ThinManager Thinserver.exe /api/documentation Endpoint Path Traversal Remote File Disclosure
Vendor / Product information
“Our ThinManager® thin client management software allows control and security in a sustainable and scalable platform regardless of the size of your industrial environment or number of facilities. The thin client architecture gives users the applications and tools familiar to them in a format that reduces management and maintenance costs while it increases security.”
Vulnerable program details
Details for tested products and versions:
Vendor: Rockwell Automation
Version: 13.0 SP2
NOTE: Other versions than the one listed above are likely affected. The security advisory released by Rockwell reports versions 13.0.0 through 13.0.2 as vulnerable as well as ThinServer version 13.1.0.
Sven Krewitt, Flashpoint
Rockwell Automation ThinManager contains a flaw that allows traversing outside of a restricted path and allows a remote attacker to read files on the local file system with SYSTEM-level privileges.
Exploitation of this issue requires that API endpoints are enabled in the HTTPS server API settings, which are disabled by default.
The issue can be triggered when handling requests to the /api/documentation endpoint. By submitting a path containing a path traversal sequence (e.g. ‘../’), a remote attacker can read arbitrary files from the server’s file system with privileges of the server (NT AUTHORITY\SYSTEM).
Proof of concept
Enable API endpoints in the HTTPS Server Settings.
Use curl to send a specially crafted request to the endpoint
$ curl --path-as-is -k https://[serverIP]:8443/api/documentation/../../../../../../../windows/system.ini
The vulnerability is fixed in ThinManager version 13.0.3 and ThinServer version 13.1.1.
2023-04-04 Vulnerability discovered.
2023-04-14 Vulnerability reported to Rockwell Automation PSIRT
2023-04-25 Vendor response.
2023-07-18 Vulnerability published to VulnDB customers.
2023-07-19 Publication of this vulnerability report.