more, it is possible to leave the device engaged, and during this time, the device will not be possible to manage.

Refs.

INCIBE: