LabVIEW

cancel
Showing results for 
Search instead for 
Did you mean: 
Reply

LabView vulnerability allows hackers to hack your computer

Anyone else come across this? https://thehackernews.com/2017/08/hacking-labview-vi-file.html?m=1

They talk in the post about Labview 2016 but I presume it is still vulnerable in Labview 2017 (which I'm using)?

0 Kudos
Message 1 of 14
(2,245 Views)

Hi Original,

 

while this vulnerability is bad for LabVIEW as we depends on the VI loading routine inside LabVIEW you (as developer) should always be careful when opening VIs from "outside":

- they might be set to "run when opened"

- they might include code to delete your C: drive (after they "run when opened")

- they might include other hidden bad stuff

- due to problems in the VI it might corrupt the running LabVIEW IDE forcing you to kill it and so sending any unsaved work to NIL:

 

While you can avoid this "run when opened" feature (by dragging the "unknown" VI as a subVI into another VI) I can't see the result of the linked security warning. What happens with this ""?

Best regards,
GerdW
CLAD expired, using 2009SP1 + LV2011SP1 + LV2017 (+LV2018 sometimes) on Win7+cRIO
Kudos are welcome Smiley Wink

Message 2 of 14
(2,218 Views)

I am sure this is not the only vulnerability. 

 

See https://lavag.org/topic/19527-smash-call/

 

That being said, has anyone ever heard of an exploit in the wild? I am not going to worry too much about this.

 

I wonder if NI scans any of the files that are uploaded here.

 

Cheers,

mcduff

0 Kudos
Message 3 of 14
(2,162 Views)

I don't put any faith in articles that use a word such as "equipments".

0 Kudos
Message 4 of 14
(2,154 Views)

I'd be more worried about everyone using OPC without any security. It's fairly easy to "hijack" this communication, and your plant would be doing stuff without anybody noticing. Pretty sure that's fairy easy with shared variables as well. Redirecting TCP\IP communication isn't that hard.

 

AFAIK, this hack could be done with any program. What they are saying is: if you run something malicious, it could do harm. Yes, even if it's a VI... If you open (and run) a Java, Python, C++ or C# file, you have the same "vulnerability".

On the other hand, it seems that this hack would execute when the VI is loaded. This means a virus could be made that spreads itself though all VI RSRC sections. So inspecting the VI and deciding not to run it won't work. The damage is already done. The code in the RSRC might not be doing anything else then replicate itself. Until a certain condition is met, and then it could activate some evil. Pretty much like stuxnet.

But it would be a lot easier to make a virus with scripting. When run, it infects other VI's... Using weird flags you can make this script invisible. Although you need to run the VI, it probably has the same effect, and it's a lot easier.

In both cases it will be probably be noticed. VI's will become slower, larger, and SCC will show unexplainable changes.

 

Message 5 of 14
(2,060 Views)

I don't see how this vulnerability could allow arbitrary code to be executed. What I do see from the description is that someone could create a VI that when loaded in LabVIEW, crashes your LabVIEW program. Wow, that is big news!

Anyhow it seems that NI has already responded to this here and is in the process of creating a patch for it. And give them a few weeks to test, package and retest that patch.

Rolf Kalbermatter
Averna BV
LabVIEW ArchitectLabVIEW ChampionLabVIEW Instructor
Message 6 of 14
(2,030 Views)

Rolf,

That right, it only crashes LV (fills LV memory with 0's)...

0 Kudos
Message 7 of 14
(2,025 Views)

I mentioned this in another thread, but if you are worried about VIs that run on open, you can install my LabVIEW Tray Launcher, which takes over the .vi file extension, and shows you what version of LabVIEW the VI can be opened in and what ones are running.  In addition to that it has the ability to ask if a VI should be ran when opened, or just opened and not ran.


Unofficial Forum Rules and Guidelines - Hooovahh - LabVIEW Overlord
Interesting in learning all you can about automotive CAN bus communication? Checkout my 12 part CAN Blog series.

Message 8 of 14
(1,991 Views)

I saw an article on Reddit that goes into detail on what this vulnerability involved and how it works.  The article is pretty negative since it was written before NI said they works do something about it.

 

https://0patch.blogspot.com/2017/09/0patching-rsrc-arbitrary-null-write.html?m=1


Unofficial Forum Rules and Guidelines - Hooovahh - LabVIEW Overlord
Interesting in learning all you can about automotive CAN bus communication? Checkout my 12 part CAN Blog series.

0 Kudos
Message 9 of 14
(1,968 Views)

It's basically a blog for their own product (which you can download for free) and their service to support manufacturers with micro patches. It does however have a potential flaw. I don't see anywhere in the source code for their micropatch an exact version number nor what the file should contain before it gets patched. So considering that NI releases several patches per LabVIEW version which can certainly also replace this particular DLL (it's the manager core DLL that contains all the code for the low level managers in LabVIEW), there is a chance that they micropatch an already patched version that doesn't have the code at the same address and therefore potentially creates a non working DLL.

NI does usually update the version number of DLLs but only the bug fix level and that seems nowhere checked, nor a test that the DLL contains at the specific location the byte sequence that needs patching. And it obviously only patches the 32 bit version of LabVIEW.

 

And since it seems to actually modify executable code files, I doubt that it works in a tightly secured corporate environment at all. Most virus scanners will likely consider it a thread as it would need to use some highly suspicious mechanismes to do its work.

Rolf Kalbermatter
Averna BV
LabVIEW ArchitectLabVIEW ChampionLabVIEW Instructor
0 Kudos
Message 10 of 14
(1,958 Views)