7-technologies igss 9.00.00.11059 - Multiple Vulnerabilities



EDB-ID: 17024 CVE: 2011-1565 OSVDB-ID: 72354
Author: Luigi Auriemma Published: 2011-03-22 Verified: Not Verified
Exploit Code:   Download Vulnerable App:   N/A

Rating

(0.0)
Prev Home Next
Sources:
http://aluigi.org/adv/igss_1-adv.txt
http://aluigi.org/adv/igss_2-adv.txt
http://aluigi.org/adv/igss_3-adv.txt
http://aluigi.org/adv/igss_4-adv.txt
http://aluigi.org/adv/igss_5-adv.txt
http://aluigi.org/adv/igss_6-adv.txt
http://aluigi.org/adv/igss_7-adv.txt
http://aluigi.org/adv/igss_8-adv.txt

Advisory Archive: http://www.exploit-db.com/sploits/igss_adv.tar.gz
PoC Archive: http://www.exploit-db.com/sploits/igss_poc.tar.gz

#######################################################################

                             Luigi Auriemma

Application:  IGSS (Interactive Graphical SCADA System)
              http://www.igss.com
              http://www.7t.dk
Versions:     IGSSdataServer.exe <= 9.00.00.11063
Platforms:    Windows
Date:         21 Mar 2011 (found 10 Jan 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################

===============
Introduction
===============

IGSS (Interactive Graphical SCADA system) is a SCADA solution developed
by the 7-Technologies and used mainly in Denmark and US.

Informations from the vendor's website:
"IGSS is the complete automation software – a SCADA system for process
control and supervision - with a long row of releases since the start
of 7T 25 years ago.
At that time, 7T was the first company in the world to develop an
object oriented and mouse operated SCADA system under the name of
IGSS."


#######################################################################

Directory Traversal:

======
Bug
======

IGSSdataServer.exe is a server running on port 12401 active when the
project is started.

The opcode 0xd is used for the file operations that cover creation,
reading, writing, deleting, renaming and so on.

The server is affected by a directory traversal that gives the attacker
the possibility of downloading (command 0x3) or uploading and
overwriting (0x2) any file on the disk where the software is installed.

#######################################################################

===========
The Code
===========

http://aluigi.org/poc/igss_1.zip
http://www.exploit-db.com/sploits/igss_1.zip

example for downloading c:\boot.ini:
  nc SERVER 12401 < igss_1a.dat

example for writing/overwriting the file c:\evil.bat
  nc SERVER 12401 < igss_1b.dat

#######################################################################

Remote Stack Overflow:

======
Bug
======

IGSSdataServer.exe is a server running on port 12401 active when the
project is started.

The opcode 0xd is used for the file operations that cover creation,
reading, writing, deleting, renaming and so on.

All the commands supported by this opcode except "FileReserve" (0x7)
are affected by different buffer overflow vulnerabilities caused by the
copying of the filename provided by the client in stack buffers of 256
bytes.

The following is the list of the copying functions for each command
(I don't remember the exact version from which I got them):

  "ListAll" (0x1)       00406e91
  "Write File" (0x2)    004071dd
  "ReadFile" (0x3)      004072fd
  "Delete" (0x4)        00406fad
  "RenameFile" (0x5)    00407094 and 004070cf
  "FileInfo" (0x6)      0040746f

#######################################################################

===========
The Code
===========

http://aluigi.org/poc/igss_2.zip
http://www.exploit-db.com/sploits/igss_2.zip

  nc SERVER 12401 < igss_2a.dat
  nc SERVER 12401 < igss_2b.dat
  nc SERVER 12401 < igss_2c.dat
  nc SERVER 12401 < igss_2d.dat
  nc SERVER 12401 < igss_2e.dat
  nc SERVER 12401 < igss_2f.dat

#######################################################################

Remote Stack Overflow:

======
Bug
======

IGSSdataServer.exe is a server running on port 12401 active when the
project is started.

The opcode 0x7 is used for handling the RMS report templates and
through the "Add" command (0x4) is possible to exploit some buffer
overflows caused by the copying of the client strings in small stack
buffers:

