ExploitFixes
7-Technologies IGSS 9.00.00.11059 Multiple Vulnerabilities 2011-03-22 15:15:13

Sources:
http://aluigi.org/adv/igss_1-adv.txt
http://aluigi.org/adv/igss_2-adv.txt
http://aluigi.org/adv/igss_3-adv.txt
http://aluigi.org/adv/igss_4-adv.txt
http://aluigi.org/adv/igss_5-adv.txt
http://aluigi.org/adv/igss_6-adv.txt
http://aluigi.org/adv/igss_7-adv.txt
http://aluigi.org/adv/igss_8-adv.txt

Advisory Archive: http://www.exploit-db.com/sploits/igss_adv.tar.gz
PoC Archive: http://www.exploit-db.com/sploits/igss_poc.tar.gz

#######################################################################

Luigi Auriemma

Application: IGSS (Interactive Graphical SCADA System)
http://www.igss.com
http://www.7t.dk
Versions: IGSSdataServer.exe <= 9.00.00.11063
Platforms: Windows
Date: 21 Mar 2011 (found 10 Jan 2011)
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org


#######################################################################

===============
Introduction
===============

IGSS (Interactive Graphical SCADA system) is a SCADA solution developed
by the 7-Technologies and used mainly in Denmark and US.

Informations from the vendor's website:
"IGSS is the complete automation software &ndash; a SCADA system for process
control and supervision - with a long row of releases since the start
of 7T 25 years ago.
At that time, 7T was the first company in the world to develop an
object oriented and mouse operated SCADA system under the name of
IGSS."


#######################################################################

Directory Traversal:

======
Bug
======

IGSSdataServer.exe is a server running on port 12401 active when the
project is started.

The opcode 0xd is used for the file operations that cover creation,
reading, writing, deleting, renaming and so on.

The server is affected by a directory traversal that gives the attacker
the possibility of downloading (command 0x3) or uploading and
overwriting (0x2) any file on the disk where the software is installed.

#######################################################################

===========
The Code
===========

http://aluigi.org/poc/igss_1.zip
http://www.exploit-db.com/sploits/igss_1.zip

example for downloading c:\boot.ini:
nc SERVER 12401 < igss_1a.dat

example for writing/overwriting the file c:\evil.bat
nc SERVER 12401 < igss_1b.dat

#######################################################################

Remote Stack Overflow:

======
Bug
======

IGSSdataServer.exe is a server running on port 12401 active when the
project is started.

The opcode 0xd is used for the file operations that cover creation,
reading, writing, deleting, renaming and so on.

All the commands supported by this opcode except "FileReserve" (0x7)
are affected by different buffer overflow vulnerabilities caused by the
copying of the filename provided by the client in stack buffers of 256
bytes.

The following is the list of the copying functions for each command
(I don't remember the exact version from which I got them):

"ListAll" (0x1) 00406e91
"Write File" (0x2) 004071dd
"ReadFile" (0x3) 004072fd
"Delete" (0x4) 00406fad
"RenameFile" (0x5) 00407094 and 004070cf
"FileInfo" (0x6) 0040746f

#######################################################################

===========
The Code
===========

http://aluigi.org/poc/igss_2.zip
http://www.exploit-db.com/sploits/igss_2.zip

nc SERVER 12401 < igss_2a.dat
nc SERVER 12401 < igss_2b.dat
nc SERVER 12401 < igss_2c.dat
nc SERVER 12401 < igss_2d.dat
nc SERVER 12401 < igss_2e.dat
nc SERVER 12401 < igss_2f.dat

#######################################################################

Remote Stack Overflow:

======
Bug
======

IGSSdataServer.exe is a server running on port 12401 active when the
project is started.

The opcode 0x7 is used for handling the RMS report templates and
through the "Add" command (0x4) is possible to exploit some buffer
overflows caused by the copying of the client strings in small stack
buffers:

