#######################################################################

                             Luigi Auriemma

Application:  IGSS (Interactive Graphical SCADA System)
              http://www.igss.com
              http://www.7t.dk
Versions:     IGSSdataServer.exe <= 9.00.00.11063
Platforms:    Windows
Bug:          stack overflows
Exploitation: remote, versus server
Date:         21 Mar 2011 (found 10 Jan 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


IGSS (Interactive Graphical SCADA system) is a SCADA solution developed
by the 7-Technologies and used mainly in Denmark and US.

Informations from the vendor's website:
"IGSS is the complete automation software – a SCADA system for process
control and supervision - with a long row of releases since the start
of 7T 25 years ago.
At that time, 7T was the first company in the world to develop an
object oriented and mouse operated SCADA system under the name of
IGSS."


#######################################################################

======
2) Bug
======


IGSSdataServer.exe is a server running on port 12401 active when the
project is started.

The opcode 0x7 is used for handling the RMS report templates and
after the parsing of the "Rename" (0x2), "Delete" (0x3) and "Add" (0x4)
commands it's called the function 0040F910 that builds the string to
place in RMS.DIC and that is vulnerable to a buffer overflow on a
stack buffer of about 512 bytes:

  0040F9FE  |.  8D0432            |LEA EAX,DWORD PTR DS:[EDX+ESI]
  0040FA01  |.  8D48 6A           |LEA ECX,DWORD PTR DS:[EAX+6A]
  0040FA04  |.  51                |PUSH ECX
  0040FA05  |.  8D50 2A           |LEA EDX,DWORD PTR DS:[EAX+2A]
  0040FA08  |.  52                |PUSH EDX
  0040FA09  |.  0FB650 01         |MOVZX EDX,BYTE PTR DS:[EAX+1]
  0040FA0D  |.  8D48 02           |LEA ECX,DWORD PTR DS:[EAX+2]
  0040FA10  |.  51                |PUSH ECX
  0040FA11  |.  52                |PUSH EDX
  0040FA12  |.  8D8424 24020000   |LEA EAX,DWORD PTR SS:[ESP+224]
  0040FA19  |.  68 E0A54300       |PUSH 0043A5E0                  ; "%d,%s,%s,%s"
  0040FA1E  |.  50                |PUSH EAX
  0040FA1F  |.  E8 460D0100       |CALL 0042076A                  ; sprintf


#######################################################################

===========
3) The Code
===========


The following proof-of-concept exploits the vulnerability from the
"Rename" command, mainly because it's the only command not affected by
other vulnerabilities before the reaching of this bugged function:

http://aluigi.org/poc/igss_5.zip

  nc SERVER 12401 < igss_5a.dat   (will add the "old_name" template)
  nc SERVER 12401 < igss_5b.dat


#######################################################################

======
4) Fix
======


No fix.

UPDATE 24 Mar 2011:
version 11083


#######################################################################