  00409B4F   .  8D46 04       LEA EAX,DWORD PTR DS:[ESI+4]  ; string from offset 0x16 of the packet
  00409B52   .  8D5424 1A     LEA EDX,DWORD PTR SS:[ESP+1A]
  00409B56   .  83C4 0C       ADD ESP,0C
  00409B59   .  2BD0          SUB EDX,EAX
  00409B5B   .  EB 03         JMP SHORT 00409B60
  00409B5D      8D49 00       LEA ECX,DWORD PTR DS:[ECX]
  00409B60   >  8A08          MOV CL,BYTE PTR DS:[EAX]
  00409B62   .  880C02        MOV BYTE PTR DS:[EDX+EAX],CL
  00409B65   .  40            INC EAX
  00409B66   .  84C9          TEST CL,CL
  00409B68   .^ 75 F6         JNZ SHORT 00409B60
  00409B6A   .  8A46 71       MOV AL,BYTE PTR DS:[ESI+71]
  00409B6D   .  884424 0D     MOV BYTE PTR SS:[ESP+D],AL
  00409B71   .  8D46 2C       LEA EAX,DWORD PTR DS:[ESI+2C] ; from offset 0x3e
  00409B74   .  8D5424 36     LEA EDX,DWORD PTR SS:[ESP+36]
  00409B78   .  2BD0          SUB EDX,EAX
  00409B7A   .  8D9B 00000000 LEA EBX,DWORD PTR DS:[EBX]
  00409B80   >  8A08          MOV CL,BYTE PTR DS:[EAX]
  00409B82   .  880C02        MOV BYTE PTR DS:[EDX+EAX],CL
  00409B85   .  40            INC EAX
  00409B86   .  84C9          TEST CL,CL
  00409B88   .^ 75 F6         JNZ SHORT 00409B80
  00409B8A   .  8D46 6C       LEA EAX,DWORD PTR DS:[ESI+6C] ; from offset 0x7e
  00409B8D   .  8D5424 76     LEA EDX,DWORD PTR SS:[ESP+76]
  00409B91   .  2BD0          SUB EDX,EAX
  00409B93   >  8A08          MOV CL,BYTE PTR DS:[EAX]
  00409B95   .  880C02        MOV BYTE PTR DS:[EDX+EAX],CL
  00409B98   .  40            INC EAX
  00409B99   .  84C9          TEST CL,CL
  00409B9B   .^ 75 F6         JNZ SHORT 00409B93

#######################################################################

===========
The Code
===========

http://aluigi.org/poc/igss_3.zip
http://www.exploit-db.com/sploits/igss_3.zip

  nc SERVER 12401 < igss_3.dat

#######################################################################

Remote Stack Overflow:

======
Bug
======

IGSSdataServer.exe is a server running on port 12401 active when the
project is started.

The opcode 0x7 is used for handling the RMS report templates and
through the "ReadFile" (0x6) and "Write File" (0x5) commands is
possible to exploit a buffer overflow caused by the building of a full
path string using a stack buffer of 256 bytes located on the caller
function:

  0040F840  /$  8B4424 04          MOV EAX,DWORD PTR SS:[ESP+4]
  0040F844  |.  50                 PUSH EAX
  0040F845  |.  83C1 04            ADD ECX,4
  0040F848  |.  51                 PUSH ECX
  0040F849  |.  8B4C24 10          MOV ECX,DWORD PTR SS:[ESP+10]
  0040F84D  |.  68 54A54300        PUSH 0043A554                ; "%s\%s.RMS"
  0040F852  |.  51                 PUSH ECX
  0040F853  |.  E8 120F0100        CALL 0042076A                ; sprintf
  0040F858  |.  83C4 10            ADD ESP,10
  0040F85B  \.  C2 0800            RETN 8

#######################################################################

===========
The Code
===========

http://aluigi.org/poc/igss_4.zip
http://www.exploit-db.com/sploits/igss_4.zip

Proof-of-concept via "ReadFile":
  nc SERVER 12401 < igss_4a.dat

Proof-of-concept via "Write File":
  nc SERVER 12401 < igss_4b.dat

#######################################################################

Remote Stack Overflow:

======
Bug
======

IGSSdataServer.exe is a server running on port 12401 active when the
project is started.

The opcode 0x7 is used for handling the RMS report templates and
after the parsing of the "Rename" (0x2), "Delete" (0x3) and "Add" (0x4)
commands it's called the function 0040F910 that builds the string to
place in RMS.DIC and that is vulnerable to a buffer overflow on a
stack buffer of about 512 bytes:

  0040F9FE  |.  8D0432            |LEA EAX,DWORD PTR DS:[EDX+ESI]
  0040FA01  |.  8D48 6A           |LEA ECX,DWORD PTR DS:[EAX+6A]
  0040FA04  |.  51                |PUSH ECX
  0040FA05  |.  8D50 2A           |LEA EDX,DWORD PTR DS:[EAX+2A]
  0040FA08  |.  52                |PUSH EDX
  0040FA09  |.  0FB650 01         |MOVZX EDX,BYTE PTR DS:[EAX+1]
  0040FA0D  |.  8D48 02           |LEA ECX,DWORD PTR DS:[EAX+2]
  0040FA10  |.  51                |PUSH ECX
  0040FA11  |.  52                |PUSH EDX
  0040FA12  |.  8D8424 24020000   |LEA EAX,DWORD PTR SS:[ESP+224]
  0040FA19  |.  68 E0A54300       |PUSH 0043A5E0                  ; "%d,%s,%s,%s"
  0040FA1E  |.  50                |PUSH EAX
  0040FA1F  |.  E8 460D0100       |CALL 0042076A                  ; sprintf

