aliasrobotics / RVD

Robot Vulnerability Database. An archive of robot vulnerabilities and bugs.
https://aliasrobotics.com
GNU General Public License v3.0

RVD#1495: Universal Robots URCaps execute with unbounded privileges #1495

Open rvd-bot opened 4 years ago

rvd-bot commented 4 years ago
id: 1495
title: 'RVD#1495: Universal Robots URCaps execute with unbounded privileges'
type: vulnerability
description: Universal Robots controllers execute URCaps (zip files containing Java-powered
  applications) without any permission restrictions, and expose a wide API that presents many
  primitives that can compromise the overall robot operations, as demonstrated in our
  video. In our PoC we demonstrate how a malicious actor could 'cook' a custom URCap
  that, when deployed by the user (intentionally or unintentionally), compromises the system.
cwe: CWE-250 (Execution with Unnecessary Privileges)
cve: CVE-2020-10290
keywords:
- Universal Robots
system: URx
vendor: Universal Robots
severity:
  rvss-score: 10.0
  rvss-vector: RVSS:1.0/AV:PR/AC:L/PR:N/UI:N/Y:Z/S:U/C:H/I:H/A:H/H:H
  severity-description: critical
  cvss-score: 6.8
  cvss-vector: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
links:
- https://www.universal-robots.com/plus/
- https://github.com/aliasrobotics/RVD/issues/1495
flaw:
  phase: testing
  specificity: general issue
  architectural-location: platform code
  application: industrial robot manipulator
  subsystem: manipulation:actuation
  package: libc6 2.19-11 i386
  languages: C
  date-detected: null
  detected-by: "Victor Mayoral Vilches and Unai Ayucar Carbajo (Alias Robotics)"
  detected-by-method: testing
  date-reported: '2020-04-03'
  reported-by: "Victor Mayoral Vilches, Unai Ayucar Carbajo"
  reported-by-relationship: security researcher
  issue: https://github.com/aliasrobotics/RVD/issues/1495
  reproducibility: always
  trace: N/A
  reproduction: Not available
  reproduction-image: Not available
exploitation:
  description: Generate a crafted URCap that takes all the computational resources
    of the robot.
  exploitation-image: Not available
  exploitation-vector: Not available
  exploitation-recipe: ''
mitigation:
  description: Sandbox and isolate URCaps to only the required components, interfaces,
    libraries and network connections
  pull-request: Not available
  date-mitigation: null
UnaiAlias commented 4 years ago

URCaps are run in a socket with all permissions to the system. This crafted URCap generates dynamic allocation elements (10000000) per each CPU cycle. It completely blocks any functionality of the UR.

UnaiAlias commented 4 years ago
##################
# alurity.yml example file
##################

networks:
  - network:
    - driver: overlay
    - name: urnetwork
    - encryption: false
    - subnet: 192.8.8.0/24
containers:
  - container:
    - name: urrobot
    - modules:
      - base: registry.gitlab.com/aliasrobotics/offensive/alurity/robo_ur_cb3_1:3.12.1
      - network: urnetwork
    - cpus: 4
    - memory: 4096
    - mount: /home/unai/Desktop/freezeUR/com.IamHackingYou.URFancy/target/URFancy-1.0-SNAPSHOT.jar:/root/.urcaps/URFancy-1.0-SNAPSHOT.jar

flow:
  - container:
    - name: urrobot
    - window:
        - name: unsecure
        - commands:
          - command: "htop"
          - split: horizontal
          - command: "source run_gui.sh"
          - command: "$RUN_GUI"