00409B4F . 8D46 04 LEA EAX,DWORD PTR DS:[ESI+4] ; string from offset 0x16 of the packet
00409B52 . 8D5424 1A LEA EDX,DWORD PTR SS:[ESP+1A]
00409B56 . 83C4 0C ADD ESP,0C
00409B59 . 2BD0 SUB EDX,EAX
00409B5B . EB 03 JMP SHORT 00409B60
00409B5D 8D49 00 LEA ECX,DWORD PTR DS:[ECX]
00409B60 > 8A08 MOV CL,BYTE PTR DS:[EAX]
00409B62 . 880C02 MOV BYTE PTR DS:[EDX+EAX],CL
00409B65 . 40 INC EAX
00409B66 . 84C9 TEST CL,CL
00409B68 .^ 75 F6 JNZ SHORT 00409B60
00409B6A . 8A46 71 MOV AL,BYTE PTR DS:[ESI+71]
00409B6D . 884424 0D MOV BYTE PTR SS:[ESP+D],AL
00409B71 . 8D46 2C LEA EAX,DWORD PTR DS:[ESI+2C] ; from offset 0x3e
00409B74 . 8D5424 36 LEA EDX,DWORD PTR SS:[ESP+36]
00409B78 . 2BD0 SUB EDX,EAX
00409B7A . 8D9B 00000000 LEA EBX,DWORD PTR DS:[EBX]
00409B80 > 8A08 MOV CL,BYTE PTR DS:[EAX]
00409B82 . 880C02 MOV BYTE PTR DS:[EDX+EAX],CL
00409B85 . 40 INC EAX
00409B86 . 84C9 TEST CL,CL
00409B88 .^ 75 F6 JNZ SHORT 00409B80
00409B8A . 8D46 6C LEA EAX,DWORD PTR DS:[ESI+6C] ; from offset 0x7e
00409B8D . 8D5424 76 LEA EDX,DWORD PTR SS:[ESP+76]
00409B91 . 2BD0 SUB EDX,EAX
00409B93 > 8A08 MOV CL,BYTE PTR DS:[EAX]
00409B95 . 880C02 MOV BYTE PTR DS:[EDX+EAX],CL
00409B98 . 40 INC EAX
00409B99 . 84C9 TEST CL,CL
00409B9B .^ 75 F6 JNZ SHORT 00409B93

#######################################################################

===========
The Code
===========

http://aluigi.org/poc/igss_3.zip
http://www.exploit-db.com/sploits/igss_3.zip

nc SERVER 12401 < igss_3.dat

#######################################################################

Remote Stack Overflow:

======
Bug
======

IGSSdataServer.exe is a server running on port 12401 active when the
project is started.

The opcode 0x7 is used for handling the RMS report templates and
through the "ReadFile" (0x6) and "Write File" (0x5) commands is
possible to exploit a buffer overflow caused by the building of a full
path string using a stack buffer of 256 bytes located on the caller
function:

0040F840 /$ 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4]
0040F844 |. 50 PUSH EAX
0040F845 |. 83C1 04 ADD ECX,4
0040F848 |. 51 PUSH ECX
0040F849 |. 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+10]
0040F84D |. 68 54A54300 PUSH 0043A554 ; "%s\%s.RMS"
0040F852 |. 51 PUSH ECX
0040F853 |. E8 120F0100 CALL 0042076A ; sprintf
0040F858 |. 83C4 10 ADD ESP,10
0040F85B \. C2 0800 RETN 8

#######################################################################

===========
The Code
===========

http://aluigi.org/poc/igss_4.zip
http://www.exploit-db.com/sploits/igss_4.zip

Proof-of-concept via "ReadFile":
nc SERVER 12401 < igss_4a.dat

Proof-of-concept via "Write File":
nc SERVER 12401 < igss_4b.dat

#######################################################################

Remote Stack Overflow:

======
Bug
======

IGSSdataServer.exe is a server running on port 12401 active when the
project is started.

The opcode 0x7 is used for handling the RMS report templates and
after the parsing of the "Rename" (0x2), "Delete" (0x3) and "Add" (0x4)
commands it's called the function 0040F910 that builds the string to
place in RMS.DIC and that is vulnerable to a buffer overflow on a
stack buffer of about 512 bytes:

0040F9FE |. 8D0432 |LEA EAX,DWORD PTR DS:[EDX+ESI]
0040FA01 |. 8D48 6A |LEA ECX,DWORD PTR DS:[EAX+6A]
0040FA04 |. 51 |PUSH ECX
0040FA05 |. 8D50 2A |LEA EDX,DWORD PTR DS:[EAX+2A]
0040FA08 |. 52 |PUSH EDX
0040FA09 |. 0FB650 01 |MOVZX EDX,BYTE PTR DS:[EAX+1]
0040FA0D |. 8D48 02 |LEA ECX,DWORD PTR DS:[EAX+2]
0040FA10 |. 51 |PUSH ECX
0040FA11 |. 52 |PUSH EDX
0040FA12 |. 8D8424 24020000 |LEA EAX,DWORD PTR SS:[ESP+224]
0040FA19 |. 68 E0A54300 |PUSH 0043A5E0 ; "%d,%s,%s,%s"
0040FA1E |. 50 |PUSH EAX
0040FA1F |. E8 460D0100 |CALL 0042076A ; sprintf

