Critical buffer overflow in CODESYS allows remote code execution

Experts discovered an easily exploitable heap-based buffer overflow flaw, tracked as CVE-2020-10245, that exists in the CODESYS web server.

A critical heap-based buffer overflow flaw in a web server for the CODESYS automation software for engineering control systems could be exploited by a remote, unauthenticated attacker to crash a server or execute arbitrary code.

CODESYS is a software platform, developed by the German company Smart Software Solutions, used in the automation industry for programming controller applications.

The CODESYS web server is used by the CODESYS WebVisu to display CODESYS visualization screens in a common web browser.

The flaw tracked as CVE-2020-10245 is easy to exploit, it received a severity rate of 10 out of 10 on the CVSS v.2. A heap overflow condition is a type of buffer overflow, where a heap portion of memory could be overwritten with the content exceeding a buffer. Usually, the buffer was allocated using a routine such as malloc().

“Specific crafted requests may cause a heap-based buffer overflow. Further on this could crash the web server, lead to a denial-of-service condition or may be utilized for remote code execution.” reads the advisory published by CODESYS.

“Specific crafted requests may cause a heap-based buffer overflow. Further on this could crash the web server, lead to a denial-of-service condition or may be utilized for remote code execution. As the webserver is part of the CODESYS runtime system, this may result in unforeseen behavior of the complete runtime system. ”

The issue resides in the CmpWebServerHandlerV3.dll (file version 3.5.15.20) library that doesn’t properly validate user-supplied data sent to the web server URL endpoint.

“A heap overflow vulnerability exists in CmpWebServerHandlerV3.dll (file version 3.5.15.20) due to improper validation of user-supplied data sent to the CODESYS V3 web server URL endpoint /WebVisuV3.” reads the analysis published by Tenable.

“The flaw is due to the fact that the MemGCGetSize function adds 0x5c bytes to the requested allocation size during memory allocation operation”

An attacker could exploit the flaw by requesting a very large memory allocation size via a WEB_CLIENT_OPENCONNECTION message sent to the CmpWebServerHandlerV3 component.

“An unauthenticated, remote attacker can request a very large memory allocation size (i.e., 0xffffffff) via a WEB_CLIENT_OPENCONNECTION message sent to the CmpWebServerHandlerV3 component: |foo|-1|true|” continues the analysis.

“The CmpWebServerHandlerV3 component (when in state 0) attempts to allocate -1 (0xffffffff) bytes for the communication buffer. When the SysMemAllocData function is called, the memory allocation size gets overflowed and a small (0xffffffff + 0x5c = 0x5b) heap buffer is actually allocated.”

The experts also published a PoC exploit code that can be used to terminate a 32-bit CODESYSControlService.exe.

The flaw affects all versions of CODESYS V3 runtime systems containing the web server prior V3.5.15.40, a fix is included in version V3.5.15.40.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – CODESYS, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]