#######################################################################

                             Luigi Auriemma

Application:  IGSS (Interactive Graphical SCADA System)
              http://www.igss.com
              http://www.7t.dk
Versions:     IGSSdataServer.exe <= 9.00.00.11063
Platforms:    Windows
Bug:          format string
Exploitation: remote, versus server
Date:         21 Mar 2011 (found 10 Jan 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


IGSS (Interactive Graphical SCADA System) is a SCADA solution developed
by 7-Technologies and used mainly in Denmark and the US.

Information from the vendor's website:
"IGSS is the complete automation software - a SCADA system for process
control and supervision - with a long row of releases since the start
of 7T 25 years ago.
At that time, 7T was the first company in the world to develop an
object oriented and mouse operated SCADA system under the name of
IGSS."


#######################################################################

======
2) Bug
======


IGSSdataServer.exe is a server listening on port 12401 that is active
when a project is started.

The logging function Shmemmgr.logText, which places messages in GSST.LOG,
has a printf-like prototype, but the function at 0040cec0 that handles
all the internal logs doesn't provide the necessary format argument when
calling it, so the message itself is used as the format string:

  0040CF5B  |>  8D4424 04     LEA EAX,DWORD PTR SS:[ESP+4]
  0040CF5F  |.  50            PUSH EAX
  0040CF60  |.  57            PUSH EDI
  0040CF61  |.  6A 0D         PUSH 0D
  0040CF63  |.  6A 01         PUSH 1
  0040CF65  |.  FF15 6C834300 CALL DWORD PTR DS:[<&Shmemmgr9.logText>]  ; Shmemmgr.logText
  ...
  005A55E6   .  8B4D EC       MOV ECX,DWORD PTR SS:[EBP-14]
  005A55E9   .  51            PUSH ECX
  005A55EA   .  8B55 14       MOV EDX,DWORD PTR SS:[EBP+14]
  005A55ED   .  52            PUSH EDX
  005A55EE   .  68 00280000   PUSH 2800
  005A55F3   .  8D85 E8D7FFFF LEA EAX,DWORD PTR SS:[EBP-2818]
  005A55F9   .  50            PUSH EAX
  005A55FA   .  FF15 20026200 CALL DWORD PTR DS:[<&MSVCR90.vsprintf_s>] ; MSVCR90.vsprintf_s

Note that it is not clear whether this vulnerability is exploitable for
code execution.
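As an added illustration, not taken from the advisory or from the vendor's code, a C stand-in for the call pattern above: a printf-like logger, the call site that hands the message over as the format string, and the corrected call that passes a constant "%s" format. Everything except the name logText (the vsnprintf body, the wrapper names, the triage helper and the "100%% done" sample message) is an assumption made for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_MAX 0x2800      /* buffer size pushed to vsprintf_s in the disassembly */

static char g_log[LOG_MAX]; /* stands in for the line written to GSST.LOG */

/* Assumed stand-in for Shmemmgr.logText: printf-like, formats into g_log.
 * (vsnprintf here; the real binary calls vsprintf_s.) Marking it with gcc's
 * format(printf,3,4) attribute would make -Wformat-security flag the bad call. */
static int logText(int level, int id, const char *fmt, ...)
{
    va_list ap;
    int n;
    (void)level; (void)id;
    va_start(ap, fmt);
    n = vsnprintf(g_log, sizeof g_log, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable pattern, as at 0040CF5B: the message itself is passed as fmt,
 * so every '%' in data received on port 12401 is parsed as a directive. */
int log_internal_vuln(const char *msg)
{
    return logText(1, 0x0d, msg);
}

/* Fixed pattern: a constant format; the message is only ever a %s argument. */
int log_internal_fixed(const char *msg)
{
    return logText(1, 0x0d, "%s", msg);
}

const char *log_line(void) { return g_log; }

/* Defender-side triage check: does a message carry a format directive
 * ('%' not followed by another '%')? */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        return 1;
    }
    return 0;
}
```

With the sample message "100%% done" the vulnerable path logs "100% done" (the "%%" was interpreted), while the fixed path logs the bytes verbatim; the difference is the same one that turns attacker-supplied directives into parsed format specifiers in the real call site.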


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/igss_6.zip

  nc SERVER 12401 < igss_6.dat


#######################################################################

======
4) Fix
======


No fix.

UPDATE 24 Mar 2011:
version 11083


#######################################################################