Summary
stratsec has identified a remotely triggerable stack-based buffer overflow in the Procyon Core Server HMI service. The vulnerability is triggered by sending a specially crafted request to TCP port 23 and leads directly to remote code execution with the elevated privileges of the service. A failed attempt will most likely crash the service, resulting in a denial of service condition.
Description
Procyon Core HMI Server is a low-cost but flexible software package suitable for anything from simple HMI through to SCADA and large-scale DCS systems, and is compatible with all Data Track Process Instrument products. During installation the server registers itself as a Windows service that is configured to restart automatically if it crashes, so a failed exploitation attempt does not keep the service down for long and can simply be retried. The service runs as SYSTEM, so any code executed through the service runs with SYSTEM privileges.
Impact
A remote attacker can execute arbitrary code with SYSTEM privileges on any exposed, vulnerable installation of Procyon Core Server. The wider impact depends on the environment the software is deployed in and what the HMI controls.
Technical Details
The memory corruption vulnerability lies in the 'Coreservice.exe' process. An attacker-controlled index is used to read a pointer, and that pointer then becomes the destination of an unbounded string copy, giving the attacker an arbitrary read followed by an arbitrary write; directed at a fixed-size stack buffer, this produces a stack-based buffer overflow. A remote attacker can exploit it to execute arbitrary code by sending a long password request to TCP port 23 of the affected server.
00475DD7 mov eax, [eax+edx*4-4] ; the attacker controls EAX and EDX at this point
00475DDB lea edx, [ebp+var_4D]   ; stack buffer
00475DDE call sub_40A288
The pointer arithmetic on EAX and EDX determines the destination address for the copy that follows. sub_40A288 is a strcpy-style routine taking its arguments in EAX and EDX: it measures the string with repne scasb, which stops only at a NUL byte, then copies it four bytes at a time with rep movsd and the remaining bytes with rep movsb. At no point is the size of the destination checked.
sub_40A288:
0040A288 push edi
0040A289 push esi
0040A28A mov esi, eax
0040A28C mov edi, edx
0040A28E mov ecx, 0FFFFFFFFh
0040A293 xor al, al
0040A295 repne scasb ; length scan with no upper bound; the buffer involved is a fixed 52 bytes
0040A297 not ecx ; ECX = string length, terminator included
0040A299 mov edi, esi
0040A29B mov esi, edx
0040A29D mov edx, ecx
0040A29F mov eax, edi
0040A2A1 shr ecx, 2 ; number of dwords to copy
0040A2A4 rep movsd ; copy with no size check: stack overflow is here
0040A2A6 mov ecx, edx
0040A2A8 and ecx, 3 ; remaining 0-3 bytes
0040A2AB rep movsb
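The following is an added example written for this advisory; it is not code from Procyon Core Server or from stratsec. The first routine mirrors the shape of sub_40A288 in C (scan for the terminator, copy dwords, copy the tail) to make clear that nothing in it knows the size of the destination. The second is the bounded handler the service should have used: it measures the incoming password against the destination buffer and rejects anything that will not fit. The 52-byte buffer size is taken from the advisory; the "PASS <password>\r\n" request layout, the function names and the sample passwords are assumptions made for the demonstration and are not the Procyon wire format.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PW_BUF_LEN 52   /* fixed-size buffer, as described in the advisory */

/* Mirror of the unbounded copy in sub_40A288: find the terminator, then
 * copy dwords and the remaining bytes. Returns the byte count including the
 * NUL, which is what ECX holds after "not ecx". Nothing here knows how large
 * dst is, which is the whole problem. */
static size_t unbounded_copy(char *dst, const char *src)
{
    size_t len = 0;
    while (src[len] != '\0')                /* repne scasb: scan to the NUL */
        len++;
    len++;                                  /* not ecx: include the NUL */

    size_t dwords = len >> 2;               /* shr ecx, 2 */
    size_t tail   = len & 3;                /* and ecx, 3 */
    for (size_t i = 0; i < dwords; i++)     /* rep movsd */
        memcpy(dst + 4 * i, src + 4 * i, 4);
    memcpy(dst + 4 * dwords, src + 4 * dwords, tail); /* rep movsb */
    return len;
}

/* Copy a short constructed string into a buffer that is large enough and
 * return the count the routine reported (4 for "abc"). Handing
 * unbounded_copy a source longer than its destination is exactly the bug,
 * so this demo deliberately stays inside the buffer. */
static size_t unbounded_copy_demo(void)
{
    char big[16];
    size_t n = unbounded_copy(big, "abc");
    return strcmp(big, "abc") == 0 ? n : 0;
}

typedef enum { PW_OK = 0, PW_BAD_REQUEST = -1, PW_TOO_LONG = -2 } pw_status;

/* Hardened handler: the copy is bounded by the destination size, and an
 * over-long password is rejected rather than silently truncated (truncation
 * would let "<valid password><garbage>" authenticate). The "PASS <pw>\r\n"
 * layout is an assumption for this example, not the Procyon protocol. */
static pw_status handle_password_request(const char *request,
                                         char *out, size_t out_len)
{
    static const char prefix[] = "PASS ";
    const size_t plen = sizeof prefix - 1;

    if (strncmp(request, prefix, plen) != 0)
        return PW_BAD_REQUEST;
    const char *pw = request + plen;
    size_t n = strcspn(pw, "\r\n");         /* password runs to end of line */
    if (n >= out_len)                       /* must leave room for the NUL */
        return PW_TOO_LONG;
    memcpy(out, pw, n);
    out[n] = '\0';
    return PW_OK;
}

/* Run one raw request through the handler against a PW_BUF_LEN-byte
 * stack buffer of the kind the vulnerable code used. */
static pw_status try_raw_request(const char *request)
{
    char pwbuf[PW_BUF_LEN];
    return handle_password_request(request, pwbuf, sizeof pwbuf);
}

/* Build a request carrying pw_len 'A' bytes (constructed input) and try it. */
static pw_status try_password_of_length(size_t pw_len)
{
    char request[1024];
    if (pw_len > sizeof request - 8)
        return PW_BAD_REQUEST;
    memcpy(request, "PASS ", 5);
    memset(request + 5, 'A', pw_len);
    memcpy(request + 5 + pw_len, "\r\n", 3); /* includes the terminating NUL */
    return try_raw_request(request);
}

int main(void)
{
    printf("unbounded copy of \"abc\" reported %zu bytes\n", unbounded_copy_demo());
    printf("51-byte password: %d (0 = accepted)\n", try_password_of_length(51));
    printf("52-byte password: %d (-2 = rejected, too long)\n", try_password_of_length(52));
    printf("800-byte password: %d\n", try_password_of_length(800));
    return 0;
}
```

The boundary is deliberate: with a 52-byte buffer the longest acceptable password is 51 bytes, because the terminator needs the last slot. A handler that compares against the buffer size with ">" instead of ">=" reintroduces a one-byte overflow.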
Affected products
Procyon Core Server v1.06 has been confirmed vulnerable. Other versions before 1.14 are also likely to be affected.
Proof of concept
A commercial grade Proof of Concept (PoC) exploit has been developed and can be found in Metasploit’s repository:
http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/scada/procyon_core_server.rb
Solution
Upgrade to Procyon Core Server version 1.14. stratsec has not independently tested this version.
Response timeline
19/07/2011 - Vendor notified.
19/07/2011 - Vendor acknowledges receipt of advisory.
19/07/2011 - The vendor confirms the issue and identifies a third-party security company, Nsense, which had independently discovered and reported the vulnerability to them one month earlier.
20/07/2011 - stratsec contacts Nsense's research team to plan a coordinated release.
20/07/2011 - stratsec contacts the US Department of Homeland Security ICS-CERT to confirm the vulnerability.
20/07/2011 - Nsense agrees to a coordinated release.
21/07/2011 - ICS-CERT coordinates a 30-day patch release directly with the vendor.
01/09/2011 - ICS-CERT notifies Nsense that the planned advisory release date is 6 September 2011.
06/09/2011 - ICS-CERT releases the advisory to the public.
08/09/2011 - This advisory published.
Acknowledgments
stratsec would like to thank the Nsense Security Research Team (http://nsense.dk/) for their collaborative efforts and professionalism.
References
ICS-CERT advisory: http://www.uscert.gov/control_systems/pdf/ICSA-11-216-01.pdf
CVE item: CVE-2011-3322