SRC-2018-0007 : Beckhoff TwinCAT3 Multiple Kernel Drivers Untrusted Pointer Dereference Privilege Escalation Vulnerabilities
This vulnerability allows local attackers to execute arbitrary code on vulnerable installations of Beckhoff TwinCAT3. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists when processing the 0x00222206 IOCTL in the following kernel drivers:
The issue results from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer. An attacker could leverage this vulnerability to execute arbitrary code in the context of SYSTEM.
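As an added illustration (not code from the advisory, from Beckhoff, or from the affected drivers), the C below decodes the IOCTL code named above into its CTL_CODE fields and models the flaw class next to its fix: a handler that trusts a caller-supplied value as a pointer, and one that validates range, alignment and overflow first, the way ProbeForRead does in a real driver. The request layout, the STATUS values and the simulated user address range are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Bit layout of a Windows IOCTL code, CTL_CODE(DeviceType, Function, Method, Access). */
struct ioctl_fields { unsigned device_type, access, function, method; };

struct ioctl_fields decode_ioctl(uint32_t code)
{
    struct ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFF;  /* 0x22 = FILE_DEVICE_UNKNOWN */
    f.access      = (code >> 14) & 0x3;     /* 0 = FILE_ANY_ACCESS */
    f.function    = (code >> 2)  & 0xFFF;
    f.method      = code & 0x3;             /* 0 BUFFERED, 1 IN_DIRECT, 2 OUT_DIRECT, 3 NEITHER */
    return f;
}

/* Constructed stand-in for user-mode memory: the only range a request may legally name. */
#define USER_BASE 0x10000ULL
#define USER_SIZE 4096ULL
static uint8_t user_mem[USER_SIZE];

/* Hypothetical request layout (not the driver's real one): a caller-chosen address
   plus a byte count. */
struct request { uint64_t addr; uint32_t length; };

enum { STATUS_SUCCESS = 0, STATUS_ACCESS_VIOLATION = -1, STATUS_INVALID_PARAMETER = -2 };

/* Vulnerable pattern: the caller's value is trusted and dereferenced as a pointer.
   Here an address outside user_mem indexes out of bounds; in a driver the same
   pattern reads kernel memory or crashes on an unmapped page. */
uint32_t unchecked_handler(const struct request *in)
{
    uint32_t v;
    memcpy(&v, user_mem + (in->addr - USER_BASE), sizeof v);
    return v;
}

/* Hardened pattern: the checks ProbeForRead enforces, performed before any access. */
int hardened_handler(const struct request *in, uint32_t *out)
{
    uint64_t start = in->addr, end = start + in->length;
    if (in->length < sizeof(uint32_t))     return STATUS_INVALID_PARAMETER;
    if (start % sizeof(uint32_t) != 0)     return STATUS_ACCESS_VIOLATION; /* alignment */
    if (end < start)                       return STATUS_ACCESS_VIOLATION; /* wraparound */
    if (start < USER_BASE || end > USER_BASE + USER_SIZE)
                                           return STATUS_ACCESS_VIOLATION; /* not user space */
    /* A real driver also wraps the copy in __try/__except: the page may still be unmapped. */
    memcpy(out, user_mem + (start - USER_BASE), sizeof *out);
    return STATUS_SUCCESS;
}
```

Decoding 0x00222206 gives method 2 (METHOD_OUT_DIRECT), so the input reaches the driver through the buffered SystemBuffer and any pointer found inside it is still an untrusted user value.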
Beckhoff has issued an update to correct these vulnerabilities. More details can be found at:
- 2017-09-27 – Verified and sent to Beckhoff and ICS-CERT
- 2018-03-13 – Coordinated public release of advisory
Proof of Concept:
This vulnerability was discovered by Steven Seeley (mr_me) of Source Incite