B&R Automation Studio and PVI Windows Services

1. ADVISORY INFORMATION

Product: B&R Automation Net/PVI
Vendor URL: https://www.br-automation.com/en-us/products/software/automation-netpvi/
Vulnerability #1: CVE-2020-24681 Automation Studio incorrect permission assignments for services. CVSS v3 Base Score: 8.2 (High)
Vulnerability #2: CVE-2020-24681 Net/PVI incorrect permission assignments for services. CVSS v3 Base Score: 8.2 (High)
Vulnerability #3: CVE-2020-24682 Automation Studio unquoted service path vulnerabilities. CVSS v3 Base Score: 7.2 (High)
Vulnerability #4: CVE-2020-24682 PVI Multiple unquoted service path vulnerabilities CVSS v3 Base Score: 7.2 (High)
Date found: 2020-09-28

2. AUTHOR

This vulnerability was discovered and researched by Andrew Hofmans
Public key: pubkey

3. VERSIONS AFFECTED

Vulnerabilities were found and tested on the most recently released version available at the time (PVI_4.8.2.27 07/27/2020).

4. INTRODUCTION

Our slogan is our mission. The pursuit of Perfection in Automation has inspired and guided B&R for over 40 years. To us, perfection means more than developing the best solutions in industrial automation. It also means developing the best relationships – with our customers and partners as well as our employees and suppliers.
(from the vendor's homepage)

5. VULNERABILITY DETAILS

  1. A completely default PVI Automation NET installation installs a service named "BrDiskImageSvcx". The service is ran as "NT AUTHORITY\SYSTEM" and it is set to start Manually. The permissions for the service are set to "NT AUTHORITY\Authenticated Users". It is possible for any user, to include a non-administrative user account, to change the service bin path to an arbitrary executable and then start the service granting code execution as "NT AUTHORITY\SYSTEM". This is a local privilege escalation attack vector. (SC CONFIG BrDiskImageSvcx binPath= "C:\Users\NonAdmin\Downloads\foo.exe") (SC start BrDiskImageSvcx)

  2. During PVI Automation NET installation, if the "Install PVI Manager as a service" component is selected, a service named "PviManSvcx" is created. The service is ran as "NT AUTHORITY\SYSTEM" and it is set to start Manually. The permissions for the service are set to "NT AUTHORITY\Authenticated Users". It is possible for any user, to include a non-administrative user account, to change the service bin path to an arbitrary executable and then start the service granting code execution as "NT AUTHORITY\SYSTEM". This is a local privilege escalation attack vector. (SC CONFIG PviManSvcx binPath= "C:\Users\NonAdmin\Downloads\foo.exe") (SC start PviManSvcx)

  3. When the BrDiskImageSvcx service is created during the PVI installation, the "Path to executable" is not quoted. If the default installation directory, C:\BRAutomation, is used it isn't exploitable, but if the installation path is changed to any folder with a space (e.g. "Program Files", "Program Files (x86)") this leads to an unquoted service path vulnerability. A user with the necessary permissions to write to the root folder where the folder that has the space is located can get code execution as "NT AUTHORITY\SYSTEM" when the service is started. (C:\Program.exe) (SC start BrDiskImageSvcx)

  4. If the "Install PVI Manager as a service" component is selected, the PviManSvcx service is created during the PVI installation with the "Path to executable" not quoted. If the default installation directory, C:\BRAutomation, is used it isn't exploitable, but if the installation path is changed to any folder with a space (e.g. "Program Files", "Program Files (x86)") this leads to an unquoted service path vulnerability. A user with the necessary permissions to write to the root folder where the folder that has the space is located can get code execution as "NT AUTHORITY\SYSTEM" when the service is started. (C:\Program.exe) (SC start PviManSvcx)

6. RISK

  1. To successfully exploit this vulnerability an attacker must have access to the PC with the PVI Automation NET software installed. Any user in the "NT AUTHORITY\Authenticated Users", to include non-administrative users, can modify the service.

  2. To successfully exploit this vulnerability an attacker must have access to the PC with the PVI Automation NET software installed and the "Install PVI Manager as a service" component was selected during program installation. Any user in the "NT AUTHORITY\Authenticated Users", to include non-administrative users, can modify the service.

  3. To successfully exploit this vulnerability an attacker must have access to the PC with the PVI Automation NET software installed in a non-default installation directory, the installation directory has a space in the name, and the attacker has the necessary privileges to write to the same parent directory as the installation folder.

  4. To successfully exploit this vulnerability an attacker must have access to the PC with the PVI Automation NET software installed in a non-default installation directory, the installation directory has a space in the name, the "Install PVI Manager as a service" component was selected during program installation, and the attacker has the necessary privileges to write to the same parent directory as the installation folder.

All the above vulnerabilities result in total device compromise with code execution as "NT AUTHORITY\SYSTEM".

7. Timeline

2020-09-28: Reported to B&R.

...A lot of back and forth, delays, and missed deadlines...

2021-11-30: B&R publishes security advisory. Also available here.