#######################################################################

                             Luigi Auriemma

Application:  IGSS (Interactive Graphical SCADA System)
              http://www.igss.com
              http://www.7t.dk
Versions:     IGSSdataServer.exe <= 9.00.00.11063
Platforms:    Windows
Bug:          stack overflow
Exploitation: remote, versus server
Date:         21 Mar 2011 (found 10 Jan 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

IGSS (Interactive Graphical SCADA System) is a SCADA solution developed
by 7-Technologies and used mainly in Denmark and the US.

Information from the vendor's website:

"IGSS is the complete automation software – a SCADA system for process
control and supervision - with a long row of releases since the start
of 7T 25 years ago. At that time, 7T was the first company in the world
to develop an object oriented and mouse operated SCADA system under the
name of IGSS."

#######################################################################

======
2) Bug
======

IGSSdataServer.exe is a server listening on port 12401 that becomes
active when a project is started.

Opcode 0x7 handles the RMS report templates. Through its "Add" command
(0x4) it is possible to trigger several stack-based buffer overflows:
three client-supplied strings are copied into small stack buffers with
a byte-by-byte loop that stops only at the terminating NUL and never
checks the size of the destination. Because the request is processed
before any authentication, an unauthenticated remote client can reach
the vulnerable code:

  00409B4F  . 8D46 04         LEA EAX,DWORD PTR DS:[ESI+4]      ; string from offset 0x16 of the packet
  00409B52  . 8D5424 1A       LEA EDX,DWORD PTR SS:[ESP+1A]
  00409B56  . 83C4 0C         ADD ESP,0C
  00409B59  . 2BD0            SUB EDX,EAX
  00409B5B  . EB 03           JMP SHORT 00409B60
  00409B5D    8D49 00         LEA ECX,DWORD PTR DS:[ECX]
  00409B60  > 8A08            MOV CL,BYTE PTR DS:[EAX]
  00409B62  . 880C02          MOV BYTE PTR DS:[EDX+EAX],CL
  00409B65  . 40              INC EAX
  00409B66  . 84C9            TEST CL,CL
  00409B68  .^75 F6           JNZ SHORT 00409B60
  00409B6A  . 8A46 71         MOV AL,BYTE PTR DS:[ESI+71]
  00409B6D  . 884424 0D       MOV BYTE PTR SS:[ESP+D],AL
  00409B71  . 8D46 2C         LEA EAX,DWORD PTR DS:[ESI+2C]     ; from offset 0x3e
  00409B74  . 8D5424 36       LEA EDX,DWORD PTR SS:[ESP+36]
  00409B78  . 2BD0            SUB EDX,EAX
  00409B7A  . 8D9B 00000000   LEA EBX,DWORD PTR DS:[EBX]
  00409B80  > 8A08            MOV CL,BYTE PTR DS:[EAX]
  00409B82  . 880C02          MOV BYTE PTR DS:[EDX+EAX],CL
  00409B85  . 40              INC EAX
  00409B86  . 84C9            TEST CL,CL
  00409B88  .^75 F6           JNZ SHORT 00409B80
  00409B8A  . 8D46 6C         LEA EAX,DWORD PTR DS:[ESI+6C]     ; from offset 0x7e
  00409B8D  . 8D5424 76       LEA EDX,DWORD PTR SS:[ESP+76]
  00409B91  . 2BD0            SUB EDX,EAX
  00409B93  > 8A08            MOV CL,BYTE PTR DS:[EAX]
  00409B95  . 880C02          MOV BYTE PTR DS:[EDX+EAX],CL
  00409B98  . 40              INC EAX
  00409B99  . 84C9            TEST CL,CL
  00409B9B  .^75 F6           JNZ SHORT 00409B93

Note that the loop also has no bound on the source side: if the packet
contains no NUL after the string offset, the copy keeps reading past
the received data.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/igss_3.zip

  nc SERVER 12401 < igss_3.dat

#######################################################################

======
4) Fix
======

No fix.

UPDATE 24 Mar 2011: fixed in version 11083

#######################################################################
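The following C model is an added illustration of the copy pattern shown in section 2; it is not part of the original advisory, the PoC archive or the vendor's code. It places the unbounded byte-copy loop from the listing beside a bounded parse of the same three fields and reports how many bytes each copy would write. The packet offsets 0x16, 0x3e, 0x7e and 0x83 come from the disassembly; the buffer sizes 28 and 64 are derived from the gaps between the destination addresses ESP+0x1A, ESP+0x36 and ESP+0x76; the size of the third buffer, the zeroed header bytes (the page does not give the positions of the opcode and command fields) and the two sample packets are assumptions or constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Packet offsets of the three NUL-terminated client strings and the flag
 * byte, from the disassembly (ESI points at packet offset 0x12). */
#define FIELD1_OFF 0x16u
#define FIELD2_OFF 0x3eu
#define FIELD3_OFF 0x7eu
#define FLAG_OFF   0x83u            /* byte copied from [ESI+0x71] */
#define MIN_LEN    (FLAG_OFF + 1)

/* Destination sizes. The first two are the distances between the stack
 * destinations ESP+0x1A, ESP+0x36 and ESP+0x76; the third is not visible
 * in the listing, so 64 is an ASSUMPTION of this model. */
#define BUF1_SIZE (0x36 - 0x1a)     /* 28 */
#define BUF2_SIZE (0x76 - 0x36)     /* 64 */
#define BUF3_SIZE 64

struct rms_add { char f1[BUF1_SIZE]; char f2[BUF2_SIZE]; char f3[BUF3_SIZE]; uint8_t flag; };

/* The loop as compiled (MOV CL,[EAX] / MOV [EDX+EAX],CL / INC EAX / TEST CL,CL
 * / JNZ): a strcpy with no bound on either side. Never feed it packet data. */
static void unbounded_copy(char *dst, const char *src)
{
    char c;
    do { c = *src++; *dst++ = c; } while (c != '\0');
}

/* Bytes the unbounded loop would write for the string at `off`, NUL included;
 * -1 if no NUL follows `off` inside the packet (it would then also over-read). */
static long field_copy_len(const uint8_t *pkt, size_t len, size_t off)
{
    if (off >= len) return -1;
    const uint8_t *nul = memchr(pkt + off, 0, len - off);
    return nul ? (long)(nul - (pkt + off)) + 1 : -1;
}

/* Hardened parse: checks the packet length, bounds every copy to its buffer
 * and rejects anything that does not fit. 0 on success, -1 on bad input. */
static int parse_rms_add(const uint8_t *pkt, size_t len, struct rms_add *out)
{
    struct { size_t off; char *dst; size_t cap; } fields[] = {
        { FIELD1_OFF, out->f1, sizeof out->f1 },
        { FIELD2_OFF, out->f2, sizeof out->f2 },
        { FIELD3_OFF, out->f3, sizeof out->f3 },
    };
    memset(out, 0, sizeof *out);
    if (len < MIN_LEN) return -1;
    for (size_t i = 0; i < 3; i++) {
        long n = field_copy_len(pkt, len, fields[i].off);
        if (n < 0 || (size_t)n > fields[i].cap) return -1;
        memcpy(fields[i].dst, pkt + fields[i].off, (size_t)n);
    }
    out->flag = pkt[FLAG_OFF];
    return 0;
}

/* Constructed sample packets (not captures); undocumented header bytes are 0.
 * oversized != 0 fills 0x16..0x7f with 'A', so the first copy would write 107
 * bytes into a 28-byte buffer and the second 67 bytes into a 64-byte one. */
#define PKT_LEN 0x90
static size_t build_packet(uint8_t *pkt, int oversized)
{
    memset(pkt, 0, PKT_LEN);
    if (oversized) {
        memset(pkt + FIELD1_OFF, 'A', 0x80 - FIELD1_OFF);
    } else {
        strcpy((char *)pkt + FIELD1_OFF, "report1");
        strcpy((char *)pkt + FIELD2_OFF, "template");
        strcpy((char *)pkt + FIELD3_OFF, "desc");
    }
    pkt[FLAG_OFF] = 1;
    return PKT_LEN;
}

/* End-to-end helpers: result of the hardened parse, and the length the
 * original loop would copy for one field, on either sample packet. */
static int sample_parse(int oversized)
{
    uint8_t pkt[PKT_LEN]; struct rms_add r;
    size_t n = build_packet(pkt, oversized);
    return parse_rms_add(pkt, n, &r);
}
static long sample_copy_len(int oversized, size_t off)
{
    uint8_t pkt[PKT_LEN];
    size_t n = build_packet(pkt, oversized);
    return field_copy_len(pkt, n, off);
}

int main(void)
{
    char tmp[8];
    unbounded_copy(tmp, "ok");           /* safe only because the source is a known literal */
    printf("benign:    parse=%d\n", sample_parse(0));
    printf("oversized: parse=%d, field1 would copy %ld bytes into %d\n",
           sample_parse(1), sample_copy_len(1, FIELD1_OFF), BUF1_SIZE);
    return 0;
}
```

The bounded version is what a fix for this pattern looks like: derive the capacity from the destination, measure the source against the bytes actually received, and refuse the request rather than truncating silently, since a truncated template name is a different record from the one the client asked for.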