#######################################################################

                             Luigi Auriemma

Application:  IGSS (Interactive Graphical SCADA System)
              http://www.igss.com
              http://www.7t.dk
Versions:     IGSSdataServer.exe <= 9.00.00.11063
Platforms:    Windows
Bug:          directory traversal
Exploitation: remote, versus server
Date:         21 Mar 2011 (found 10 Jan 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

IGSS (Interactive Graphical SCADA System) is a SCADA solution developed
by 7-Technologies and used mainly in Denmark and the US.

Information from the vendor's website:

"IGSS is the complete automation software – a SCADA system for process
control and supervision - with a long row of releases since the start
of 7T 25 years ago. At that time, 7T was the first company in the world
to develop an object oriented and mouse operated SCADA system under the
name of IGSS."

#######################################################################

======
2) Bug
======

IGSSdataServer.exe is a server listening on TCP port 12401; it is active
while a project is running.

Opcode 0xd selects the file operations, which cover creation, reading,
writing, deleting, renaming and so on. The file name supplied by the
client is used without checking it against the project directory, so
the server is affected by a directory traversal: an attacker can
download (command 0x3) or upload and overwrite (command 0x2) any file
on the disk where the software is installed. No authentication is
needed.
#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/igss_1.zip

Example for downloading c:\boot.ini:

  nc SERVER 12401 < igss_1a.dat

Example for writing/overwriting the file c:\evil.bat:

  nc SERVER 12401 < igss_1b.dat

#######################################################################

======
4) Fix
======

No fix.

UPDATE 24 Mar 2011: version 11083

#######################################################################
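The check the file-operation handler described in section 2 is missing is a confinement test on the client-supplied name before it is joined to the project directory. The following is an added example written for this page; it is not code from the advisory, from the proof of concept or from 7-Technologies, and it says nothing about the server's real wire format. It assumes a hypothetical project root (PROJECT_ROOT) and shows the name checks a Windows file server needs: both separator styles, drive letters, UNC paths, NUL bytes and ".." components that only appear after normalisation.

```python
import ntpath
import posixpath

# Hypothetical project directory; the real IGSS layout is not shown in the advisory.
PROJECT_ROOT = "C:/IGSS/project"


def normalize_request_path(name: str) -> str:
    """Canonicalise a client-supplied name the way the Windows file API would.

    Windows accepts '\\' and '/' interchangeably, so both are folded to '/'
    before the component check; otherwise "..\\..\\boot.ini" would pass a
    naive check that only looks for "../".
    """
    return name.replace("\\", "/")


def is_confined(name: str) -> bool:
    """Return True only if `name` can never leave the project directory."""
    if not name or "\x00" in name:
        # Empty names and embedded NULs are rejected outright: a NUL would
        # truncate the string in the native CreateFile call.
        return False
    if ntpath.splitdrive(name)[0]:
        # Drive letter ("c:\\evil.bat") or UNC prefix ("\\\\host\\share\\x").
        return False
    p = normalize_request_path(name)
    if p.startswith("/"):
        # Rooted path: "\\windows\\..." resolves from the drive root, not the project.
        return False
    # Collapse "a/../.." style sequences, then see whether anything climbs out.
    norm = posixpath.normpath(p)
    if norm == ".." or norm.startswith("../"):
        return False
    return norm not in (".", "")


def resolve_under_root(root: str, name: str):
    """Join a checked name to the root, or return None when it is rejected.

    The caller (the opcode 0xd handler) should refuse the request on None
    instead of falling through to the file operation.
    """
    if not is_confined(name):
        return None
    joined = posixpath.normpath(posixpath.join(root, normalize_request_path(name)))
    # Belt and braces: the final path must still sit below the root.
    if not joined.startswith(root.rstrip("/") + "/"):
        return None
    return joined


# Constructed sample requests, modelled on the advisory's two PoC targets.
SAMPLE_REQUESTS = [
    "logs\\today.log",            # legitimate project file
    "..\\..\\boot.ini",            # traversal with Windows separators (download PoC target)
    "c:\\evil.bat",                # absolute path (upload PoC target)
    "sub/../../x",                 # traversal only visible after normalisation
    "\\\\attacker\\share\\x",      # UNC path
    "\\windows\\win.ini",          # rooted path on the current drive
    "ok/../alarms.db",             # climbs and comes back: still confined
]


def triage(requests=SAMPLE_REQUESTS):
    """Map each request to the resolved path or None (rejected)."""
    return {r: resolve_under_root(PROJECT_ROOT, r) for r in requests}


if __name__ == "__main__":
    for req, resolved in triage().items():
        print(f"{req!r:32} -> {'REJECT' if resolved is None else resolved}")
```

The two normalisation steps matter in the order shown: fold separators first, then normpath, then re-check the joined result. Checking only the raw string for "../" misses the backslash form that Windows accepts, and checking only after the join misses drive-letter and UNC names that os.path.join silently replaces the root with.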