#######################################################################

Luigi Auriemma

Application:  Siemens Automation License Manager
              http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&lang=en&siteid=cseus&aktprim=0&extranet=standard&viewreg=WW&objid=10805384&treeLang=en
Versions:     <= 500.0.122.1
Platforms:    Windows
Bugs:         A] Service *_licensekey serialid code execution
              B] Service exceptions
              C] Service NULL pointer
              D] almaxcx.dll files overwriting
Exploitation: remote
Date:         28 Nov 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Siemens Automation License Manager is the system used by Siemens for
handling the remote and local licenses of its HMI, SCADA and industrial
products. The service ships with most of these products and is required
for their use.

#######################################################################

=======
2) Bugs
=======

-----------------------------------------------
A] Service *_licensekey serialid code execution
-----------------------------------------------

Buffer overflow in the handling of the serialid field used by the
various *_licensekey commands, which all share the same function for
parsing their parameters. The vulnerability leads to code execution:

  011C7D96   8B01         MOV EAX,DWORD PTR DS:[ECX]
  011C7D98   8B10         MOV EDX,DWORD PTR DS:[EAX]   ; controlled
  011C7D9A   6A 01        PUSH 1
  011C7D9C   FFD2         CALL EDX

---------------------
B] Service exceptions
---------------------

Some long fields can be used to raise an exception:

  The exception unknown software exception (0xc0000417) occurred in the
  application at location 0x????????.

The exception is caused by the use of wcscpy_s in some functions that
copy the values passed by the client into stack buffers: when the value
does not fit the destination, the secure CRT raises this invalid
parameter exception instead of overflowing.

This is what happens with open_session->workstation->NAME (function
00412060), grant->VERSION and so on.

Note that on some systems the exception doesn't lead to a direct Denial
of Service (apart from the resources of the thread that is left active).

-----------------------
C] Service NULL pointer
-----------------------

NULL pointer dereference in the handling of the get_target_ocx_param and
send_target_ocx_param commands.

Note that on some systems the exception doesn't lead to a direct Denial
of Service (apart from the resources of the thread that is left active).

--------------------------------
D] almaxcx.dll files overwriting
--------------------------------

The almaxcx.dll ActiveX component (ALMListView.ALMListCtrl,
E57AF4A2-EF57-41D0-8512-FECDA78F1FE7) has a Save method that accepts an
arbitrary filename to save to. The effect is that any file can be
overwritten with this essentially empty one (just the 2 bytes "\r\n").

Note that I can't exclude the possibility of controlling the content of
the saved file, which would allow code execution; indeed I didn't test
the component more deeply to check this hypothesis, so it remains open,
and whoever has more experience than me with this component can confirm
it or not.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/almsrvx_1.zip

A] almsrvx_1 almsrvx_1a.dat SERVER

B] almsrvx_1 almsrvx_1b1.dat SERVER
   almsrvx_1 almsrvx_1b2.dat SERVER

C] almsrvx_1 almsrvx_1c.dat SERVER

D] almsrvx_1d.htm

#######################################################################

======
4) Fix
======

No fix.

#######################################################################
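Added example, not code from the advisory or from the Siemens product: how a service can copy a client-supplied field such as open_session->workstation->NAME (bug B) into a fixed stack buffer without either overflowing it or letting the secure CRT abort the process with the 0xc0000417 invalid parameter exception. The buffer size, field names and sample values are constructed assumptions.

```c
/* Added example (hypothetical buffer size and field names). On MSVC,
 * wcscpy_s() with a source that does not fit its destination invokes
 * the invalid parameter handler, which is the 0xc0000417 exception the
 * advisory reports; the robust alternative is to validate the length
 * first and reject the request as a protocol error. */
#include <stddef.h>
#include <wchar.h>

#define NAME_FIELD_MAX 32   /* hypothetical size of the stack buffer */

/* Copy src into dst[dst_count]. Returns 0 on success, -1 if src is NULL,
 * is not terminated within max_scan characters, or is too long for dst.
 * Never reads past max_scan characters of src, so an unterminated field
 * received from the network cannot cause an over-read either. */
int copy_field(wchar_t *dst, size_t dst_count,
               const wchar_t *src, size_t max_scan)
{
    size_t n = 0;
    if (dst == NULL || dst_count == 0) return -1;
    dst[0] = L'\0';                      /* always leave dst terminated */
    if (src == NULL) return -1;          /* cf. bug C: reject, don't deref */
    while (n < max_scan && src[n] != L'\0') n++;
    if (n >= max_scan || n >= dst_count) return -1; /* unterminated/too long */
    wmemcpy(dst, src, n + 1);            /* n + 1 includes the terminator */
    return 0;
}

/* Handler for a NAME-like field: returns 1 if accepted, 0 if rejected,
 * so the worker thread returns normally instead of the CRT aborting it. */
int handle_workstation_name(const wchar_t *name, size_t avail)
{
    wchar_t buf[NAME_FIELD_MAX];
    if (copy_field(buf, NAME_FIELD_MAX, name, avail) != 0)
        return 0;
    return 1; /* buf is safe to use from here on */
}

/* Constructed sample: a 40-character name, longer than the buffer. */
int reject_overlong_name(void)
{
    wchar_t name[41];
    for (size_t i = 0; i < 40; i++) name[i] = L'A';
    name[40] = L'\0';
    return handle_workstation_name(name, 41);
}

/* Constructed sample: 4 characters with no terminator at all. */
int reject_unterminated_name(void)
{
    wchar_t raw[4] = { L'a', L'b', L'c', L'd' };
    return handle_workstation_name(raw, 4);
}
```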