A critical heap-based buffer overflow flaw in a web server for the CODESYS automation software for engineering control systems could be exploited by a remote, unauthenticated attacker to crash a server or execute arbitrary code.
CODESYS is a software platform, developed by the German company Smart Software Solutions, used in the automation industry for programming controller applications.
The CODESYS web server is used by the CODESYS WebVisu to display CODESYS visualization screens in a
The flaw tracked as CVE-2020-10245 is easy to exploit, it received a severity rate of 10 out of 10 on the CVSS v.2. A heap overflow condition is a type of buffer overflow, where a heap portion of memory could be overwritten with the content exceeding a buffer. Usually,
“Specific crafted requests may cause a heap-based buffer overflow. Further on this could crash the web server, lead to a denial-of-service condition or may be utilized for remote code execution.” reads the advisory published by CODESYS.
“Specific crafted requests may cause a heap-based buffer overflow. Further on this could crash the web server, lead to a denial-of-service condition or may be utilized for remote code execution. As the
The issue resides in the CmpWebServerHandlerV3.dll (file version 188.8.131.52) library that doesn’t properly validate user-supplied data sent to the web server URL endpoint.
“A heap overflow vulnerability exists in CmpWebServerHandlerV3.dll (file version 184.108.40.206) due to improper validation of user-supplied data sent to the CODESYS V3 web server URL endpoint /WebVisuV3.” reads the analysis published by Tenable.
“The flaw is due to the fact that the MemGCGetSize function adds 0x5c bytes to the requested allocation size during memory allocation operation”
An attacker could exploit the flaw by requesting a very large memory allocation size via a WEB_CLIENT_OPENCONNECTION message sent to the CmpWebServerHandlerV3 component.
“The CmpWebServerHandlerV3 component (when in state 0) attempts to allocate -1 (0xffffffff) bytes for the communication buffer. When the SysMemAllocData function is called, the memory allocation size gets overflowed and a small (0xffffffff + 0x5c = 0x5b) heap buffer is actually allocated.”
The experts also published a PoC exploit code that can be used to terminate a 32-bit CODESYSControlService.exe.
The flaw affects all versions of CODESYS V3 runtime systems containing the web server prior V220.127.116.11, a fix is included in version V18.104.22.168.