#######################################################################

Luigi Auriemma

Application:  Microsys PROMOTIC
              http://www.promotic.eu/en/promotic/scada-pm.htm
Versions:     <= 8.1.4
Platforms:    Windows
Bug:          use-after-free
Exploitation: file
Date:         28 Nov 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

From vendor's website:
"PROMOTIC is a complex SCADA object software tool for creating
applications that monitor, control and display technological processes
in various industrial areas."

#######################################################################

======
2) Bug
======

There is a use-after-free vulnerability exploitable when the program
terminates due to an error in the loading of a project.
For example, if the project with the PRA registered extension isn't
valid, then there will be the possibility to execute code during the
automatic closing of the software, where all the allocated resources
are freed.

From PmTool0:

  0038A2CD   MOV ECX, DWORD PTR [EDX+8]
  0038A2D0   CALL ECX                    ; possible code execution

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/promotic_3.zip

The file is just one of the example files provided with the software,
in which I modified only one byte at offset 0x1dc0.

#######################################################################

======
4) Fix
======

No fix.

#######################################################################
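The bug class described in section 2 (an object released on a project-load error path, then dispatched through an indirect call when the program shuts down and frees its resources) is modelled below as an added example. This is not code from the advisory and not PROMOTIC's code; every name in it (Resource, registry, load_project_unsafe, load_project_safe, shutdown_all) is an assumption made for illustration. Releases go to a quarantine list instead of calling free(), so the dangling dispatch is detected and counted rather than executed, and the hardened loader shows the ownership fix: unregister before release.

```c
/*
 * Added example (not from the advisory, not PROMOTIC code): a minimal model of a
 * shutdown-time use-after-free. A loader registers an object in a global table,
 * validation fails, the error path releases the object but leaves the table
 * entry dangling, and the shutdown path later makes an indirect call through it
 * (compare the CALL ECX through [EDX+8] in the advisory). The hardened loader
 * removes the registry entry before releasing. Releases are modelled with a
 * quarantine list instead of free() so the fault is observable without UB.
 */
#include <stdio.h>
#include <stdlib.h>

typedef struct Resource Resource;
struct Resource {
    const char *name;
    int (*on_close)(Resource *r);   /* dispatched by shutdown, like a vtable slot */
    int valid;                      /* constructed project state: 0 = fails validation */
};

#define MAX_RES 8
static Resource *registry[MAX_RES];     /* global table walked at shutdown */
static Resource *quarantine[MAX_RES];   /* stand-in for memory returned to the heap */
static Resource *all_allocs[MAX_RES];   /* bookkeeping so the model can free cleanly */
static int registry_count, quarantine_count, alloc_count;

static int close_resource(Resource *r) { (void)r; return 0; }

static int is_released(const Resource *r) {
    for (int i = 0; i < quarantine_count; i++)
        if (quarantine[i] == r) return 1;
    return 0;
}

/* Model of free(): the object is no longer owned by whoever still points at it. */
static void release(Resource *r) { quarantine[quarantine_count++] = r; }

static Resource *create_resource(const char *name, int valid) {
    Resource *r = calloc(1, sizeof *r);
    r->name = name;
    r->on_close = close_resource;
    r->valid = valid;
    registry[registry_count++] = r;
    all_allocs[alloc_count++] = r;
    return r;
}

/* Vulnerable pattern: the error path releases the object, the registry keeps the pointer. */
static int load_project_unsafe(const char *name, int valid) {
    Resource *r = create_resource(name, valid);
    if (!r->valid) { release(r); return -1; }
    return 0;
}

/* Hardened pattern: clear the registry slot first, so shutdown never sees the object. */
static int load_project_safe(const char *name, int valid) {
    Resource *r = create_resource(name, valid);
    if (!r->valid) {
        for (int i = 0; i < registry_count; i++)
            if (registry[i] == r) registry[i] = NULL;
        release(r);
        return -1;
    }
    return 0;
}

/* Shutdown: walk the registry and dispatch on_close. Returns how many dispatches
 * would have gone through an already-released object; a real build would crash
 * or jump through stale memory here instead of counting. */
static int shutdown_all(void) {
    int dangling = 0;
    for (int i = 0; i < registry_count; i++) {
        Resource *r = registry[i];
        if (r == NULL) continue;
        if (is_released(r)) { dangling++; continue; }
        r->on_close(r);
        release(r);
    }
    return dangling;
}

static void reset_state(void) {
    for (int i = 0; i < alloc_count; i++) free(all_allocs[i]);
    registry_count = quarantine_count = alloc_count = 0;
}

/* Load one valid project and one constructed invalid one, then shut down.
 * Returns the number of dangling dispatches: 1 for the unsafe loader, 0 for the safe one. */
int run_scenario(int hardened) {
    reset_state();
    int (*load)(const char *, int) = hardened ? load_project_safe : load_project_unsafe;
    load("example_ok.pra", 1);
    load("example_corrupt.pra", 0);   /* constructed: fails validation */
    int dangling = shutdown_all();
    reset_state();
    return dangling;
}

int main(void) {
    printf("unsafe loader: %d dangling dispatch(es) at shutdown\n", run_scenario(0));
    printf("safe loader:   %d dangling dispatch(es) at shutdown\n", run_scenario(1));
    return 0;
}
```

The detection side of this model is the point for a defender: a registry that outlives the objects it points to is a two-owner problem, and the fix is to make one path (here the loader's error path) responsible for both unregistering and releasing, so the shutdown sweep only ever sees live objects or NULL.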