#######################################################################

                             Luigi Auriemma

Application:  Beckhoff TwinCAT
              http://www.beckhoff.de/twincat/
Versions:     TCatScopeView <= 2.9.0 (Build 226)
Platforms:    Windows
Bug:          integer overflow
Exploitation: file
Date:         02 Mar 2012
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

From vendor's website:
"The Beckhoff TwinCAT software system turns almost any compatible PC
into a real-time controller with a multi-PLC system, NC axis control,
programming environment and operating station."

#######################################################################

======
2) Bug
======

TCatScopeView is the application that opens files with the registered
SVW and SCP extensions.

There is an integer overflow during the allocation of a memory buffer:
a 32-bit value read from the file is trusted and multiplied by 16 to
obtain the allocation size, and the resulting buffer is then filled
with the subsequent data available in the file up to its end. The
overflow is therefore fairly controlled (but it doesn't look very
reliable in my opinion).

---

As a side note, there is an interesting but not (much) exploitable
vulnerability in the handling of the WSM files opened by
TCatSysManager.exe:

  007D26FA   396C24 28        CMP DWORD PTR SS:[ESP+28],EBP
  007D26FE   896C24 1C        MOV DWORD PTR SS:[ESP+1C],EBP
  007D2702   0F8E F9020000    JLE TCatSysM.007D2A01
  ...
  007D2A8E  . 396C24 20       CMP DWORD PTR SS:[ESP+20],EBP
  007D2A92  . 8987 48030000   MOV DWORD PTR DS:[EDI+348],EAX
  007D2A98  . 7E 27           JLE SHORT TCatSysM.007D2AC1
  007D2A9A  . 8B6C24 20       MOV EBP,DWORD PTR SS:[ESP+20]
  007D2A9E  . 8D9F 94000000   LEA EBX,DWORD PTR DS:[EDI+94]
  007D2AA4  > 833B 00         CMP DWORD PTR DS:[EBX],0
  007D2AA7  . 74 0C           JE SHORT TCatSysM.007D2AB5
  007D2AA9  . 8B0B            MOV ECX,DWORD PTR DS:[EBX]
  007D2AAB  . 8B11            MOV EDX,DWORD PTR DS:[ECX]
  007D2AAD  . 8B82 14020000   MOV EAX,DWORD PTR DS:[EDX+214]
  007D2AB3  . FFD0            CALL EAX
  007D2AB5  > 83C3 04         ADD EBX,4
  007D2AB8  . 83ED 01         SUB EBP,1
  007D2ABB  .^75 E7           JNZ SHORT TCatSysM.007D2AA4

The result is EIP pointing to 0x25ff00ad (a 32-bit integer taken from
the .text section of the executable), so without the possibility of
allocating and filling memory there is no way to exploit this bug, at
least for the moment. Reported just for "curiosity"; maybe it can be
an interesting case study.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/twincat_2.zip

#######################################################################

======
4) Fix
======

No fix.

#######################################################################
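The allocation bug described in section 2 (a 32-bit count from the file multiplied by 16, then a copy that runs to end of file) is the classic size-computation overflow. The following C is an added illustration, not code from the advisory or from TwinCAT: it shows the wrapping multiply next to a checked version that rejects a count whose byte size overflows or exceeds what the file actually contains. The header layout (little-endian count followed by payload) and the sample headers are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define ENTRY_SIZE 16u   /* the file's 32-bit count is multiplied by 16 */

/* Vulnerable pattern: the 32-bit multiply wraps, so an enormous count
 * becomes a tiny allocation while the copy still runs to end of file. */
uint32_t naive_alloc_size(uint32_t count)
{
    return count * ENTRY_SIZE;      /* 0x10000001 * 16 wraps to 0x10 */
}

/* Hardened size computation: reject a count whose byte size does not fit
 * in 32 bits, and reject one the file cannot actually back with data.
 * Returns 1 and sets *bytes on success, 0 when the header is rejected. */
int checked_alloc_size(uint32_t count, size_t remaining, uint32_t *bytes)
{
    if (count > UINT32_MAX / ENTRY_SIZE)
        return 0;                   /* count * 16 would overflow */
    *bytes = count * ENTRY_SIZE;
    if (*bytes > remaining)
        return 0;                   /* declared payload longer than the file */
    return 1;
}

/* Parse an assumed header (4-byte little-endian count, then payload) and
 * copy exactly the checked number of bytes. Returns 1 if accepted, 0 if not. */
int header_accepted(const uint8_t *file, size_t len)
{
    if (len < 4)
        return 0;
    uint32_t count = (uint32_t)file[0] | (uint32_t)file[1] << 8 |
                     (uint32_t)file[2] << 16 | (uint32_t)file[3] << 24;
    uint32_t bytes;
    if (!checked_alloc_size(count, len - 4, &bytes))
        return 0;
    uint8_t *buf = malloc(bytes ? bytes : 1);
    if (!buf)
        return 0;
    memcpy(buf, file + 4, bytes);   /* bounded by the checked size, never by EOF */
    free(buf);
    return 1;
}

/* Constructed sample headers (not files from the advisory's PoC archive). */
static const uint8_t SANE_FILE[4 + 32]      = { 0x02, 0x00, 0x00, 0x00 }; /* 2 entries, 32 bytes follow */
static const uint8_t OVERFLOW_FILE[4 + 32]  = { 0x01, 0x00, 0x00, 0x10 }; /* count 0x10000001 */
static const uint8_t TRUNCATED_FILE[4 + 16] = { 0x02, 0x00, 0x00, 0x00 }; /* claims 32, has 16 */
```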