RVD#1406: Felix shell console access without credentials on port 6666 (default)

Open LanderU opened this issue 5 years ago • 4 comments

{
    "id": 1406,
    "title": "RVD#1406: Felix shell console access without credentials on port 6666 (default)",
    "type": "vulnerability",
    "description": "We found that the Universal Robots Controllers has Felix Shell console application enabled on port 6666 (default). By netcat connection anyone can perform any of the several actions Felix Shell console allows to users (such as shutdown). Exemplary commands can be found at https://portal.liferay.dev/docs/7-0/reference/-/knowledge_base/r/using-the-felix-gogo-shell",
    "cwe": "CWE-306 (Missing Authentication for Critical Function)",
    "cve": null,
    "keywords": [
        "Universal Robots",
        "manipulation",
        "cobot",
        "CB 3.1",
        "CB 3.4.5"
    ],
    "system": "Universal Robots Robot Controllers CB 3.10, 3.11, 3.12, 3.12.1",
    "vendor": "Universal Robots",
    "severity": {
        "rvss-score": 9.5,
        "rvss-vector": "RVSS:1.0/AV:AN/AC:L/PR:N/UI:N/Y:Z/S:U/C:L/I:H/A:H/H:E",
        "severity-description": "critical",
        "cvss-score": 8.3,
        "cvss-vector": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H/"
    },
    "links": [
        "https://portal.liferay.dev/docs/7-0/reference/-/knowledge_base/r/using-the-felix-gogo-shell",
        "https://felix.apache.org/documentation/subprojects/apache-felix-remote-shell.html",
        "https://felix.apache.org/documentation/subprojects/apache-felix-gogo.html",
        "https://github.com/aliasrobotics/RVD/issues/1407"
    ],
    "flaw": {
        "phase": "tested",
        "specificity": "subject-specific",
        "architectural-location": "application-specific code",
        "application": "manipulator, control box",
        "subsystem": "cognition:manipulation",
        "package": "Felix Gogo Apache",
        "languages": "shell",
        "date-detected": "2020-01-28",
        "detected-by": "Unai Ayucar Carbajo, Endika Gil Uriarte, Alfonso Glera Picon, V\u00edctor Mayoral Vilches, Xabies Saez de C\u00e1mara, Lander Usategi San Juan (Alias Robotics)",
        "detected-by-method": "testing violation",
        "date-reported": "2020-03-30",
        "reported-by": "Unai Ayucar Carbajo, Endika Gil Uriarte, Alfonso Glera Picon, V\u00edctor Mayoral Vilches, Xabies Saez de C\u00e1mara, Lander Usategui San Juan (Alias Robotics)",
        "reported-by-relationship": "security researcher",
        "issue": "https://github.com/aliasrobotics/RVD/issues/1407",
        "reproducibility": "always",
        "trace": "N/A",
        "reproduction": "https://gitlab.com/aliasrobotics/offensive/alurity/expl_robosploit/robosploit/-/blob/master/robosploit/modules/exploits/universalrobots/felixshell/felixshell.py",
        "reproduction-image": "Not available"
    },
    "exploitation": {
        "description": "Commands can be executed without authentication using Apache Felix console",
        "exploitation-image": "Available under demand",
        "exploitation-vector": "Not available"
    },
    "mitigation": {
        "description": "Osgi secularization and shell control disabling",
        "pull-request": "N/A",
        "date-mitigation": null
    }
}

LanderU, Mar 30 '20 16:03

alurity.yml used to reproduce this:

networks:
  - network:
    - driver: overlay
    - name: urnetwork
    - encryption: false

containers:
  - container:
    - name: ur_31
    - modules:
         - base: registry.gitlab.com/aliasrobotics/offensive/alurity/robo_ur_cb3_1:3.12.1
         - network: urnetwork
  - container:
    - name: ur_311
    - modules:
         - base: registry.gitlab.com/aliasrobotics/offensive/alurity/robo_ur_cb3_1:3.11
         - network: urnetwork
  - container:
    - name: ur_312
    - modules:
         - base: registry.gitlab.com/aliasrobotics/offensive/alurity/robo_ur_cb3_1:3.12
         - network: urnetwork
  - container:
    - name: ur_3121
    - modules:
         - base: registry.gitlab.com/aliasrobotics/offensive/alurity/robo_ur_cb3_1:3.12.1
         - network: urnetwork
  - container:
    - name: attacker
    - modules:
         - base: registry.gitlab.com/aliasrobotics/offensive/alurity/alurity:latest
         - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/expl_robosploit/expl_robosploit:latest
         - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/deve_atom:latest
         - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/reco_nmap:latest
         - network: urnetwork

LanderU, Mar 30 '20 16:03

Exploitation demonstrated at https://www.youtube.com/watch?v=tS2NpgHpz_0&feature=youtu.be

vmayoral, Mar 30 '20 19:03

ping @LanderU, can we get a CWE here? Also, we should get a CVE ID for this one.

vmayoral, Apr 01 '20 13:04

Added CWE.

LanderU, Apr 01 '20 14:04