DATAC RealWin - Multiple Vulnerabilities

EDB-ID: 17025

Platform: Windows

Published: 2011-03-22

Sources:
http://aluigi.org/adv/realwin_2-adv.txt
http://aluigi.org/adv/realwin_3-adv.txt
http://aluigi.org/adv/realwin_4-adv.txt
http://aluigi.org/adv/realwin_5-adv.txt
http://aluigi.org/adv/realwin_6-adv.txt
http://aluigi.org/adv/realwin_7-adv.txt
http://aluigi.org/adv/realwin_8-adv.txt

Advisory Archive: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/17025-adv.tar.gz (datac_realwin_adv.tar.gz)
PoC Archive: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/17025-poc.tar.tz (datac_realwin_poc.tar.gz)

#######################################################################

                             Luigi Auriemma

Application:  DATAC RealWin
              http://www.dataconline.com/software/realwin.php
              http://www.realflex.com
Versions:     <= 2.1 (Build 6.1.10.10)
Platforms:    Windows
Date:         21 Mar 2011 (found 25 Nov 2010)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

===============
Introduction
===============

"RealWin is a SCADA server package for medium / small applications."

#######################################################################

Remote Stack Overflow:

======
Bug
======

The part of the server listening on port 910 is vulnerable to a buffer
overflow in the function at 004be510, which splits the input strings on
delimiters supplied by the calling functions and copies the pieces into
a stack buffer of 1024 bytes.

One way to trigger the vulnerability in that function is through an
On_FC_CONNECT_FCS_LOGIN packet containing a long username.


#######################################################################

===========
The Code
===========

http://aluigi.org/poc/realwin_2.zip
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/17025-2.zip (realwin_2.zip)

  nc SERVER 910 < realwin_2.dat

#######################################################################

Remote Stack Overflow:

======
Bug
======


The part of the server listening on port 910 is vulnerable to several
buffer overflows in the handling of the On_FC_CTAGLIST_FCS_CADDTAG,
On_FC_CTAGLIST_FCS_CDELTAG and On_FC_CTAGLIST_FCS_ADDTAGMS packets, where
the input strings are copied into a stack buffer of 1024 bytes.

The bugs are located in different functions, but I have grouped them in
this same advisory because the packet format and the operations
performed are similar.

List of the vulnerable functions:
- realwin_3a: 0042f770
- realwin_3b: 0042f670
- realwin_3c: 0042f9c0

#######################################################################

===========
The Code
===========

http://aluigi.org/poc/realwin_3.zip
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/17025-3.zip (realwin_3.zip)

  nc SERVER 910 < realwin_3?.dat

#######################################################################

Remote Stack Overflow:

======
Bug
======

The part of the server listening on port 910 is vulnerable to a buffer
overflow in the handling of the On_FC_RFUSER_FCS_LOGIN packet by the
function 00437500, where the input username is copied into a stack
buffer of 44 bytes.

#######################################################################

===========
The Code
===========

http://aluigi.org/poc/realwin_4.zip
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/17025-4.zip (realwin_4.zip)

  nc SERVER 910 < realwin_4.dat

#######################################################################

Remote Stack Overflow:

======
Bug
======

The part of the server listening on port 910 is vulnerable to several
buffer overflows in the handling of the various On_FC_BINFILE_FCS_*FILE
packets, which carry a string containing a filename used for some file
operations. The function 004275b0 appends this filename to a stack
buffer of 256 bytes to build the full path of the file, causing the
overflow.

The bugs are located in different functions, but I have grouped them in
this same advisory because the packet format and the operations
performed are similar.

List of the vulnerable functions:
- realwin_5a: 0042f770
- realwin_5b: 0042f670
- realwin_5c: 0042f9c0 -> 0042f770
- realwin_5d: 00427790
- realwin_5e: 004280b0
- realwin_5f: 00427880

#######################################################################

===========
The Code
===========

http://aluigi.org/poc/realwin_5.zip
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/17025-5.zip (realwin_5.zip)

  nc SERVER 910 < realwin_5?.dat

#######################################################################

Remote Integer Overflow:

======
Bug
======

The part of the server listening on port 910 is vulnerable to heap
overflows in the handling of the On_FC_MISC_FCS_MSGBROADCAST and
On_FC_MISC_FCS_MSGSEND packets. The server allocates an amount of memory
equal to the 32-bit size value provided by the client plus 0x16; a size
value close to 0xffffffff makes this addition wrap around, so the
allocated buffer is far smaller than the amount of input data copied
into it afterwards, resulting in a heap overflow.

The bugs are located in different functions, but I have grouped them in
this same advisory because the packet format and the operations
performed are similar enough (the main difference is the presence of the
16-bit value at offset 0x12 of On_FC_MISC_FCS_MSGSEND).

List of the vulnerable functions:
- realwin_6a: 004326f0
- realwin_6b: 00432ae0
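The size arithmetic described above, beside a checked version of it, as an added example in C; this is not code from the advisory or from the PoC archive. The 0x16 overhead is the advisory's; the 64 KiB payload cap and the function names are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MSG_HDR_OVERHEAD 0x16u          /* overhead the advisory reports */
#define MSG_MAX_PAYLOAD  (64u * 1024u)  /* assumed cap, not from the advisory */

/* Unchecked pattern the advisory describes: client size + 0x16 in 32-bit
 * arithmetic.  A size near UINT32_MAX wraps to a tiny value, so a small
 * buffer is allocated while the copy still uses the original length. */
uint32_t unchecked_alloc_size(uint32_t client_size)
{
    return client_size + MSG_HDR_OVERHEAD;   /* may wrap */
}

/* Checked form: returns the allocation size, or 0 when the sum would wrap
 * or the payload exceeds the cap (a valid result is never below 0x16). */
uint32_t checked_alloc_size(uint32_t client_size)
{
    if (client_size > UINT32_MAX - MSG_HDR_OVERHEAD) return 0;  /* wrap */
    if (client_size > MSG_MAX_PAYLOAD) return 0;                /* too big */
    return client_size + MSG_HDR_OVERHEAD;
}

/* Allocates header + payload only after the size passed the checks;
 * returns NULL when the message is refused or memory is exhausted. */
unsigned char *store_message(const unsigned char *payload, uint32_t client_size)
{
    uint32_t need = checked_alloc_size(client_size);
    if (need == 0) return NULL;
    unsigned char *buf = malloc(need);
    if (buf == NULL) return NULL;
    memset(buf, 0, MSG_HDR_OVERHEAD);                /* header placeholder */
    memcpy(buf + MSG_HDR_OVERHEAD, payload, client_size);
    return buf;
}

/* 1 if a message of the given size is accepted and stored, else 0. */
int message_accepted(const unsigned char *payload, uint32_t client_size)
{
    unsigned char *buf = store_message(payload, client_size);
    if (buf == NULL) return 0;
    free(buf);
    return 1;
}
```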

#######################################################################

===========
The Code
===========

http://aluigi.org/poc/realwin_6.zip
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/17025-6.zip (realwin_6.zip)

  nc SERVER 910 < realwin_6?.dat

#######################################################################

Remote Stack Overflow:

======
Bug
======

The part of the server listening on port 910 is vulnerable to a buffer
overflow in the handling of the On_FC_CGETTAG_FCS_GETTELEMETRY,
On_FC_CGETTAG_FCS_GETCHANNELTELEMETRY, On_FC_CGETTAG_FCS_SETTELEMETRY
and On_FC_CGETTAG_FCS_SETCHANNELTELEMETRY packets, where the input
string is used to build a file path in a stack buffer of about 200
bytes:

  sprintf(
    stack_buffer,
    "C:\\Program Files\\DATAC\\Real.Win\\DemoRW-1.06\\\\realflex\\data\\crt\\fwd\\tel\\%s.tel",
    input_string);

Note that the bugs are located in different functions, but I have
grouped them here because the packet format and the operations
performed are similar.

List of the vulnerable functions:
- realwin_7a: 00467050
- realwin_7b: 00467520
- realwin_7c: 00467860
- realwin_7d: 00467ce0
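The sprintf() above rewritten with a length bound and input validation, as an added example in C that is not from the advisory or its PoC; the prefix, suffix and ~200-byte buffer are the advisory's, while the tag-name character set and the function names are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Prefix and suffix are the advisory's format string; the buffer size is
 * its "about 200 bytes". */
#define TEL_PREFIX "C:\\Program Files\\DATAC\\Real.Win\\DemoRW-1.06\\\\realflex\\data\\crt\\fwd\\tel\\"
#define TEL_SUFFIX ".tel"
#define TEL_BUF_SIZE 200u

/* Bytes the unbounded sprintf() would write, terminating NUL included; any
 * value above TEL_BUF_SIZE is the stack overflow the advisory describes. */
size_t tel_path_required(const char *input)
{
    return strlen(TEL_PREFIX) + strlen(input) + strlen(TEL_SUFFIX) + 1;
}

/* Assumption, not from the advisory: a tag name is alphanumeric plus '_' or
 * '-'.  Refusing separators and dots also keeps the path inside tel\. */
static int valid_tag_name(const char *s)
{
    if (*s == '\0') return 0;
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        if (!isalnum(c) && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* Hardened form: validate, then format with a bound.  Returns 0 on success,
 * -1 when the name is invalid or the full path would not fit in outsz. */
int build_tel_path(char *out, size_t outsz, const char *input)
{
    if (!valid_tag_name(input) || tel_path_required(input) > outsz) return -1;
    int n = snprintf(out, outsz, "%s%s%s", TEL_PREFIX, input, TEL_SUFFIX);
    return (n >= 0 && (size_t)n < outsz) ? 0 : -1;
}

/* 1 if the name yields a path that fits the ~200-byte stack buffer, else 0. */
int tel_path_accepts(const char *input)
{
    char buf[TEL_BUF_SIZE];
    return build_tel_path(buf, sizeof buf, input) == 0;
}
```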

#######################################################################

===========
The Code
===========

http://aluigi.org/poc/realwin_7.zip
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/17025-7.zip (realwin_7.zip)

  nc SERVER 910 < realwin_7?.dat

#######################################################################

Remote Stack Overflow:

======
Bug
======

The part of the server listening on port 910 is vulnerable to a buffer
overflow in the handling of the On_FC_SCRIPT_FCS_STARTPROG packet by the
function 00439620, where the input string is copied into a stack buffer
of about 4 kilobytes.

#######################################################################

===========
The Code
===========

http://aluigi.org/poc/realwin_8.zip
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/17025-8.zip (realwin_8.zip)

  nc SERVER 910 < realwin_8.dat

#######################################################################

======
Fix
======

No fix.

#######################################################################