
RVD#1495: Universal Robots URCaps execute with unbounded privileges

Open rvd-bot opened this issue 5 years ago • 2 comments

id: 1495
title: 'RVD#1495: Universal Robots URCaps execute with unbounded privileges'
type: vulnerability
description: Universal Robots controllers execute URCaps (zip files containing Java-powered
  applications) without any permission restrictions and a wide API that presents many
  primitives that can compromise the overall robot operations as demonstrated in our
  video. In our PoC we demonstrate how a malicious actor could 'cook' a custom URCap
  that when deployed by the user (intendedly or unintendedly) compromises the system
cwe: CWE-250 (Execution with Unnecessary Privileges)
cve: CVE-2020-10290
keywords:
- Universal Robots
system: URx
vendor: Universal Robots
severity:
  rvss-score: 10.0
  rvss-vector: RVSS:1.0/AV:PR/AC:L/PR:N/UI:N/Y:Z/S:U/C:H/I:H/A:H/H:H
  severity-description: critical
  cvss-score: 6.8
  cvss-vector: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
links:
- https://www.universal-robots.com/plus/
- https://github.com/aliasrobotics/RVD/issues/1495
flaw:
  phase: testing
  specificity: general issue
  architectural-location: platform code
  application: industrial robot manipulator
  subsystem: manipulation:actuation
  package: libc6 2.19-11 i386
  languages: C
  date-detected: null
  detected-by: "Victor Mayoral Vilches and Unai Ayucar Carbajo (Alias Robotics)"
  detected-by-method: testing
  date-reported: '2020-04-03'
  reported-by: "Victor Mayoral Vilches, Unai Ayucar Carbajo"
  reported-by-relationship: security researcher
  issue: https://github.com/aliasrobotics/RVD/issues/1495
  reproducibility: always
  trace: N/A
  reproduction: Not available
  reproduction-image: Not available
exploitation:
  description: Generate a crafted URCap that takes all the computational resources
    of the robot.
  exploitation-image: Not available
  exploitation-vector: Not available
  exploitation-recipe: ''
mitigation:
  description: Sandbox and isolate URCaps to only the required components, interfaces,
    libraries and network connections
  pull-request: Not available
  date-mitigation: null

rvd-bot, Apr 03 '20 15:04

URCaps are run in a socket with all permissions to the system. This crafted URCap generates dynamic allocation elements (10000000) on each CPU cycle. It completely blocks any functionality of the UR.

UnaiAlias, Apr 03 '20 15:04

##################
# alurity.yml example file
##################

networks:
  - network:
    - driver: overlay
    - name: urnetwork
    - encryption: false
    - subnet: 192.8.8.0/24
containers:
  - container:
    - name: urrobot
    - modules:
      - base: registry.gitlab.com/aliasrobotics/offensive/alurity/robo_ur_cb3_1:3.12.1
      - network: urnetwork
    - cpus: 4
    - memory: 4096
    - mount: /home/unai/Desktop/freezeUR/com.IamHackingYou.URFancy/target/URFancy-1.0-SNAPSHOT.jar:/root/.urcaps/URFancy-1.0-SNAPSHOT.jar

flow:
  - container:
    - name: urrobot
    - window:
        - name: unsecure
        - commands:
          - command: "htop"
          - split: horizontal
          - command: "source run_gui.sh"
          - command: "$RUN_GUI"

UnaiAlias, Apr 03 '20 16:04