Claroty’s Team82 finds two vulnerabilities in XINJE PLC Program Tool, deployed across critical infrastructure sector

Researchers from Claroty’s Team82 research arm uncovered two vulnerabilities in the PLC Program Tool from Chinese automation company XINJE. The tool is an engineering workstation application typically deployed across energy, manufacturing, and engineering installations. The flaws are triggered by a crafted project file, which an attacker can exploit to write arbitrary project files to a PLC (programmable logic controller) and gain code execution. Team82 tested only v3.5, though it believes other versions may be vulnerable too.

“Team82 is disclosing limited information today about these vulnerabilities, details of which were privately disclosed at the end of August 2021 after a year of attempting to connect with representatives of the company,” Mashav Sapir, a Claroty researcher, wrote in a company blog post.

“The vendor was not receptive to our attempts to share technical information and collaborate on a fix and response,” according to Sapir. “Finally, on Sept. 8, 2021, XINJE representatives asked that Team82 stop communication. Team82 extended the terms of its coordinated disclosure policy beyond 90 days to nine months before disclosing limited details today to help asset owners prioritize any mitigations,” he added.

Although awareness of cybersecurity has been steadily increasing in recent years in the operational technology (OT) world, many engineering workstation programs are still vulnerable to easily exploitable vulnerabilities, Claroty highlighted. “Not all vendors are aware of the fact that project files can be weaponized by attackers as a method to take control of critical OT resources; this is true for most OT personnel as well,” the post said. 

Additionally, many vendors still do not have well-defined interfaces for coordinated disclosure of vulnerabilities. “As a result, disclosure can take an unnecessarily long time, often passing through sales and/or technical support teams without security knowledge, before reaching the teams responsible for the development of the affected products. This was a challenging disclosure with XINJE, which thankfully is not the norm within the majority of OT vendors,” Claroty added.

The XINJE PLC Program Tool is used across OT environments to communicate with XINJE-produced PLCs. These devices, according to XINJE, are sold not only in China, but also in Europe, North America, Southeast Asia, and elsewhere in several markets, including across the energy, manufacturing, and engineering sectors. 

“From a security perspective, gaining access to a machine containing the engineering workstation program can allow an attacker to fully meddle with PLCs and other highly sensitive OT equipment with adverse consequences,” Sapir said. “Therefore, exploiting vulnerabilities in these applications can be used by attackers as a final step toward taking full control of an OT network,” he added.

Claroty was responding to a request to research proprietary protocols to maximize customers’ ability to observe the traffic in their network. “At times we have to support older equipment still used in critical roles in production sites, and at other times we even stumble onto equipment manufactured by smaller OT vendors. The request we received from a customer to analyze protocols used by equipment manufactured by XINJE fell into the latter category,” the post said.

“Our first step was to create a lab setup; this usually requires purchasing equipment and connecting it to the relevant engineering workstation program,” according to Sapir. “In some cases, even purchasing the equipment can be difficult because the vendor might no longer offer the exact models we need.” 

Over time, the researchers discovered “that a surprisingly wide range of OT equipment can be purchased through eBay,” the post said. In many cases, once a factory changes its OT equipment, the older, used equipment winds up on eBay and can be purchased easily and shipped to your doorstep. Equipment offered by XINJE was no exception, and a variety of XINJE products can be purchased through eBay, it added.

Once the PLC was purchased, the next step was to install it in the company’s lab, along with a multitude of other OT equipment, and connect it to the engineering workstation program used to configure it.

“Once we’ve constructed a suitable setup and finished researching the different protocols used by the equipment, we’re often asked by our customers to look for security issues with the setup,” according to Sapir. “Pointing out these issues can help users improve their security posture immediately. Responsibly reporting these vulnerabilities to the vendor can help fix them and improve security across the entire OT space,” he added.

In XINJE’s case, “we decided to focus on the engineering workstation program called XINJE PLC Program Tool,” Sapir said. In some cases, project file vulnerabilities are of particular interest. Usually, searching for project file vulnerabilities begins with investigating the structure of the project file used by the engineering workstation program. In the case of the XINJE PLC Program Tool, the relevant files are ‘*.xdp’ files. These project files can be easily identified as zip files, and they can be extracted by almost any archive utility, he added. 

Sapir also said that when the program opens a project file, it immediately extracts it to a temporary directory located within its installation directory. “This behavior indicates that the program assumes it’s being executed with administrator privileges. This, in combination with the extracted file being a zip file, immediately makes one wonder whether a zip slip vulnerability (an arbitrary file-overwrite vulnerability) can be leveraged to obtain arbitrary write privileges,” he added.

“Soon enough we did find a zip slip vulnerability (CVE-2021-34605), which can provide an attacker with arbitrary write privileges with the permissions of the program; in most cases, these will be administrator privileges,” Sapir said. “The next question is how to reach code execution from an arbitrary file write. Since it makes the most sense for the code to be executed right after the project file is loaded, we can check what the program is doing while opening the project file,” he added.

To create a fully working exploit, Claroty chained the two vulnerabilities. “Once a specially crafted malicious project file is opened by XINJE PLC Program Tool, the zip slip vulnerability will be triggered and a .dll file will be written to the program’s directory in Program Files,” the post said. “Later in the process of loading a new project, this DLL will be loaded instead of the real DLL (located in Windows\System32). Once the DLL is loaded, malicious code is executed during its DllMain procedure or in one of the functions imported by the program. An attacker now may gain a foothold on an OT network,” it added.
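The chain above hinges on a single defect: the extractor trusts the member names inside the zip-based project file, so a name such as `..\..\planted.dll` lands outside the temporary directory and, because that directory sits under the installation folder, inside a path the program later searches for DLLs. The following Python is an added example written for this article; it is not Claroty’s or XINJE’s code and it does not model the real `.xdp` layout. It constructs a sample archive (the member names `project/main.ladder` and `..\..\planted.dll` are invented), scans it for entries that would escape the extraction root, and shows the hardened extraction logic an asset owner or vendor would want in place of a naive unzip: name-based filtering first, then a real-path check after joining to the destination.

```python
import io
import os
import posixpath
import tempfile
import zipfile
from typing import List


def is_unsafe_member(name: str) -> bool:
    """Return True when an archive member name would escape the extraction root.

    Archives written on Windows may carry backslashes, and a malicious archive
    may mix separators, so both are normalised to '/' before checking.
    """
    normalised = name.replace("\\", "/")
    # Absolute paths and drive-letter paths (C:/...) also escape the root.
    if normalised.startswith("/") or (len(normalised) > 1 and normalised[1] == ":"):
        return True
    # normpath collapses "a/../b" to "b"; anything still starting with ".."
    # after collapsing climbs above the extraction root.
    collapsed = posixpath.normpath(normalised)
    return collapsed == ".." or collapsed.startswith("../")


def find_zip_slip_entries(archive_bytes: bytes) -> List[str]:
    """Scan a zip-based project file and list every traversal member name.

    Useful as a pre-flight check on project files received from outside the
    plant (e-mail, USB, integrator hand-off) before they are opened.
    """
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [i.filename for i in zf.infolist() if is_unsafe_member(i.filename)]


def safe_extract(archive_bytes: bytes, dest_root: str) -> List[str]:
    """Extract only members that resolve inside dest_root; return their paths.

    The realpath/commonpath check is the second guard: even if the name filter
    were bypassed, nothing is written outside the chosen directory.
    """
    root = os.path.realpath(dest_root)
    extracted = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if is_unsafe_member(info.filename):
                continue  # traversal entry: skip, never write
            rel = info.filename.replace("\\", "/")
            target = os.path.realpath(os.path.join(root, *rel.split("/")))
            if os.path.commonpath([root, target]) != root:
                continue  # resolved outside the root (e.g. via a symlink)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(os.path.relpath(target, root).replace(os.sep, "/"))
    return extracted


def build_sample_project() -> bytes:
    """Constructed sample archive: one benign member plus one traversal member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/main.ladder", "LD X0\nOUT Y0\n")   # benign (invented name)
        zf.writestr("..\\..\\planted.dll", b"MZ-placeholder")    # traversal (invented name)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_project()
    print("traversal entries:", find_zip_slip_entries(sample))
    with tempfile.TemporaryDirectory() as d:
        print("safely extracted:", safe_extract(sample, d))
```

Two points worth noting for anyone porting this to the language of their own extractor: the name filter must normalise backslashes before looking for `..`, because a check written only for `/` is trivially bypassed by an archive built on Windows; and the post-join real-path comparison catches cases the name filter cannot see, such as a symlinked subdirectory already present in the destination. Python’s own `ZipFile.extractall` strips leading `..` components, but many engineering tools ship custom extraction code that does not.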

Team82 and Rockwell Automation provided details last month about two vulnerabilities in Rockwell PLCs and engineering workstation software, deployed globally across multiple critical infrastructure sectors. The modified code could be downloaded to a PLC, while the engineer at the workstation would likely see the process running as expected, reminiscent of Stuxnet and the Rogue7 attacks.
