Team82 White Paper

Exploiting URL Parsing Confusion

In Team82's joint research with Snyk, we examined 16 URL parsing libraries, written in a variety of programming languages, and noticed some inconsistencies with how each chooses to parse a given URL to its basic components. We categorized the types of inconsistencies into five categories, and searched for problematic code flows in web applications and open source libraries that exposed a number of vulnerabilities.

CVE-2023-5390

CWE-36: Absolute Path Traversal

Successful exploitation of this vulnerability could allow an attacker to read from the Experion controllers or SMSC S300. This exploit could be used to read files from the controller that may expose limited information from the device.

CVSS v3: 5.3
CVE-2023-5389

CWE-749: Exposed Dangerous Method or Function

Successful exploitation of this vulnerability could allow an attacker to modify files on Experion controllers or SMSC S300. This exploit could be used to write a file that may result in unexpected behavior based on configuration changes or updating of files that could result in subsequent execution of a malicious application if triggered.

CVSS v3: 9.1
CVE-2024-3746

CWE-284 IMPROPER ACCESS CONTROL:

The entire parent directory - C:\ScadaPro and its sub-directories and files are configured by default to allow users, including unprivileged users, to write or overwrite files.

Measuresoft recommends that users manually reconfigure the vulnerable directories so that they are not writable by everyone.

CVSS v3: 5.5
CVE-2024-25138

CWE-256: Plaintext Storage of a Password

In Automation-Direct C-MORE EA9 HMI credentials used by the platform are stored as plain text on the device.

AutomationDirect recommends that users update C-MORE EA9 HMI to V6.78

Affected versions:
- C-MORE EA9 HMI EA9-T6CL: Version 6.77 and prior
- C-MORE EA9 HMI EA9-T7CL: Version 6.77 and prior
- C-MORE EA9 HMI EA0-T7CL-R: Version 6.77 and prior
- C-MORE EA9 HMI EA9-T8CL: Version 6.77 and prior
- C-MORE EA9 HMI EA9-T10CL: Version 6.77 and prior
- C-MORE EA9 HMI EA9-T10WCL: Version 6.77 and prior
- C-MORE EA9 HMI EA9-T12CL: Version 6.77 and prior
- C-MORE EA9 HMI EA9-T15CL: Version 6.77 and prior
- C-MORE EA9 HMI EA9-T15CL-R: Version 6.77 and prior
- C-MORE EA9 HMI EA9-RHMI: Version 6.77 and prior
- C-MORE EA9 HMI EA9-PGMSW: Version 6.77 and prior
CVSS v3: 6.5
CVE-2024-25137

CWE-121: Stack-based Buffer Overflow

In Automation-Direct C-MORE EA9 HMI there is a program that copies a buffer of a size controlled by the user into a limited sized buffer on the stack which leads to a stack overflow. The result of this stack-based buffer overflow will lead to a denial-of-service conditions.

AutomationDirect recommends that users update C-MORE EA9 HMI to V6.78

Affected versions:
- C-MORE EA9 HMI EA9-T6CL: Version 6.77 and prior
- C-MORE EA9 HMI EA9-T7CL: Version 6.77 and prior
- C-MORE EA9 HMI EA0-T7CL-R: Version 6.77 and prior
- C-MORE EA9 HMI EA9-T8CL: Version 6.77 and prior
- C-MORE EA9 HMI EA9-T10CL: Version 6.77 and prior
- C-MORE EA9 HMI EA9-T10WCL: Version 6.77 and prior
- C-MORE EA9 HMI EA9-T12CL: Version 6.77 and prior
- C-MORE EA9 HMI EA9-T15CL: Version 6.77 and prior
- C-MORE EA9 HMI EA9-T15CL-R: Version 6.77 and prior
- C-MORE EA9 HMI EA9-RHMI: Version 6.77 and prior
- C-MORE EA9 HMI EA9-PGMSW: Version 6.77 and prior
CVSS v3: 4.3

Exploiting URL Parsing Confusion

Recent Vulnerability Disclosures

CVE-2023-5390

CVE-2023-5389

CVE-2024-3746

CVE-2024-25138

CVE-2024-25137