#######################################################################

                             Luigi Auriemma

Application:  Iconics GENESIS32 and GENESIS64
              http://www.iconics.com/Home/Products/HMI-and-SCADA/GENESIS32.aspx
              http://www.iconics.com/Home/Products/HMI-and-SCADA/GENESIS64.aspx
Versions:     GENESIS32 <= 9.21
              GENESIS64 <= 10.51
              GenBroker.exe and GenBroker64.exe are the same version
              in both products: 9.21.201.01
Platforms:    Windows
Bug:          freeing of arbitrary or uninitialized memory
Exploitation: remote, versus server
Date:         21 Mar 2011 (found 08 Jan 2011)

Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Iconics Genesis is a SCADA HMI solution used worldwide, with customers
ranging from the Beijing Traffic Control Center to the Pentagon and
even Poste Italiane (source: the vendor's "Case Studies").

Information from the vendor's website:

  "GENESIS32™ is the industry’s first and only fully scalable suite of
  OPC, SNMP, BACnet and Web-enabled HMI and SCADA applications."

#######################################################################

======
2) Bug
======

GenBroker is a Windows service listening on port 38080.

The addresses and code snippets reported here refer to GENESIS32 9.2.
The service is affected by multiple frees of uninitialized memory
pointers and of arbitrary locations because:

- the functions that store the string pointers read from the client
  silently break out of the reading loop when the end of the packet is
  reached
- these functions use malloc instead of calloc, so the memory of the
  pointer array is not cleared
- the functions that free the arrays don't know if and when the reading
  process stopped, so they call free() over all the elements specified
  by the attacker in his packet

The exploitability of these vulnerabilities depends on how the attacker
has shaped the heap, through valid packets sent before the malformed
one, so that the freeing of arbitrary locations can be forced.
The service is multi-threaded, so there are many chances of
exploitation.

The following is the full list of vulnerable opcodes and the read/free
functions to monitor (referring to version 9.2):

1) opcode 0x4b0:
   read loop: 0044ACC0 and 0044AD04
   free loop: 004446B0

2) opcode 0x4b2:
   read loop: 0044B360
   free loop: 004428F0

3) opcode 0x4b5:
   read loop: 0044C560
   free loop: 00443090

4) function 0044C6B0 used by opcodes 0xDAE and 0xDB0:
   read loop: 0044c800
   free loop: 00443160

5) opcodes 0x1BBC and 0x1BBD:
   read loop: 0044ca90
   free loop: 004432a0

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/genesis_1.zip

#######################################################################

======
4) Fix
======

No fix.

UPDATE 08 Apr 2011:
GenBroker.exe 9.22.202.11

#######################################################################
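The bug class described in section 2 (a malloc'd pointer array, a read loop that stops silently at end of packet, and a free loop that trusts the count in the packet header) is shown below next to a hardened parser. This is an added example written for this page; it is not code from the advisory, from the genesis_1.zip PoC, or from GenBroker. The wire format (u32 count, then u32 length + bytes per entry, little-endian), the MAX_ITEMS cap and all function names are assumptions made for the example and do not describe GenBroker's real protocol.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed wire format used only for this example (not GenBroker's):
   u32 count, then `count` entries, each a u32 length followed by that
   many bytes. All integers little-endian. */

#define MAX_ITEMS 1024   /* hypothetical upper bound on entries per packet */

struct strarray {
    char   **items;   /* pointer array */
    uint32_t count;   /* count announced in the packet header */
    uint32_t n_read;  /* entries actually populated from the packet */
};

static int read_u32(const uint8_t *p, size_t len, size_t *off, uint32_t *out)
{
    if (len - *off < 4)
        return 0;
    *out = (uint32_t)p[*off] | ((uint32_t)p[*off + 1] << 8) |
           ((uint32_t)p[*off + 2] << 16) | ((uint32_t)p[*off + 3] << 24);
    *off += 4;
    return 1;
}

/* Reads one length-prefixed string; NULL if the packet is too short. */
static char *read_str(const uint8_t *p, size_t len, size_t *off)
{
    uint32_t slen;
    if (!read_u32(p, len, off, &slen) || len - *off < slen)
        return NULL;
    char *s = malloc((size_t)slen + 1);
    if (!s) return NULL;
    memcpy(s, p + *off, slen);
    s[slen] = '\0';
    *off += slen;
    return s;
}

/* VULNERABLE PATTERN (the class in the advisory, simplified): malloc leaves
   the slots uninitialized, the loop silently stops at end of packet, and the
   free routine trusts the attacker-supplied count. Never call these on a
   truncated packet: free() of garbage is undefined behaviour. */
struct strarray *read_strings_vuln(const uint8_t *pkt, size_t len)
{
    size_t off = 0;
    struct strarray *a = malloc(sizeof *a);
    if (!a || !read_u32(pkt, len, &off, &a->count)) { free(a); return NULL; }
    a->items = malloc((size_t)a->count * sizeof *a->items);   /* not zeroed */
    for (uint32_t i = 0; i < a->count; i++) {
        char *s = read_str(pkt, len, &off);
        if (!s) break;                /* end of packet: remaining slots stay garbage */
        a->items[i] = s;
    }
    return a;
}

void free_strings_vuln(struct strarray *a)
{
    for (uint32_t i = 0; i < a->count; i++)   /* walks slots never written */
        free(a->items[i]);
    free(a->items);
    free(a);
}

/* HARDENED: bounded count, zeroed slots, short packet rejected, and the
   free loop only walks the entries that were actually filled. */
void free_strings_safe(struct strarray *a)
{
    if (!a) return;
    for (uint32_t i = 0; i < a->n_read; i++)   /* only what was populated */
        free(a->items[i]);
    free(a->items);
    free(a);
}

struct strarray *read_strings_safe(const uint8_t *pkt, size_t len)
{
    size_t off = 0;
    uint32_t count;
    if (!read_u32(pkt, len, &off, &count) || count > MAX_ITEMS)
        return NULL;
    struct strarray *a = calloc(1, sizeof *a);
    if (!a) return NULL;
    a->count = count;
    a->items = calloc(count ? count : 1, sizeof *a->items);   /* all NULL */
    if (!a->items) { free(a); return NULL; }
    for (uint32_t i = 0; i < count; i++) {
        char *s = read_str(pkt, len, &off);
        if (!s) { free_strings_safe(a); return NULL; }   /* truncated: reject */
        a->items[i] = s;
        a->n_read++;
    }
    return a;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t complete_pkt[]  = { 2,0,0,0, 2,0,0,0,'a','b', 3,0,0,0,'c','d','e' };
static const uint8_t truncated_pkt[] = { 4,0,0,0, 2,0,0,0,'a','b', 3,0,0,0,'c','d','e' };
static const uint8_t huge_count_pkt[] = { 0xff,0xff,0xff,0xff };

/* Number of strings the hardened parser accepted, or -1 if it rejected the packet. */
int count_parsed(const uint8_t *pkt, size_t len)
{
    struct strarray *a = read_strings_safe(pkt, len);
    if (!a) return -1;
    int n = (int)a->n_read;
    free_strings_safe(a);
    return n;
}
int complete_packet_count(void)   { return count_parsed(complete_pkt, sizeof complete_pkt); }
int truncated_packet_count(void)  { return count_parsed(truncated_pkt, sizeof truncated_pkt); }
int huge_count_packet_count(void) { return count_parsed(huge_count_pkt, sizeof huge_count_pkt); }

int main(void)
{
    printf("complete: %d, truncated: %d, huge count: %d\n",
           complete_packet_count(), truncated_packet_count(), huge_count_packet_count());
    return 0;
}
```

The hardened version fixes all three conditions the advisory lists: the array is calloc'd so unfilled slots are NULL, a packet whose announced count exceeds what it carries is rejected instead of being partially parsed, and the cleanup is driven by n_read rather than by the header count. Running the truncated packet through the vulnerable pair would free two uninitialized slots, which is exactly the behaviour the advisory reports.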