####################################################################### Luigi Auriemma Application: DATAC RealWin http://www.dataconline.com/software/realwin.php http://www.realflex.com Versions: <= 2.1 (Build 6.1.10.10) Platforms: Windows Bug: integer overflow Exploitation: remote, versus server Date: 21 Mar 2011 (found 25 Nov 2010) Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== "RealWin is a SCADA server package for medium / small applications." ####################################################################### ====== 2) Bug ====== The part of the server listening on port 910 is vulnerable to some buffer overflows happening during the handling of the On_FC_MISC_FCS_MSGBROADCAST and On_FC_MISC_FCS_MSGSEND packets where is allocated an amount of memory equal to the 32bit size value provided by the client plus 0x16 resulting in a heap overflow during the subsequent copy of the input data. The bugs are located in different functions but I have grouped them in this same advisory because the format and the performed operations are enough similar (the main difference is the presence of the 16bit value at offset 0x12 of On_FC_MISC_FCS_MSGSEND). List of the vulnerable functions: - realwin_6a: 004326f0 - realwin_6b: 00432ae0 ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/realwin_6.zip nc SERVER 910 < realwin_6?.dat ####################################################################### ====== 4) Fix ====== No fix. #######################################################################