ExploitFixes
Iconics GENESIS32 and GENESIS64 Multiple Vulnerabilities 2011-03-22 15:15:13

Sources:
http://aluigi.org/adv/genesis_1-adv.txt
http://aluigi.org/adv/genesis_2-adv.txt
http://aluigi.org/adv/genesis_3-adv.txt
http://aluigi.org/adv/genesis_4-adv.txt
http://aluigi.org/adv/genesis_5-adv.txt
http://aluigi.org/adv/genesis_6-adv.txt
http://aluigi.org/adv/genesis_7-adv.txt
http://aluigi.org/adv/genesis_8-adv.txt
http://aluigi.org/adv/genesis_9-adv.txt
http://aluigi.org/adv/genesis_10-adv.txt
http://aluigi.org/adv/genesis_11-adv.txt
http://aluigi.org/adv/genesis_12-adv.txt
http://aluigi.org/adv/genesis_13-adv.txt

Advisory Archive: http://www.exploit-db.com/sploits/iconics_genesis_adv.tar.gz
PoC Archive: http://www.exploit-db.com/sploits/iconics_genesis_poc.tar.gz

#######################################################################

Luigi Auriemma

Application: Iconics GENESIS32 and GENESIS64
http://www.iconics.com/Home/Products/HMI-and-SCADA/GENESIS32.aspx
http://www.iconics.com/Home/Products/HMI-and-SCADA/GENESIS64.aspx
Versions: GENESIS32 <= 9.21
GENESIS64 <= 10.51
GenBroker.exe and GenBroker64.exe have the same version in
both products: 9.21.201.01
Date: 21 Mar 2011 (found 08 Jan 2011)
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org

#######################################################################

===============
1) Introduction
===============

Iconics Genesis is a SCADA HMI solution used worldwide, with customers
ranging from the Beijing Traffic Control Center to the Pentagon and
Poste Italiane (source: the vendor's "Case Studies" page).

From the vendor's website:
"GENESIS32™ is the industry's first and only fully scalable suite of
OPC, SNMP, BACnet and Web-enabled HMI and SCADA applications."

#######################################################################

Freeing of Arbitrary Memory:

======
Bug
======

GenBroker is a Windows service running on port 38080.

The addresses and code snippets reported here refer to GENESIS32 9.2.

The service is affected by multiple frees of uninitialized pointers and
of arbitrary memory locations, because:
- the functions that store the string pointers read from the client
  silently break out of the reading loop when the end of the packet is
  reached
- these functions allocate the pointer array with malloc instead of
  calloc, so the slots that are never filled keep whatever the heap
  held before
- the functions that free the arrays don't know if and when the reading
  loop stopped, so they call free() on all the elements specified by
  the attacker in the packet, including the slots that were never
  written

Exploitability depends on how the attacker has prepared the heap: valid
packets sent before the malformed one leave pointers in the memory that
the malformed packet's free loop will later release, so the attacker
chooses which locations get freed. The service is multi-threaded, so
there are many chances of exploitation.

The following is the full list of vulnerable opcodes and the read/free
functions to monitor (referred to version 9.2):

1) opcode 0x4b0:
read loop: 0044ACC0 and 0044AD04
free loop: 004446B0

2) opcode 0x4b2:
read loop: 0044B360
free loop: 004428F0

3) opcode 0x4b5:
read loop: 0044C560
free loop: 00443090

4) function 0044C6B0 used by opcodes 0xDAE and 0xDB0:
read loop: 0044C800
free loop: 00443160

5) opcodes 0x1BBC and 0x1BBD:
read loop: 0044CA90
free loop: 004432A0
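The read-loop/free-loop mismatch described above, reduced to a small C
model. This is an added example and not code from the advisory or from
the GenBroker service: the packet layout (a 32-bit count followed by
NUL-terminated strings), the little-endian byte order and every name in
it are assumptions made for the illustration, and the 0x41 fill stands
in for whatever an earlier, valid packet left in the heap. The
vulnerable path models the service (malloc, silent break at end of
packet) and counts the stale slots its free loop would hand to free();
the hardened path bounds the count by the bytes left in the packet,
uses calloc, frees only what the read loop filled, and rejects a packet
that ends before the declared count is reached.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One parsed string list: a 32-bit count, then that many NUL-terminated
 * strings. Layout and byte order are assumptions for this example. */
typedef struct {
    uint32_t declared;   /* element count taken from the packet */
    uint32_t filled;     /* strings actually read before the packet ended */
    char   **items;
} strlist_t;

static uint32_t get_u32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hardened free loop: release only the slots the read loop filled. With a
 * calloc'd array the unfilled slots are NULL anyway, so even a loop over
 * `declared` would be harmless; stopping at `filled` is belt and braces. */
void free_strlist(strlist_t *l)
{
    for (uint32_t i = 0; i < l->filled; i++) free(l->items[i]);
    free(l->items);
    l->items = NULL;
    l->declared = l->filled = 0;
}

/* Read loop. hardened == 0 models the service: malloc'd pointer array and a
 * silent break when the packet ends, so items[filled..declared) are never
 * written. hardened != 0 bounds the count, uses calloc and rejects a packet
 * that ends before the declared count is reached. */
int parse_strlist(const uint8_t *pkt, size_t len, int hardened, strlist_t *out)
{
    if (len < 4) return -1;
    uint32_t n = get_u32(pkt);
    const uint8_t *p = pkt + 4, *end = pkt + len;
    size_t slots = n ? n : 1;

    /* Every string needs at least its NUL byte, so more elements than
     * remaining bytes is malformed; this also bounds the allocation. */
    if (hardened && n > (size_t)(end - p)) return -1;

    char **items = hardened ? calloc(slots, sizeof *items)
                            : malloc(slots * sizeof *items);
    if (!items) return -1;
    if (!hardened)   /* stand-in for stale heap content from earlier packets */
        memset(items, 0x41, slots * sizeof *items);

    uint32_t i;
    for (i = 0; i < n; i++) {
        if (p >= end) break;                          /* the silent break */
        const uint8_t *nul = memchr(p, 0, (size_t)(end - p));
        if (!nul) break;                              /* unterminated string */
        size_t slen = (size_t)(nul - p);
        items[i] = malloc(slen + 1);
        if (!items[i]) break;
        memcpy(items[i], p, slen + 1);
        p = nul + 1;
    }
    out->declared = n;
    out->filled = i;
    out->items = items;

    if (hardened && i < n) {          /* truncated: release and reject */
        free_strlist(out);
        return -1;
    }
    return 0;
}

/* The vulnerable free loop walks all `declared` slots. Instead of calling
 * free() on the unfilled ones (that call is the bug), count how many
 * non-NULL stale pointers it would pass to free(). */
uint32_t stale_slots_in_free_loop(const strlist_t *l)
{
    uint32_t stale = 0;
    for (uint32_t i = l->filled; i < l->declared; i++)
        if (l->items[i] != NULL) stale++;
    return stale;
}

/* Constructed packets: short_pkt declares 4 strings but carries 2. */
static const uint8_t short_pkt[] = {
    4, 0, 0, 0,
    't','a','g','1', 0,  't','a','g','2', 0
};
static const uint8_t full_pkt[] = {
    2, 0, 0, 0,
    't','a','g','1', 0,  't','a','g','2', 0
};

int main(void)
{
    strlist_t v, h;
    parse_strlist(short_pkt, sizeof short_pkt, 0, &v);
    printf("vulnerable: declared %u, filled %u, stale slots the free loop "
           "would free: %u\n", v.declared, v.filled, stale_slots_in_free_loop(&v));
    free_strlist(&v);   /* safe: only the filled slots are released */

    printf("hardened, short packet: %s\n",
           parse_strlist(short_pkt, sizeof short_pkt, 1, &h) == 0 ? "accepted" : "rejected");
    if (parse_strlist(full_pkt, sizeof full_pkt, 1, &h) == 0) {
        printf("hardened, full packet: filled %u of %u\n", h.filled, h.declared);
        free_strlist(&h);
    }
    return 0;
}
```

The two stale slots in the vulnerable run are exactly the elements the
service's free loop would hand to free(): on the real target they hold
pointers left by earlier packets, which is what makes the free
attacker-controlled.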

#######################################################################

===========
The Code
===========

http://aluigi.org/poc/genesis_1.zip
http://www.exploit-db.com/sploits/genesis_1.zip

#######################################################################

Remote Integer Overflow:

======
Bug
======

GenBroker is a Windows service running on port 38080.

The addresses and code snippets reported here refer to GENESIS32 9.2.

The service is affected by an integer overflow vulnerability in the
handling of the opcodes 0x3f0, 0x138F, 0x1390, 0x1391, 0x1392, 0x1393,
0x1394, 0x1C86, 0x89a, 0x89b, 0x450, 0x451, 0x454, 0x455, 0x1C20 and
0x1C24, all of which use the function 0044D1C0.

The problem is caused by allocating the memory for an array from a
number of elements taken from the client without validation: the
32-bit product (count * 8) wraps, the buffer is too small, and the
subsequent writes corrupt the heap.

The resulting memory corruptions (calls through attacker-controlled
registers, calls through attacker-controlled memory locations, writes
to arbitrary locations and so on) allow code execution.

Fields in the packet:
the packet format depends on the opcode; the function 0044D1C0 reads
one 32-bit field before the one used for the allocation.

Vulnerable code:
0044D2A2 |. E8 C99EFCFF CALL 00417170 ; get 32bit
0044D2A7 |. 8D4424 1C LEA EAX,DWORD PTR SS:[ESP+1C]
0044D2AB |. 50 PUSH EAX
0044D2AC |. 8BCE MOV ECX,ESI
0044D2AE |. E8 BD9EFCFF CALL 00417170
0044D2B3 |. 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+10]
0044D2B7 |. 8D14CD 000000>LEA EDX,DWORD PTR DS:[ECX*8] ; * 8
0044D2BE |. 52 PUSH EDX
0044D2BF |. E8 F49E0500 CALL <JMP.&MFC71U.#265> ; malloc


#######################################################################

===========
The Code
===========

http://aluigi.org/poc/genesis_iof.zip
http://www.exploit-db.com/sploits/genesis_iof.zip

genesis_iof 1 SERVER

#######################################################################

Remote Integer Overflow:

======
Bug
======

GenBroker is a Windows service running on port 38080.

The addresses and code snippets reported here refer to GENESIS32 9.2.

The service is affected by an integer overflow vulnerability in the
handling of the opcode 0x453: the memory for an array is allocated from
a number of elements taken from the client without validation, so the
32-bit product (count * 4) wraps and leaves a buffer that is too small.

The resulting memory corruptions (calls through attacker-controlled
registers, calls through attacker-controlled memory locations, writes
to arbitrary locations and so on) allow code execution.

Fields in the packet:
string
string
string
string
32
32
32
16
32
32
32 malloc(x * 4)

Vulnerable code:
0044BEB5 |. E8 B6B2FCFF CALL 00417170 ; get 32bit
0044BEBA |. 8B03 MOV EAX,DWORD PTR DS:[EBX]
0044BEBC |. 3BC5 CMP EAX,EBP
0044BEBE |. 76 56 JBE SHORT 0044BF16
0044BEC0 |. C1E0 02 SHL EAX,2 ; * 4
0044BEC3 |. 50 PUSH EAX
0044BEC4 |. FF15 98FA8400 CALL DWORD PTR DS:[<&MSVCR71.malloc>] ; malloc

#######################################################################

===========
The Code
===========

http://aluigi.org/poc/genesis_iof.zip
http://www.exploit-db.com/sploits/genesis_iof.zip

genesis_iof 2 SERVER

#######################################################################

Remote Integer Overflow:

======
Bug
======

GenBroker is a Windows service running on port 38080.

The addresses and code snippets reported here refer to GENESIS32 9.2.

The service is affected by three integer overflow vulnerabilities in
the handling of the opcode 0x4b0: the memory for three arrays is
allocated from element counts taken from the client without
validation, so each 32-bit product (count * 4) can wrap and leave a
buffer that is too small.

The resulting memory corruptions (calls through attacker-controlled
registers, calls through attacker-controlled memory locations, writes
to arbitrary locations and so on) allow code execution.

Fields in the packet:
string
string
32
32
32
32
32
32
32
32
32 malloc(x * 4)
...
32 malloc(x * 4)
...
32 malloc(x * 4)

Vulnerable code:
0044AC26 |. E8 45C5FCFF CALL 00417170 ; get 32bit
0044AC2B |. 8B45 00 MOV EAX,DWORD PTR SS:[EBP]
0044AC2E |. C1E0 02 SHL EAX,2 ; * 4
0044AC31 |. 50 PUSH EAX
0044AC32 |. E8 81C50500 CALL <JMP.&MFC71U.#265> ; malloc
...
0044AC95 |. 8B47 28 MOV EAX,DWORD PTR DS:[EDI+28]
0044AC98 |. C1E0 02 SHL EAX,2 ; * 4
0044AC9B |. 50 PUSH EAX
0044AC9C |. C74424 20 020>MOV DWORD PTR SS:[ESP+20],2
0044ACA4 |. E8 0FC50500 CALL <JMP.&MFC71U.#265> ; malloc
...
0044ACE9 |> 8B47 30 MOV EAX,DWORD PTR DS:[EDI+30]
0044ACEC |. C1E0 02 SHL EAX,2 ; * 4
0044ACEF |. 50 PUSH EAX
0044ACF0 |. E8 C3C40500 CALL <JMP.&MFC71U.#265> ; malloc

#######################################################################

===========
The Code
===========

http://aluigi.org/poc/genesis_iof.zip
http://www.exploit-db.com/sploits/genesis_iof.zip

genesis_iof 3 SERVER

#######################################################################

Remote Integer Overflow:

======
Bug
======


GenBroker is a Windows service running on port 38080.

The addresses and code snippets reported here refer to GENESIS32 9.2.

The service is affected by an integer overflow vulnerability in the
handling of the opcode 0x4b2: a single element count taken from the
client without validation is used for four allocations (count * 4,
count * 4, count * 8 and count * 4), so the 32-bit products can wrap
and leave buffers that are too small.

The resulting memory corruptions (calls through attacker-controlled
registers, calls through attacker-controlled memory locations, writes
to arbitrary locations and so on) allow code execution.

Fields in the packet:
32 malloc(x * 4)

Vulnerable code:
0044B2E9 |. 8B17 MOV EDX,DWORD PTR DS:[EDI] ; get 32bit
0044B2EB |. C1E2 02 SHL EDX,2 ; * 4
0044B2EE |. 52 PUSH EDX
0044B2EF |. 8947 08 MOV DWORD PTR DS:[EDI+8],EAX
0044B2F2 |. E8 C1BE0500 CALL <JMP.&MFC71U.#265> ; malloc
0044B2F7 |. 8947 0C MOV DWORD PTR DS:[EDI+C],EAX
0044B2FA |. 8B07 MOV EAX,DWORD PTR DS:[EDI]
0044B2FC |. C1E0 02 SHL EAX,2 ; * 4
0044B2FF |. 50 PUSH EAX
0044B300 |. E8 B3BE0500 CALL <JMP.&MFC71U.#265> ; malloc
0044B305 |. 8B0F MOV ECX,DWORD PTR DS:[EDI]
0044B307 |. C1E1 03 SHL ECX,3 ; * 8
0044B30A |. 51 PUSH ECX
0044B30B |. 8947 10 MOV DWORD PTR DS:[EDI+10],EAX
0044B30E |. E8 A5BE0500 CALL <JMP.&MFC71U.#265> ; malloc
0044B313 |. 8B17 MOV EDX,DWORD PTR DS:[EDI]
0044B315 |. C1E2 02 SHL EDX,2 ; * 4
0044B318 |. 52 PUSH EDX
0044B319 |. 8947 14 MOV DWORD PTR DS:[EDI+14],EAX
0044B31C |. E8 97BE0500 CALL <JMP.&MFC71U.#265> ; malloc

#######################################################################

===========
The Code
===========

http://aluigi.org/poc/genesis_iof.zip
http://www.exploit-db.com/sploits/genesis_iof.zip

genesis_iof 4 SERVER

#######################################################################

Remote Integer Overflow:

======
Bug
======

GenBroker is a Windows service running on port 38080.

The addresses and code snippets reported here refer to GENESIS32 9.2.

The service is affected by an integer overflow vulnerability in the
handling of the opcode 0x4b5: the memory for an array is allocated
(through CoTaskMemAlloc) from a number of elements taken from the
client without validation, so the 32-bit product (count * 4) wraps and
leaves a buffer that is too small.

The resulting memory corruptions (calls through attacker-controlled
registers, calls through attacker-controlled memory locations, writes
to arbitrary locations and so on) allow code execution.

Fields in the packet:
string
string
32
32
32 malloc(x * 4)

Vulnerable code:
0044C538 |. E8 33ACFCFF CALL 00417170 ; get 32bit
0044C53D |. 8B45 00 MOV EAX,DWORD PTR SS:[EBP]
0044C540 |. 85C0 TEST EAX,EAX
0044C542 |. 76 6C JBE SHORT 0044C5B0
0044C544 |. 8D1485 000000>LEA EDX,DWORD PTR DS:[EAX*4] ; * 4
0044C54B |. 52 PUSH EDX
0044C54C |. FF15 C0FF8400 CALL DWORD PTR DS:[<&ole32.CoTaskMemAlloc>] ; ole32.CoTaskMemAlloc

#######################################################################

===========
The Code
===========

http://aluigi.org/poc/genesis_iof.zip
http://www.exploit-db.com/sploits/genesis_iof.zip

genesis_iof 5 SERVER

#######################################################################

Remote Integer Overflow:

======
Bug
======

GenBroker is a Windows service running on port 38080.

The addresses and code snippets reported here refer to GENESIS32 9.2.

The service is affected by an integer overflow vulnerability in the
handling of the opcode 0x7d0: the memory for an array is allocated from
a number of elements taken from the client without validation, so the
32-bit product (count * 4) wraps and leaves a buffer that is too small.

The resulting memory corruptions (calls through attacker-controlled
registers, calls through attacker-controlled memory locations, writes
to arbitrary locations and so on) allow code execution.

Fields in the packet:
string
string
string
32
32 malloc(x * 4)

Vulnerable code:
0044A44C |. E8 1FCDFCFF CALL 00417170 ; get 32bit
0044A451 |. 8B03 MOV EAX,DWORD PTR DS:[EBX]
0044A453 |. 85C0 TEST EAX,EAX
0044A455 |.^ 74 C2 JE SHORT 0044A419
0044A457 |. 8D0C85 000000>LEA ECX,DWORD PTR DS:[EAX*4] ; * 4
0044A45E |. 51 PUSH ECX
0044A45F |. E8 54CD0500 CALL <JMP.&MFC71U.#265> ; malloc

#######################################################################

===========
The Code
===========

http://aluigi.org/poc/genesis_iof.zip
http://www.exploit-db.com/sploits/genesis_iof.zip

genesis_iof 6 SERVER

#######################################################################

Remote Integer Overflow:

======
Bug
======

GenBroker is a Windows service running on port 38080.

The addresses and code snippets reported here refer to GENESIS32 9.2.

The service is affected by an integer overflow vulnerability in the
handling of the opcodes 0xdae and 0xdb0, which use the function
0044C6B0: the memory for two arrays is allocated from an element count
taken from the client without validation, so the 32-bit products
(count * 4) can wrap and leave buffers that are too small.

The resulting memory corruptions (calls through attacker-controlled
registers, calls through attacker-controlled memory locations, writes
to arbitrary locations and so on) allow code execution.

Vulnerable code:
0044C7C8 |. E8 A3A9FCFF CALL 00417170 ; get 32bit
0044C7CD |. 8B07 MOV EAX,DWORD PTR DS:[EDI]
0044C7CF |. 85C0 TEST EAX,EAX
0044C7D1 |.^ 74 C5 JE SHORT 0044C798
0044C7D3 |. C1E0 02 SHL EAX,2 ; * 4
0044C7D6 |. 50 PUSH EAX
0044C7D7 |. E8 DCA90500 CALL <JMP.&MFC71U.#265> ; malloc
0044C7DC |. 8B0F MOV ECX,DWORD PTR DS:[EDI]
0044C7DE |. C1E1 02 SHL ECX,2 ; * 4
0044C7E1 |. 51 PUSH ECX
0044C7E2 |. 8947 04 MOV DWORD PTR DS:[EDI+4],EAX
0044C7E5 |. E8 CEA90500 CALL <JMP.&MFC71U.#265> ; malloc

#######################################################################

===========
The Code
===========

http://aluigi.org/poc/genesis_iof.zip
http://www.exploit-db.com/sploits/genesis_iof.zip

genesis_iof 7 SERVER

#######################################################################

Remote Integer Overflow:

======
Bug
======

GenBroker is a Windows service running on port 38080.

The addresses and code snippets reported here refer to GENESIS32 9.2.

The service is affected by an integer overflow vulnerability in the
handling of the opcode 0xfa4: the memory for an array is allocated from
a number of elements taken from the client without validation, so the
32-bit product (count * 8) wraps and leaves a buffer that is too small.

The resulting memory corruptions (calls through attacker-controlled
registers, calls through attacker-controlled memory locations, writes
to arbitrary locations and so on) allow code execution.

Fields in the packet:
32 malloc(x * 8)

Vulnerable code:
0044495D |. E8 0E28FDFF CALL 00417170 ; get 32bit
00444962 |. 8B07 MOV EAX,DWORD PTR DS:[EDI]
00444964 |. 3BC5 CMP EAX,EBP
00444966 |.^ 76 C7 JBE SHORT 0044492F
00444968 |. 8D14C5 000000>LEA EDX,DWORD PTR DS:[EAX*8] ; * 8
0044496F |. 52 PUSH EDX
00444970 |. E8 43280600 CALL <JMP.&MFC71U.#265> ; malloc

#######################################################################

===========
The Code
===========

http://aluigi.org/poc/genesis_iof.zip
http://www.exploit-db.com/sploits/genesis_iof.zip

genesis_iof 8 SERVER

#######################################################################

Remote Integer Overflow:

======
Bug
======

GenBroker is a Windows service running on port 38080.

The addresses and code snippets reported here refer to GENESIS32 9.2.

The service is affected by an integer overflow vulnerability in the
handling of the opcode 0xfa7: the memory for an array is allocated from
a number of elements taken from the client without validation, so the
32-bit product (count * 4) wraps and leaves a buffer that is too small.

The resulting memory corruptions (calls through attacker-controlled
registers, calls through attacker-controlled memory locations, writes
to arbitrary locations and so on) allow code execution.

Fields in the packet:
32 malloc(x * 4)

Vulnerable code:
00444B0D |. E8 5E26FDFF CALL 00417170 ; get 32bit
00444B12 |. 8B07 MOV EAX,DWORD PTR DS:[EDI]
00444B14 |. 85C0 TEST EAX,EAX
00444B16 |.^ 76 C1 JBE SHORT 00444AD9
00444B18 |. 8D1485 000000>LEA EDX,DWORD PTR DS:[EAX*4] ; * 4
00444B1F |. 52 PUSH EDX
00444B20 |. E8 93260600 CALL <JMP.&MFC71U.#265> ; malloc

#######################################################################

===========
The Code
===========

http://aluigi.org/poc/genesis_iof.zip
http://www.exploit-db.com/sploits/genesis_iof.zip

genesis_iof 9 SERVER

#######################################################################

Remote Integer Overflow:

======
Bug
======

GenBroker is a Windows service running on port 38080.

The addresses and code snippets reported here refer to GENESIS32 9.2.

The service is affected by an integer overflow vulnerability in the
handling of the opcodes 0x1BBC and 0x1BBD: the memory for an array is
allocated from a number of elements taken from the client without
validation, so the 32-bit product (count * 4) wraps and leaves a buffer
that is too small.

The resulting memory corruptions (calls through attacker-controlled
registers, calls through attacker-controlled memory locations, writes
to arbitrary locations and so on) allow code execution.

Fields in the packet:
string
string
32
string
string
string
32 malloc(x * 4)

Vulnerable code:
0044CA69 |. E8 02A7FCFF CALL 00417170 ; get 32bit
0044CA6E |. 8B03 MOV EAX,DWORD PTR DS:[EBX]
0044CA70 |. 85C0 TEST EAX,EAX
0044CA72 |. 76 6C JBE SHORT 0044CAE0
0044CA74 |. C1E0 02 SHL EAX,2 ; * 4
0044CA77 |. 50 PUSH EAX
0044CA78 |. E8 3BA70500 CALL <JMP.&MFC71U.#265> ; malloc

#######################################################################

===========
The Code
===========

http://aluigi.org/poc/genesis_iof.zip
http://www.exploit-db.com/sploits/genesis_iof.zip

genesis_iof 10 SERVER

#######################################################################

Remote Integer Overflow:

======
Bug
======

GenBroker is a Windows service running on port 38080.

The addresses and code snippets reported here refer to GENESIS32 9.2.

The service is affected by an integer overflow vulnerability in the
handling of the opcode 0x1C84: the memory for an array is allocated
from a number of elements taken from the client without validation, so
the 32-bit product (count * 16) wraps and leaves a buffer that is too
small.

The resulting memory corruptions (calls through attacker-controlled
registers, calls through attacker-controlled memory locations, writes
to arbitrary locations and so on) allow code execution.

Fields in the packet:
string
string
32
32 malloc(x * 16)

Vulnerable code:
0044CBE2 |. E8 89A5FCFF CALL 00417170 ; get 32bit
0044CBE7 |. 8B03 MOV EAX,DWORD PTR DS:[EBX]
0044CBE9 |. 3BC5 CMP EAX,EBP
0044CBEB |. 76 3C JBE SHORT 0044CC29
0044CBED |. C1E0 04 SHL EAX,4 ; * 16
0044CBF0 |. 50 PUSH EAX
0044CBF1 |. E8 C2A50500 CALL <JMP.&MFC71U.#265> ; malloc

#######################################################################

===========
The Code
===========

http://aluigi.org/poc/genesis_iof.zip
http://www.exploit-db.com/sploits/genesis_iof.zip

genesis_iof 11 SERVER

#######################################################################

Remote Integer Overflow:

======
Bug
======

GenBroker is a Windows service running on port 38080.

The addresses and code snippets reported here refer to GENESIS32 9.2.

The service is affected by an integer overflow vulnerability in the
handling of the opcode 0x26ac: the memory for an array is allocated
from a number of elements taken from the client without validation, so
the 32-bit product (count * 4) wraps and leaves a buffer that is too
small.

The resulting memory corruptions (calls through attacker-controlled
registers, calls through attacker-controlled memory locations, writes
to arbitrary locations and so on) allow code execution.

Fields in the packet:
32 malloc(x * 4)

Vulnerable code:
00445AC7 |. E8 A416FDFF CALL 00417170 ; get 32bit
00445ACC |. 8B03 MOV EAX,DWORD PTR DS:[EBX]
00445ACE |. 85C0 TEST EAX,EAX
00445AD0 |.^ 76 BE JBE SHORT 00445A90
00445AD2 |. 8D1485 000000>LEA EDX,DWORD PTR DS:[EAX*4] ; * 4
00445AD9 |. 52 PUSH EDX
00445ADA |. E8 D9160600 CALL <JMP.&MFC71U.#265> ; malloc
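The allocation pattern shared by all the integer-overflow sections
above, from the handlers that use 0044D1C0 down to opcode 0x26ac, as
an added C example that is not code from the advisory or from
GenBroker: the 32-bit count read from the client is multiplied by the
element size (the "SHL EAX,2" / "LEA EDX,[EAX*8]" / "SHL EAX,4" in the
listings), the product wraps modulo 2^32, and a tiny buffer is handed
to malloc for a huge element count. The packet layout (a 32-bit count
followed by the elements), the byte order, what the copy loop does
after the allocation and every name here are assumptions; the overrun
is computed rather than performed. The hardened path rejects a count
whose byte size would wrap in the target's 32-bit arithmetic and a
count larger than the bytes left in the packet can hold; the product
is kept in uint32_t so the wrap reproduces even when this is compiled
as a 64-bit program.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Little-endian 32-bit field, as the service's "get 32bit" helper
 * (00417170) is assumed to read it. Byte order is an assumption. */
static uint32_t get_u32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable size computation, kept in 32-bit arithmetic like the
 * "SHL EAX,2" / "LEA EDX,[EAX*8]" in the listings: the product wraps
 * modulo 2^32, so 0x40000001 * 4 == 4 and 0x40000000 * 4 == 0. */
uint32_t vuln_alloc_size(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;
}

/* Bytes the element-copy loop would write past the wrapped allocation,
 * assuming it copies min(count, elements present in the packet). Computed
 * rather than performed: performing it is the heap corruption. */
size_t vuln_overrun_bytes(uint32_t count, uint32_t elem_size, size_t pkt_elems)
{
    size_t allocated = vuln_alloc_size(count, elem_size);
    size_t present   = count < pkt_elems ? count : pkt_elems;
    size_t copied    = present * elem_size;
    return copied > allocated ? copied - allocated : 0;
}

/* Hardened size computation. The first check is the one the listings
 * lack: reject a count whose byte size would wrap in 32-bit arithmetic.
 * The second also rejects a count that does not wrap but still exceeds
 * what the remaining bytes of the packet can carry. */
int safe_alloc_size(uint32_t count, uint32_t elem_size,
                    size_t bytes_remaining, size_t *out)
{
    if (elem_size == 0 || count > UINT32_MAX / elem_size)
        return -1;                              /* product would wrap */
    if (count > bytes_remaining / elem_size)
        return -1;                              /* more elements than bytes */
    *out = (size_t)count * elem_size;
    return 0;
}

/* Hardened handler for a [u32 count][count * elem_size bytes] field.
 * Returns the element count, or -1 if the packet is rejected. */
long handle_array_safe(const uint8_t *pkt, size_t len, uint32_t elem_size)
{
    if (len < 4) return -1;
    uint32_t count = get_u32(pkt);
    size_t nbytes;
    if (safe_alloc_size(count, elem_size, len - 4, &nbytes) != 0)
        return -1;
    uint8_t *arr = malloc(nbytes ? nbytes : 1);
    if (!arr) return -1;
    memcpy(arr, pkt + 4, nbytes);               /* bounded by the check */
    free(arr);
    return (long)count;
}

/* Constructed packets (not real GenBroker traffic): a count of 3 with
 * three 4-byte elements, and a count of 0x40000001 with 8 bytes after. */
static const uint8_t good_pkt[] = { 3,0,0,0,  1,0,0,0, 2,0,0,0, 3,0,0,0 };
static const uint8_t evil_pkt[] = { 0x01,0x00,0x00,0x40,  0,0,0,0, 0,0,0,0 };

int main(void)
{
    printf("0x40000001 * 4 in 32 bits = %u bytes allocated\n",
           vuln_alloc_size(0x40000001u, 4));
    printf("copy loop over a 100-element packet would overrun by %zu bytes\n",
           vuln_overrun_bytes(0x40000001u, 4, 100));
    printf("hardened: good packet -> %ld, evil packet -> %ld\n",
           handle_array_safe(good_pkt, sizeof good_pkt, 4),
           handle_array_safe(evil_pkt, sizeof evil_pkt, 4));
    return 0;
}
```

The same two checks apply to the count * 8 and count * 16 variants;
only elem_size changes. A count that passes the wrap check but not the
length check (for example 3 elements declared with 8 bytes left) is
the truncated-packet case, and rejecting it up front also avoids the
read-loop early exit that the free-of-uninitialized-pointers section
relies on.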

#######################################################################

===========
The Code
===========

http://aluigi.org/poc/genesis_iof.zip
http://www.exploit-db.com/sploits/genesis_iof.zip

genesis_iof 12 SERVER

#######################################################################

======
4) Fix
======

No fix.

#######################################################################