#######################################################################

                             Luigi Auriemma

Application:  InduSoft WebStudio
              http://www.indusoft.com
Versions:     <= 7.0 (Oct 2010)
Platforms:    Windows
Bug:          full file access in CEServer.exe
Exploitation: remote, versus server
Date:         probably found 15 Oct 2010
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

"InduSoft is HMI SCADA software for developing applications in
industrial, Instrumentation and Embedded Systems"

#######################################################################

======
2) Bug
======

CEServer.exe is the remote agent server running on port 4322.
The protocol consists of an 8-bit opcode (from 0x01 to 0x39) followed by
the data. Note that the commands are not handled according to their real
size but simply as they are read from recv(): whatever arrives in one
recv() buffer is treated as one command.

Through the following opcodes it is possible to read, write, overwrite
and delete any file on the disks or shared folders accessible by the
software:

- 0x01 string: write mode, with the NUL-delimited name of the file to
  open; both absolute and relative paths are supported
- 0x02 32bit data: the write operation, where the opcode is followed by
  a 32-bit number specifying the amount of bytes to write, and then the
  data itself
- 0x04 string: read mode, same format as 0x01
- 0x05: requests the reading of the file from the current position
- 0x0c string: creates a text file using the section/parameter/value
  syntax, which can be used to create bat files. The dot used below
  stands for the tab char (0x09):
    filename.section_name.parameter.value
- 0x15 string: removes the specified filename

Note that some other opcodes also perform file operations, but the ones
above are the most important and have direct access to the files.
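As an added example, not part of the advisory or of the vendor's code, the following decoder shows how a network sensor could flag the file-access commands described above in traffic to TCP/4322. It assumes a little-endian byte count for 0x02 (the advisory does not state the byte order), latin-1 filenames, and the constructed sample segments mirror the proof of concept described in section 3.

```python
import struct

# Opcodes documented in the advisory for CEServer.exe (TCP/4322).
FILE_OPCODES = {
    0x01: "OPEN_WRITE",  # NUL-terminated filename, write mode
    0x02: "WRITE_DATA",  # 32-bit byte count followed by the data
    0x04: "OPEN_READ",   # NUL-terminated filename, read mode
    0x05: "READ",        # no payload: read from the current position
    0x0C: "CREATE_INI",  # filename<TAB>section<TAB>parameter<TAB>value
    0x15: "DELETE",      # NUL-terminated filename
}

def is_outside_app_dir(name: str) -> bool:
    """Drive-letter, UNC or parent-traversal paths reach beyond the agent's own folder."""
    return name[1:3] == ":\\" or name.startswith("\\\\") or ".." in name.replace("/", "\\").split("\\")

def decode_segment(payload: bytes) -> dict:
    """Decode one command the way the server does: one recv() buffer is one command, so run per segment."""
    if not payload:
        return {"name": "EMPTY", "file_op": False}
    op, body = payload[0], payload[1:]
    name = FILE_OPCODES.get(op, "OTHER")
    ev = {"opcode": op, "name": name, "file_op": name != "OTHER"}
    if op in (0x01, 0x04, 0x15, 0x0C):
        text = body.split(b"\x00", 1)[0].decode("latin-1")
        fields = text.split("\t") if op == 0x0C else [text]
        ev["filename"], ev["fields"] = fields[0], fields[1:]
        ev["outside_app_dir"] = is_outside_app_dir(fields[0])
    elif op == 0x02 and len(body) >= 4:
        # Byte order of the count is not stated in the advisory; little-endian is assumed here.
        n = struct.unpack("<I", body[:4])[0]
        ev["declared_len"], ev["data"] = n, body[4:4 + n]
        ev["truncated"] = len(body) - 4 < n  # declared more bytes than the segment carries
    return ev

def file_access_alerts(segments) -> list:
    """Return the decoded file-operation commands found in a list of client->server segments."""
    return [ev for ev in map(decode_segment, segments) if ev["file_op"]]

# Constructed sample traffic mirroring the advisory's proof of concept (c:\evil.txt, "hello").
SAMPLE_SEGMENTS = [
    b"\x01c:\\evil.txt\x00",
    b"\x02" + struct.pack("<I", 5) + b"hello",
    b"\x04c:\\evil.txt\x00",
    b"\x05",
    b"\x15c:\\evil.txt\x00",
    b"\x30\x00\x01",  # unrelated opcode, not flagged
]
```

Because the server treats each recv() chunk as a command, a sensor that reassembles the TCP stream before decoding may split or merge commands differently from the server; per-segment decoding is the safer approximation.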
#######################################################################

===========
3) The Code
===========

http://aluigi.org/testz/udpsz.zip

http://aluigi.org/poc/indusoft_3.zip

  udpsz -T 0xffffffff -f indusoft_3a.dat,indusoft_3b.dat,indusoft_3c.dat,indusoft_3d.dat -D SERVER 4322 -1

The proof-of-concept will create the file c:\evil.txt with the content
"hello" and will read it.

#######################################################################

======
4) Fix
======

http://www.zerodayinitiative.com/advisories/ZDI-11-330/

#######################################################################