#######################################################################

Luigi Auriemma

Application:  Siemens Tecnomatix FactoryLink
              http://www.usdata.com/sea/FactoryLink/en/p_nav1.html
              http://www.plm.automation.siemens.com/en_us/products/tecnomatix/production_management/factorylink/index.shtml
Versions:     <= 8.0.1.1473
Platforms:    Windows
Bug:          memory corruption
Exploitation: remote, versus server
Date:         21 Mar 2011 (found 02 Jan 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

From vendor's website:
"Siemens FactoryLink monitors, supervises, and controls industrial
processes by enabling customers to perfect their processes and products.
Built on an advanced open architecture, FactoryLink delivers the highest
performance and flexibility to customers building vertical applications
in a wide range of industries. Highly scaleable, FactoryLink can be used
to build virtually any size application, from the simplest
Human-Machine Interface (HMI) systems to the most complex and demanding
Supervisory Control and Data Acquisition (SCADA) systems."

#######################################################################

======
2) Bug
======

vrn.exe is a server listening on port 7579 when a project is started.

A particular function is used to parse the text fields located in the
strings of opcode 10. It copies the string delimited by a ';' or a
space into the stack buffer supplied by its caller without checking the
buffer size, causing a stack overflow that allows partial control of
the code flow (for example overwriting the lower 8 bits of the return
address, or triggering another exception).

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/factorylink_3.zip

  nc SERVER 7579 < factorylink_3.dat

#######################################################################

======
4) Fix
======

No fix.

UPDATE 25 Mar 2011: version 802.82

#######################################################################
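As an added illustration (not part of the advisory and not the vendor's code), the defensive counterpart of the defect described in section 2: a ';'/space-delimited field copy that also honours the size of the caller's stack buffer, rejecting over-long fields instead of overrunning. The function names (copy_field_bounded, field_len) and the sample records are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy one field, delimited by ';' or a space, from src into dst.
 * Hardened counterpart of the unbounded copy the advisory describes:
 * the caller passes the size of its stack buffer, and the copy stops at
 * a delimiter OR when the buffer is full. Returns the field length, or
 * -1 when the field does not fit. dst is always NUL-terminated, so the
 * caller never sees an unterminated or overrun buffer. */
static int copy_field_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n = 0;
    if (dst_size == 0)
        return -1;
    while (src[n] != '\0' && src[n] != ';' && src[n] != ' ') {
        if (n + 1 >= dst_size) {     /* no room left for the terminator */
            dst[n] = '\0';
            return -1;               /* truncated: reject, do not overrun */
        }
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    return (int)n;
}

/* Parse the first field of msg into a stack buffer of at most cap bytes
 * (hypothetical helper; cap is limited to 64 to keep the example small).
 * Returns the field length, or -1 if the field was rejected. */
int field_len(const char *msg, size_t cap)
{
    char buf[64];
    if (cap > sizeof buf)
        cap = sizeof buf;
    return copy_field_bounded(buf, cap, msg);
}

int main(void)
{
    char buf[16];
    /* constructed sample record: short field followed by a ';' delimiter */
    int len = copy_field_bounded(buf, sizeof buf, "TAG01;rest of record");
    printf("%d <%s>\n", len, buf);
    /* constructed over-long field: rejected instead of smashing the stack */
    len = copy_field_bounded(buf, sizeof buf, "AAAAAAAAAAAAAAAAAAAAAAAA;x");
    printf("%d <%s>\n", len, buf);
    return 0;
}
```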