DATAC RealWin <= 2.1 (Build 6.1.10.10) integer overflow

2011-04-06 / 2011-04-07
Risk: High
Local: No
Remote: Yes
CWE: CWE-189


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

#######################################################################

                             Luigi Auriemma

Application:  DATAC RealWin
              http://www.dataconline.com/software/realwin.php
              http://www.realflex.com
Versions:     <= 2.1 (Build 6.1.10.10)
Platforms:    Windows
Bug:          integer overflow
Exploitation: remote, versus server
Date:         21 Mar 2011 (found 25 Nov 2010)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

"RealWin is a SCADA server package for medium / small applications."

#######################################################################

======
2) Bug
======

The part of the server listening on port 910 is vulnerable to some
buffer overflows that happen during the handling of the
On_FC_MISC_FCS_MSGBROADCAST and On_FC_MISC_FCS_MSGSEND packets: the
server allocates an amount of memory equal to the 32bit size value
provided by the client plus 0x16, so a size value close to the 32bit
maximum wraps the allocation to a small buffer and the subsequent copy
of the input data overflows the heap.

The bugs are located in different functions but I have grouped them in
this same advisory because the format and the performed operations are
similar enough (the main difference is the presence of the 16bit value
at offset 0x12 of On_FC_MISC_FCS_MSGSEND).

List of the vulnerable functions:
- realwin_6a: 004326f0
- realwin_6b: 00432ae0

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/realwin_6.zip

  nc SERVER 910 < realwin_6?.dat

#######################################################################

======
4) Fix
======

No fix.

#######################################################################
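As an added illustration, not part of Auriemma's advisory or of the RealWin code, the allocation arithmetic the advisory describes is shown beside a hardened length check. The message layout (a 4-byte little-endian size followed by the payload), the FCS_MAX_PAYLOAD cap and the function names are assumptions; only the "+ 0x16" and the 32-bit size come from the advisory.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define FCS_HDR_EXTRA   0x16u     /* bytes the server adds to the client size (from the advisory) */
#define FCS_MAX_PAYLOAD 0x10000u  /* assumed policy cap; not from the advisory */

/* The vulnerable arithmetic: a 32-bit add with no wrap check. Returns the
 * size the server would pass to its allocator; it becomes tiny when
 * client_len exceeds UINT32_MAX - FCS_HDR_EXTRA. */
uint32_t fcs_alloc_size_unchecked(uint32_t client_len) {
    return client_len + FCS_HDR_EXTRA;
}

/* Hardened check: reject any size that would wrap, and anything above the
 * policy cap (a real server knows how big a broadcast/send message can be). */
bool fcs_len_ok(uint32_t client_len) {
    if (client_len > UINT32_MAX - FCS_HDR_EXTRA) return false;  /* would wrap */
    if (client_len > FCS_MAX_PAYLOAD) return false;              /* over the cap */
    return true;
}

/* Handle one constructed message: 4-byte little-endian length, then payload.
 * On success *out receives a heap buffer with the payload at offset
 * FCS_HDR_EXTRA and the payload length is returned; -1 means rejected. */
int fcs_handle(const uint8_t *msg, size_t msg_len, uint8_t **out) {
    if (msg_len < 4) return -1;
    uint32_t client_len = (uint32_t)msg[0] | ((uint32_t)msg[1] << 8) |
                          ((uint32_t)msg[2] << 16) | ((uint32_t)msg[3] << 24);
    if (!fcs_len_ok(client_len)) return -1;
    if (msg_len - 4 < client_len) return -1;   /* claimed length exceeds bytes received */
    uint8_t *buf = malloc(client_len + FCS_HDR_EXTRA);  /* cannot wrap after fcs_len_ok */
    if (buf == NULL) return -1;
    memset(buf, 0, FCS_HDR_EXTRA);
    memcpy(buf + FCS_HDR_EXTRA, msg + 4, client_len);
    *out = buf;
    return (int)client_len;
}
```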

References:

http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-080-04.pdf
http://www.vupen.com/english/advisories/2011/0742
http://www.securityfocus.com/bid/46937
http://www.exploit-db.com/exploits/17025
http://secunia.com/advisories/43848
http://aluigi.org/adv/realwin_6-adv.txt