#######################################################################

===========
The Code
===========

The following proof-of-concept exploits the vulnerability from the
"Rename" command, mainly because it's the only command not affected by
other vulnerabilities before the reaching of this bugged function:

http://aluigi.org/poc/igss_5.zip
http://www.exploit-db.com/sploits/igss_5.zip

nc SERVER 12401 < igss_5a.dat (will add the "old_name" template)
nc SERVER 12401 < igss_5b.dat

#######################################################################

Remote Format String:

======
Bug
======

IGSSdataServer.exe is a server running on port 12401 active when the
project is started.

The logging function Shmemmgr.logText that places messages in GSST.LOG
has a printf-like prototype but the function 0040cec0 that handles all
the internal logs doesn't provide the necessary format argument when
calls it:

0040CF5B |> 8D4424 04 LEA EAX,DWORD PTR SS:[ESP+4]
0040CF5F |. 50 PUSH EAX
0040CF60 |. 57 PUSH EDI
0040CF61 |. 6A 0D PUSH 0D
0040CF63 |. 6A 01 PUSH 1
0040CF65 |. FF15 6C834300 CALL DWORD PTR DS:[<&Shmemmgr9.logText>] ; Shmemmgr.logText
...
005A55E6 . 8B4D EC MOV ECX,DWORD PTR SS:[EBP-14]
005A55E9 . 51 PUSH ECX
005A55EA . 8B55 14 MOV EDX,DWORD PTR SS:[EBP+14]
005A55ED . 52 PUSH EDX
005A55EE . 68 00280000 PUSH 2800
005A55F3 . 8D85 E8D7FFFF LEA EAX,DWORD PTR SS:[EBP-2818]
005A55F9 . 50 PUSH EAX
005A55FA . FF15 20026200 CALL DWORD PTR DS:[<&MSVCR90.vsprintf_s>] ; MSVCR90.vsprintf_s

Note that is not clear if this vulnerability is exploitable for code
execution.

#######################################################################

===========
The Code
===========

http://aluigi.org/poc/igss_6.zip
http://www.exploit-db.com/sploits/igss_6.zip

nc SERVER 12401 < igss_6.dat

#######################################################################

Remote Stack Overflow:

======
Bug
======

IGSSdataServer.exe is a server running on port 12401 active when the
project is started.

The opcode 0x8 is used for handling the STDREP requests and through the
command 0x4 is possible to exploit a buffer overflow caused by the
building of a SQL query using a stack buffer of 256 bytes:

0040A4B5 . 8B46 04 MOV EAX,DWORD PTR DS:[ESI+4]
0040A4B8 . 8B48 16 MOV ECX,DWORD PTR DS:[EAX+16]
0040A4BB . 51 PUSH ECX
0040A4BC . 83C0 1A ADD EAX,1A
0040A4BF . 50 PUSH EAX
0040A4C0 . 68 7C984300 PUSH 0043987C ; "UPDATE ReportFormats SET RMSref={%s} WHERE (FormatID=%d)"
0040A4C5 . 8BD7 MOV EDX,EDI
0040A4C7 . 52 PUSH EDX
0040A4C8 . E8 9D620100 CALL 0042076A ; sprintf

Note that is not clear if this vulnerability is exploitable for code
execution.

#######################################################################

===========
The Code
===========

http://aluigi.org/poc/igss_7.zip
http://www.exploit-db.com/sploits/igss_7.zip

nc SERVER 12401 < igss_7.dat

#######################################################################

Arbitrary Command Execution:

======
Bug
======

dc.exe is a server running on port 12397 active when the project is
started.

The opcodes 0xa and 0x17 are used for launching the executables located
in the folder of the software but through directory traversal is
possible to execute any arbitrary executable on the disk where is
located the software and specifying any argument for its execution.

#######################################################################

===========
The Code
===========


http://aluigi.org/poc/igss_8.zip
http://www.exploit-db.com/sploits/igss_8.zip

Two examples for executing calc.exe ("calc.exe arg1 arg2 arg3"):
nc SERVER 12397 < igss_8a.dat
nc SERVER 12397 < igss_8b.dat

#######################################################################

======
4) Fix
======

No fix.

#######################################################################