
RVD#1495: Universal Robots URCaps execute with unbounded privileges #1495

Open
rvd-bot opened this issue Apr 3, 2020 · 2 comments

Comments

@rvd-bot
Contributor

rvd-bot commented Apr 3, 2020

id: 1495
title: 'RVD#1495: Universal Robots URCaps execute with unbounded privileges'
type: vulnerability
description: Universal Robots controller execute URCaps (zip files containing Java-powered
  applications) without any permission restrictions and a wide API that presents many
  primitives that can compromise the overall robot operations as demonstrated in our
  video. In our PoC we demonstrate how a malicious actor could 'cook' a custom URCap
  that when deployed by the user (intendedly or unintendedly) compromises the system
cwe: CWE-250 (Execution with Unnecessary Privileges)
cve: CVE-2020-10290
keywords:
- Universal Robots
system: URx
vendor: Universal Robots
severity:
  rvss-score: 10.0
  rvss-vector: RVSS:1.0/AV:PR/AC:L/PR:N/UI:N/Y:Z/S:U/C:H/I:H/A:H/H:H
  severity-description: critical
  cvss-score: 6.8
  cvss-vector: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
links:
- https://www.universal-robots.com/plus/
- https://github.com/aliasrobotics/RVD/issues/1495
flaw:
  phase: testing
  specificity: general issue
  architectural-location: platform code
  application: industrial robot manipulator
  subsystem: manipulation:actuation
  package: libc6 2.19-11 i386
  languages: C
  date-detected: null
  detected-by: "Victor Mayoral Vilches and Unai Ayucar Carbajo (Alias Robotics)"
  detected-by-method: testing
  date-reported: '2020-04-03'
  reported-by: "Victor Mayoral Vilches, Unai Ayucar Carbajo"
  reported-by-relationship: security researcher
  issue: https://github.com/aliasrobotics/RVD/issues/1495
  reproducibility: always
  trace: N/A
  reproduction: Not available
  reproduction-image: Not available
exploitation:
  description: Generate a crafted URCap that takes all the computational resources
    of the robot.
  exploitation-image: Not available
  exploitation-vector: Not available
  exploitation-recipe: ''
mitigation:
  description: Sandbox and isolate URCaps to only the required components, interfaces,
    libraries and network connections
  pull-request: Not available
  date-mitigation: null
@rvd-bot rvd-bot changed the title Universal Robots URCaps execute with unbounded privileges RVD#1495: Universal Robots URCaps execute with unbounded privileges Apr 3, 2020
@unaithetutamatumatu
Contributor

URCaps are run in a socket with all permissions to the system. This crafted URCap generates dynamic allocation elements (10000000) per CPU cycle. It completely blocks any functionality of the UR.

@unaithetutamatumatu
Contributor

unaithetutamatumatu commented Apr 3, 2020

##################
# alurity.yml example file
##################

networks:
  - network:
    - driver: overlay
    - name: urnetwork
    - encryption: false
    - subnet: 192.8.8.0/24
containers:
  - container:
    - name: urrobot
    - modules:
      - base: registry.gitlab.com/aliasrobotics/offensive/alurity/robo_ur_cb3_1:3.12.1
      - network: urnetwork
    - cpus: 4
    - memory: 4096
    - mount: /home/unai/Desktop/freezeUR/com.IamHackingYou.URFancy/target/URFancy-1.0-SNAPSHOT.jar:/root/.urcaps/URFancy-1.0-SNAPSHOT.jar

flow:
  - container:
    - name: urrobot
    - window:
        - name: unsecure
        - commands:
          - command: "htop"
          - split: horizontal
          - command: "source run_gui.sh"
          - command: "$RUN_GUI"
