#######################################################################

                             Luigi Auriemma

Application:  DATAC RealWin
              http://www.dataconline.com/software/realwin.php
              http://www.realflex.com
Versions:     <= 2.1 (Build 6.1.10.10)
Platforms:    Windows
Bug:          integer overflow
Exploitation: remote, versus server
Date:         21 Mar 2011 (found 25 Nov 2010)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


"RealWin is a SCADA server package for medium / small applications."


#######################################################################

=======
2) Bugs
=======


The part of the server listening on port 910 is vulnerable to some
buffer overflows happening during the handling of the
On_FC_MISC_FCS_MSGBROADCAST and On_FC_MISC_FCS_MSGSEND packets: the
server allocates an amount of memory equal to the 32-bit size value
provided by the client plus 0x16, and since that addition can wrap
around, a large size yields a small allocation and the subsequent copy
of the input data overflows the heap.

The bugs are located in different functions but I have grouped them in
this same advisory because the format and the performed operations are
similar enough (the main difference is the presence of the 16-bit value
at offset 0x12 of On_FC_MISC_FCS_MSGSEND).

List of the vulnerable functions:
- realwin_6a: 004326f0
- realwin_6b: 00432ae0
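The allocation-size computation described above and the check that would prevent it, as an added illustration that is not code from this advisory or from RealWin (the names HDR_OVERHEAD, unchecked_alloc_size, checked_alloc_size, handle_message and demo_handle are assumptions, as is the constructed payload). The first function reproduces the 32-bit wrap-around; the second rejects lengths that would wrap or that exceed the data actually received.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Fixed overhead added to the client-supplied size, as stated in the
 * advisory (0x16). All names in this example are assumptions. */
#define HDR_OVERHEAD 0x16u

/* Size computed the way the advisory describes: 32-bit client length plus
 * overhead, no wrap-around check. Wraps to a tiny value for huge lengths. */
uint32_t unchecked_alloc_size(uint32_t client_len)
{
    return client_len + HDR_OVERHEAD;
}

/* Hardened form. Returns 0 (never a valid size) if the addition would wrap
 * or if the declared length exceeds the bytes actually received. */
size_t checked_alloc_size(uint32_t client_len, size_t bytes_available)
{
    if (client_len > UINT32_MAX - HDR_OVERHEAD)
        return 0;                 /* client_len + 0x16 would not fit in 32 bits */
    if (client_len > bytes_available)
        return 0;                 /* length field claims more data than was sent */
    return (size_t)client_len + HDR_OVERHEAD;
}

/* Handler built on the check: allocate, then copy only what provably fits.
 * Returns 0 on success, -1 when the message is rejected. */
int handle_message(const uint8_t *payload, size_t payload_len, uint32_t declared_len)
{
    size_t need = checked_alloc_size(declared_len, payload_len);
    if (need == 0)
        return -1;
    uint8_t *buf = malloc(need);
    if (!buf)
        return -1;
    memcpy(buf + HDR_OVERHEAD, payload, declared_len);
    free(buf);
    return 0;
}

/* Constructed 8-byte payload standing in for a received message body. */
int demo_handle(uint32_t declared_len)
{
    static const uint8_t payload[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
    return handle_message(payload, sizeof payload, declared_len);
}
```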


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/realwin_6.zip

  nc SERVER 910 < realwin_6?.dat


#######################################################################

======
4) Fix
======


No fix.


#######################################################################