IOServer is a piece of industrial control software that runs on Windows. It contains a built-in web server to support the "XML Server" feature. This web server can be abused to download any file on the file system without authentication, if the "Root Directory" setting does not contain a trailing backslash. Note that a sample configuration provided with the product exhibits a vulnerable configuration.
If the "XML Server" feature is turned on (apparently by configuring a valid "Root Directory" on the "XML Server" tab), the integrated web server listens on the configured port (81 by default). If the "Root Directory" configuration value does not contain a trailing backslash, then the issues described below exist.
A directory traversal vulnerability exists such that the web server can be tricked to serve up any file on the server, outside of the configured "Root Directory". On Windows, one common thing to do with an issue like this is to download the backup copy of the SAM, in order to retrieve password hashes and mount an offline attack on them. Any other potentially sensitive file on the server can be accessed this way as well, if the attacker knows the path to it.
Note that directory traversal is only needed if you want to break out of the "Root Directory". The web server will serve up files inside the "Root Directory" just by asking it for them. This may or may not be considered a vulnerability, depending on the expectations of the administrator.
Also, the web server allows directory listings in some cases, whether inside or outside the "Root Directory". Again, this may or may not be considered a vulnerability depending on expectations.
Note also that the "XML Server Settings" tab contains fields for a "Read Password" and "Write Password", which are apparently intended only to restrict access to the devices via the XML web interface (they are not intended to restrict access to other content served by the web server). By default, they are set to blank. But because their intended use is restricting device access, they do nothing to stop the file system access described here, even if they are set to some value.
3. Proof of Concept / Steps to Reproduce
Install the software and use the sample Modbus Web Server configuration
from http://www.ioserver.com/mbtcp.io to get it working. This sample
configuration uses the "Root Directory" value of "C:\Program Files
\IOServer\Docs" (note the lack of a trailing backslash). This directory
does not exist unless you install the documentation package (isodoc.exe,
available from the vendor web site). You can get to a vulnerable
configuration if you leave the "Root Directory" alone and install the
documentation package, or just modify the "Root Directory" value to
something valid (but lacking a trailing backslash) like "C:\Program
Files\IOServer". Note that the software or server may need to be
restarted, then you will see a web server listening on the configured
port (81 by default).
Note that more recent versions of the software default to "C:\IOServer"
rather than "C:\Program Files\IOServer". This does not affect the issues
discussed here.
To request files within the "Root Directory", just ask for them with a
browser or command-line tool like wget:
wget http://target-server:81/modbus.dll
To get a directory listing, just ask:
wget http://target-server:81/
To request files outside of the "Root Directory", use a standard
directory traversal trick with a client or browser that supports it.
Note that IE probably will not allow this type of malfeasance.
To get a directory listing outside of the "Root Directory", ask for it
with the directory traversal trick:
wget http://target-server:81/.../.../.../windows/
Note that it is only this directory traversal issue that was fixed in
version 1.0.19.0. Accessing files and directory listings inside the
"Root Directory" is apparently intended operation.
Unexpected arbitrary access to the file system can lead to the
disclosure of sensitive information. Worst case, disclosure of the
system's password hashes can lead to compromise of the passwords, and
therefore, of the server.
5. CVSS Scoring
== ==== =======
Using http://nvd.nist.gov/cvss.cfm?calculator&version=2
Ensure that the "Root Directory" value has a trailing backslash. This
eliminates most of the issues, although you can still get a directory
listing of the "Root Directory" itself (but not subdirs) even with this
in place.
Of course, limit access to the web server port to only trusted
hosts/networks. Even a fixed version should probably not be exposed to
the Internet or other untrusted networks.
The directory traversal issue was fixed in version 1.0.19.0
(http://www.ioserver.com/driver19.exe), released on 2012-06-20. However,
arbitrary file access and directory listings inside the "Root Directory"
and its subdirs are still possible in this version, unless the trailing
backslash is in place. Note that even with the trailing backslash,
directory listing of the "Root Directory" itself is still possible.
It is recommended that all three of the above actions (use the trailing
backslash, limit access to trusted networks/hosts only, and upgrade to
1.0.19.0 or later) be taken in order to secure this web server as much
as possible.
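The following is an added example, not IOServer's own code: a root-confinement check of the kind the trailing-backslash mitigation depends on, written so that the server, rather than the administrator, guarantees the trailing separator. It uses Python's ntpath to exercise Windows path semantics on any platform; the root paths and requests in the comments and tests are constructed.

```python
import ntpath
from urllib.parse import unquote

# Added example (not IOServer's code). ntpath is used so the Windows path
# handling can be run on any platform; the IOServer root paths are constructed.

def normalize_root(root: str) -> str:
    """Return the configured "Root Directory" with exactly one trailing backslash."""
    root = ntpath.normpath(root)
    return root if root.endswith("\\") else root + "\\"

def config_is_hardened(root: str) -> bool:
    """True when the configured value already carries the trailing backslash."""
    return root.endswith("\\")

def resolve_request(root: str, url_path: str):
    r"""Map a URL path onto a file under root, or return None if it escapes.

    - percent-encoding is decoded first, so "%2e%2e" is seen as "..";
    - any component made only of dots ("..", "...", "....") is rejected
      outright: "..." is the traversal form this advisory describes, and
      ntpath.normpath would not collapse it;
    - a component containing ":" (a drive specifier) is rejected;
    - the normalized candidate must start with root *including* its
      trailing backslash, so a sibling directory such as C:\IOServer2
      cannot pass a bare string-prefix check.
    """
    root = normalize_root(root)
    raw = unquote(url_path).replace("/", "\\")
    parts = []
    for part in raw.split("\\"):
        if part in ("", "."):
            continue                    # empty or current-directory component
        if part.strip(".") == "" or ":" in part:
            return None                 # dot-only name or drive specifier
        parts.append(part)
    if not parts:
        return root                     # listing of the root itself (vendor: intended)
    candidate = ntpath.normpath(ntpath.join(root, *parts))
    if not candidate.startswith(root):
        return None                     # defense in depth: escaped the root
    return candidate
```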
Disclosure Timeline:
2012-04-23: First vendor contact
2012-04-23: Vendor sends proposed fix (that was fast!)
2012-04-27: Proposed fix found incomplete, feedback to vendor
2012-05-04: Vendor sends second proposed fix
2012-05-17: Verified that second proposed fix resolves all known
directory traversal issues
2012-05-17: Vendor informs that directory listing and arbitrary file
access issues inside the Root Directory are intended functionality
2012-05-18: This issue put on the back burner due to urgent project; I
then completely forget about it (oops, my bad)
2012-06-20: Vendor releases fixed version (1.0.19.0, aka "driver19.exe")
2012-08-08: I remember about this; recheck all information and retest
current version 1.0.19.0; edits to advisory; contact vendor about public
release date
2012-08-17: Public release