####################################################################### Luigi Auriemma Application: IGSS (Interactive Graphical SCADA System) http://www.igss.com http://www.7t.dk Versions: IGSSdataServer.exe <= 9.00.00.11063 Platforms: Windows Bug: format string Exploitation: remote, versus server Date: 21 Mar 2011 (found 10 Jan 2011) Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== IGSS (Interactive Graphical SCADA system) is a SCADA solution developed by the 7-Technologies and used mainly in Denmark and US. Informations from the vendor's website: "IGSS is the complete automation software – a SCADA system for process control and supervision - with a long row of releases since the start of 7T 25 years ago. At that time, 7T was the first company in the world to develop an object oriented and mouse operated SCADA system under the name of IGSS." ####################################################################### ====== 2) Bug ====== IGSSdataServer.exe is a server running on port 12401 active when the project is started. The logging function Shmemmgr.logText that places messages in GSST.LOG has a printf-like prototype but the function 0040cec0 that handles all the internal logs doesn't provide the necessary format argument when calls it: 0040CF5B |> 8D4424 04 LEA EAX,DWORD PTR SS:[ESP+4] 0040CF5F |. 50 PUSH EAX 0040CF60 |. 57 PUSH EDI 0040CF61 |. 6A 0D PUSH 0D 0040CF63 |. 6A 01 PUSH 1 0040CF65 |. FF15 6C834300 CALL DWORD PTR DS:[<&Shmemmgr9.logText>] ; Shmemmgr.logText ... 005A55E6 . 8B4D EC MOV ECX,DWORD PTR SS:[EBP-14] 005A55E9 . 51 PUSH ECX 005A55EA . 8B55 14 MOV EDX,DWORD PTR SS:[EBP+14] 005A55ED . 52 PUSH EDX 005A55EE . 68 00280000 PUSH 2800 005A55F3 . 8D85 E8D7FFFF LEA EAX,DWORD PTR SS:[EBP-2818] 005A55F9 . 50 PUSH EAX 005A55FA . FF15 20026200 CALL DWORD PTR DS:[<&MSVCR90.vsprintf_s>] ; MSVCR90.vsprintf_s Note that is not clear if this vulnerability is exploitable for code execution. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/igss_6.zip nc SERVER 12401 < igss_6.dat ####################################################################### ====== 4) Fix ====== No fix. UPDATE 24 Mar 2011: version 11083 #######################################################################