Reference for a vulnerability in atvise server 2.0.0.3291
by Luigi Auriemma
e-mail: aluigi@autistici.org
web:    aluigi.org

This note acts only as a quick and historical reference for a
vulnerability I found various months ago (about April/May 2011) in the
SCADA software atvise (http://www.atvise.com), exactly in version
2.0.0.3291.
I delayed its publishing due to some missing details about the problem
and about the possibility of controlling the resulting code execution.

The developers found and fixed it autonomously but I don't know when
and in what exact version.

Reproducing the problem:

  http://aluigi.org/testz/udpsz.zip
  http://aluigi.org/poc/atvise_1.dat

  udpsz -f atvise_1.dat -T -l 500 -X 0x89 16 l 0x1b0 SERVER 4840 -1

Leave it running till the crashing of the server in less than one
minute.
In some rare cases the problem could happen when the server gets
stopped or restarted.

atvise_1.dat is just a normal connection dump without modifications.

No additional research has been performed and no other details are
available.