Blog

Weintek EasyBuilder Pro cMT Series Project Decompiling Contains ZipSlip Vulnerability (CVE-2023-0104)

Feb 14, 2023

Weintek EasyBuilder Pro cMT Series Project Decompiling Contains ZipSlip Vulnerability (CVE-2023-0104)

In this blog post, we will delve into the underlying causes of the vulnerabilities discovered in Weintek’s applications by our researchers from TXOne PSIRT and Threat Research Team. We will also provide a mitigation strategy to address the issue. For further information, please refer to the CISA Advisory publication: https://www.cisa.gov/uscert/ics/advisories/icsa-23-045-01

 

Weintek Ecosystem Overview

To gain a comprehensive understanding of the potential impact of the vulnerability, we conducted an analysis of the ecosystem surrounding Weintek’s product. The results of this analysis are presented below.

Winter Ecosystem Overview

Figure 1. Weintek Ecosystem Overview

 

Vulnerability Root Cause Analysis

The exploitation scenario discussed in this blog is based on EasyBuilder Pro V6.07.02.273 Build 2022.07.26. In this version, we discovered the ZipSlip vulnerability that enables an attacker to drop malicious files to an arbitrary location by using a forged project file.

Overview of EasyBuilder Pro
Figure 2. Overview of EasyBuilder Pro

 

1. Project Decompiling

The project file extension used in EasyBuilder Pro is “.cxob” which is actually “.tar.gz”. During the decompiling process, once the project file is loaded into EasyBuilder Pro, it will decompress the “.cxob” file and convert it to the “.cmtp” format. Then, EasyBuilder Pro will open the decompressed project file in the “.cmtp” format.
Decompiling the Project File

Figure 3. Decompiling the Project File

Opening the Decompiled Project File

Figure 4. Opening the Decompiled Project File

 

HMI GUI in the Project File

Figure 5. HMI GUI in the Project File

 

2. ZipSlip Vulnerability in bsdtar.exe

In EasyBuilder Pro, the bsdtar.exe is utilized to decompile the project file. However, it is imperative to note that outdated versions of this file are highly insecure.

The bsdtar.exe Version 2.4.12.3100 is Vulnerable
Figure 6. The bsdtar.exe Version 2.4.12.3100 is Vulnerable

 

The outdated version of bsdtar.exe is affected by the ZipSlip vulnerability, which allows it to parse absolute or relative paths during the decompression process. As a result, an attacker can drop a malicious file to any desired location, rather than being restricted to the current directory.

 

The Attacker can Assign the Absolute Path in the Project file
Figure 7. The Attacker can Assign the Absolute Path in the Project file

 

In most cases, the source of the project file may be from the Network, USB, or HMI (as depicted in Figure 8). If you are not fully confident in the trustworthiness of the source, it is highly recommended that you exercise caution and avoid decompiling project files using unpatched EasyBuilder Pro or any SCADA software.

The Project File Might be Sent From a Network, USB, or HMI

Figure 8. The Project File Might be Sent From a Network, USB, or HMI

Exploitation

In an effort to raise awareness of the dangers posed by untrusted project files, we demonstrated the exploitation PoC of this vulnerability. Our prime motive is to write a file to an arbitrary path with fully controllable data. The challenge is to convert this vulnerability into a remote code execution (RCE) exploit.

The target that immediately comes to mind is QT, given that EasyBuilder Pro is heavily reliant on QT. During the decompression and rendering of the project file (.cxob), a multitude of QT components will be dynamically loaded based on the HMI GUI design specified in the project file.

EasyBuilder Pro Import QML Files During Rendering of the Project

Figure 9. EasyBuilder Pro Import QML Files During Rendering of the Project

 

EasyBuilder Pro import QT Plugin DLL While Rendering the Project

Figure 10. EasyBuilder Pro import QT Plugin DLL While Rendering the Project

Our objective is to obtain a reverse shell without disrupting the daily operations of the EWS. This requires ensuring that all systems and processes continue to function normally.

 

1. QT Plugin DLL Hijacking

QT has been designed to load external modules as plugins. Based on the information presented in ZDI’s blog, we understand that hijacking a QT plugin can be accomplished through the following two steps:

1) The QT plugin must contain the segment “.qmetad” in the proper format.
2) The QT plugin must correctly provide an exported function known as “qt_plugin_instance” in most cases.

 

The Malicious windowplugin.dll
Figure 11. The Malicious windowplugin.dll

 

After conducting some experimentation, we were able to successfully create a malicious DLL and incorporate it into the project file. When EasyBuilder Pro loads this malicious project file, the attacker (in this case, us) will obtain initial access to the system.

1. The popup message box means that DllMain in the malicious DLL was loaded by EasyBuilder Pro.

The Hijacked DLL is Summoned Successfully

Figure 12. The Hijacked DLL is Summoned Successfully

 

2. And then, the malicious DLL will create a new thread for the reverse shell.

The Reverse Shell in the Hijacked DLL is TriggeredFigure 13. The Reverse Shell in the Hijacked DLL is Triggered

 

3. By comparing the ethernet adapter setting and username, we can see that the reverse shell is spawned from the victim’s machine.

Verifying the Reverse Shell is From the Same Machine

Figure 14. Verifying the Reverse Shell is From the Same Machine

2. QML Injection

Furthermore, we identified another possible method of attack in the form of QML injection.

The most interesting aspect of QML is that it gives developers the ability to write and execute JavaScript code, or to include resources (as demonstrated in Figures 15 and 16) from a network. The “image” tag, for instance, allows for an image source to be loaded from a network.

While we have only prepared a simple proof of concept for this attack vector, full remote code execution remains a viable possibility. It is important to be cognizant of the potential danger posed by this handy attack vector.

 

The Malicious QML can Import Images through HTTP

Figure 15. The Malicious QML can Import Images through HTTP

 

HTTP Request From the Victim’s Machine

Figure 16. HTTP Request From the Victim’s Machine

Prevent Exploitation with TXOne Goalkeeper

1. Use StellarProtect’s Application Lockdown to prevent the malicious process from spawning from the compromised process by DLL side-loading.

Illustrates the Successful Blocking of the Malicious Process by StellarProtect's Application Lockdown, as Reflected in the System Event Log

Figure 17. Illustrates the Successful Blocking of the Malicious Process by StellarProtect’s Application Lockdown, as Reflected in the System Event Log

 

In console, it shows that StellarProtect’s Application Lockdown Blocks the Malicious Process Successfully

Figure 18. In console, it shows that StellarProtect’s Application Lockdown Blocks the Malicious Process Successfully

 

2. Use StellarProtect’s OT Safeguard to prevent the overwriting of files in the ICS software installation folder.

In the System Event Log, StellarProtect’s OT Safeguard Block Successfully Prevented the Overwriting of the File

Figure 19. In the System Event Log, StellarProtect’s OT Safeguard Block Successfully Prevented the Overwriting of the File

 

In console, StellarProtect’s OT Safeguard Block Successfully Prevented the Overwriting of the File

Figure 20. In console, StellarProtect’s OT Safeguard Block Successfully Prevented the Overwriting of the File

 

Timelines

Timelines

 

 

 

References

[1] ZDI, LOADING UP A PAIR OF QT BUGS: DETAILING CVE-2019-1636 AND CVE-2019-6739, ZDI, Accessed Feb 6 2023

[2] Weincloud, OPC UA Server, Weintek, Accessed Feb 6 2023

TXOne image

Need assistance?

TXOne’s global teams are here to help!

or
Find support