DLL Hijacking Vulnerability in Automation Studio

1. ADVISORY INFORMATION

Product: B&R Automation Net/PVI
Vendor URL: https://www.br-automation.com/en-us/products/software/automation-netpvi/
Vulnerability #1: CVE-2021-22280 DLL Hijacking Vulnerability in Automation Studio. CVSS v3 Base Score: 7.2 (High)
Vulnerability #2: Improper Input Validation CWE-20
Date found: 2020-10-09

2. AUTHOR

This vulnerability was discovered and researched by Andrew Hofmans
Public key: pubkey

3. VERSIONS AFFECTED

Vulnerabilities were found and tested on the most recently released version available at the time (PVI_4.8.2.27 07/27/2020).

4. VULNERABILITY DETAILS

  1. When the PVI Manager process is started, it attempts to load DLL resources that are not installed in the local directory. When the DLLs are not found, the process starts searching the directories in the System Path. By placing a malicious DLL in one of the directories found in the System Path, it is possible to get code execution as the user and integrity level as the owner of PVIMan.exe.

    • PVI Manager is automatically started when the PVI Monitor application is run. If the "PviManSvcx" is installed the service will start. This causes the malicious DLLs to be loaded as "NT AUTHORITY\SYSTEM".

    • If "PviManSvcx" is not installed, the process will be owned and executed by the user that started it.

      • Exploit: Create a malicious DLL (msfvenom -a x64 -f dll -p windows/x64/exec CMD="C:\windows\system32\notepad.exe" -o BrAdi.dll)
        Place DLL in a directory in the System PATH.
        Start the "PviManSvcx" service or run the PVI Manager application.
        DLL loaded and code is executed.

      • Vulnerable DLLs (there may be more) BrAdi.dll
        PviLcMod.dll
        BrLcMod.dll
        IB10E64.dll
        IB97U64.dll
        IBUSB64.dll
        DLL Load

  2. PVI Manager loaded DLLs that were completely unsigned, much less not signed by B&R's digital signature.

5. RISK

  1. To successfully exploit this vulnerability an attacker must have local access to the PC with the PVI Automation NET software installed. The attacker must have the necessary privileges to write to a directory in the System PATH. This allows arbitrary DLLs to be loaded resulting in unexpected code execution. If the process is started by starting the service "PviManSvcx", it is run by the SYSTEM account resulting in total device compromise.

  2. No signatures are checked prior to the DLLs being loaded. This allows arbitrary and untrusted code to be loaded into a process owned by SYSTEM.

6. Timeline

2020-10-11: Reported to B&R.

...A lot of back and forth, delays, and missed deadlines...

2021-10-29: B&R publishes security advisory. Also available here.