#######################################################################

===========
The Code
===========

The following proof-of-concept exploits the vulnerability from the
"Rename" command, mainly because it's the only command not affected by
other vulnerabilities before the reaching of this bugged function:

http://aluigi.org/poc/igss_5.zip
http://www.exploit-db.com/sploits/igss_5.zip

  nc SERVER 12401 < igss_5a.dat   (will add the "old_name" template)
  nc SERVER 12401 < igss_5b.dat

#######################################################################

Remote Format String:

======
Bug
======

IGSSdataServer.exe is a server running on port 12401 active when the
project is started.

The logging function Shmemmgr.logText that places messages in GSST.LOG
has a printf-like prototype but the function 0040cec0 that handles all
the internal logs doesn't provide the necessary format argument when
calls it:

  0040CF5B  |>  8D4424 04     LEA EAX,DWORD PTR SS:[ESP+4]
  0040CF5F  |.  50            PUSH EAX
  0040CF60  |.  57            PUSH EDI
  0040CF61  |.  6A 0D         PUSH 0D
  0040CF63  |.  6A 01         PUSH 1
  0040CF65  |.  FF15 6C834300 CALL DWORD PTR DS:[<&Shmemmgr9.logText>]  ; Shmemmgr.logText
  ...
  005A55E6   .  8B4D EC       MOV ECX,DWORD PTR SS:[EBP-14]
  005A55E9   .  51            PUSH ECX
  005A55EA   .  8B55 14       MOV EDX,DWORD PTR SS:[EBP+14]
  005A55ED   .  52            PUSH EDX
  005A55EE   .  68 00280000   PUSH 2800
  005A55F3   .  8D85 E8D7FFFF LEA EAX,DWORD PTR SS:[EBP-2818]
  005A55F9   .  50            PUSH EAX
  005A55FA   .  FF15 20026200 CALL DWORD PTR DS:[<&MSVCR90.vsprintf_s>] ; MSVCR90.vsprintf_s

Note that is not clear if this vulnerability is exploitable for code
execution.

#######################################################################

===========
The Code
===========

http://aluigi.org/poc/igss_6.zip
http://www.exploit-db.com/sploits/igss_6.zip

  nc SERVER 12401 < igss_6.dat

#######################################################################

Remote Stack Overflow:

======
Bug
======

IGSSdataServer.exe is a server running on port 12401 active when the
project is started.

The opcode 0x8 is used for handling the STDREP requests and through the
command 0x4 is possible to exploit a buffer overflow caused by the
building of a SQL query using a stack buffer of 256 bytes:

  0040A4B5   .  8B46 04       MOV EAX,DWORD PTR DS:[ESI+4]
  0040A4B8   .  8B48 16       MOV ECX,DWORD PTR DS:[EAX+16]
  0040A4BB   .  51            PUSH ECX
  0040A4BC   .  83C0 1A       ADD EAX,1A
  0040A4BF   .  50            PUSH EAX
  0040A4C0   .  68 7C984300   PUSH 0043987C     ; "UPDATE ReportFormats SET RMSref={%s} WHERE (FormatID=%d)"
  0040A4C5   .  8BD7          MOV EDX,EDI
  0040A4C7   .  52            PUSH EDX
  0040A4C8   .  E8 9D620100   CALL 0042076A     ; sprintf

Note that is not clear if this vulnerability is exploitable for code
execution.

#######################################################################

===========
The Code
===========

http://aluigi.org/poc/igss_7.zip
http://www.exploit-db.com/sploits/igss_7.zip

  nc SERVER 12401 < igss_7.dat

#######################################################################

Arbitrary Command Execution:

======
Bug
======

dc.exe is a server running on port 12397 active when the project is
started.

The opcodes 0xa and 0x17 are used for launching the executables located
in the folder of the software but through directory traversal is
possible to execute any arbitrary executable on the disk where is
located the software and specifying any argument for its execution.

#######################################################################

===========
The Code
===========


http://aluigi.org/poc/igss_8.zip
http://www.exploit-db.com/sploits/igss_8.zip

Two examples for executing calc.exe ("calc.exe arg1 arg2 arg3"):
  nc SERVER 12397 < igss_8a.dat
  nc SERVER 12397 < igss_8b.dat

#######################################################################

======
4) Fix
======

No fix.

#######################################################################