#######################################################################

Luigi Auriemma

Application:  Pro-face Pro-Server EX
              WinGP PC Runtime
              http://www.profaceamerica.com/cms/resource_library/products/9e3c2a7965a27592/index.html
Versions:     ProServr  <= 1.30.000
              PCRuntime <= 3.1.00
Platforms:    Windows
Bug:          A] "Find Node" invalid memory access
              B] memset integer overflow
              C] Unhandled exception
              D] Invalid memory read access and disclosure
              E] Possible limited memory corruptions
Exploitation: remote
Date:         13 May 2012
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

From vendor's homepage:
"Pro-Server EX is a powerful, yet cost effective data management server
that provides real-time reporting of automated manufacturing and
production environments at a fraction of the price of a full SCADA
system."

#######################################################################

=======
2) Bugs
=======

By default Pro-Server EX (ProServr.exe) runs as a stand-alone server,
but it can be set up as a Windows service during the installation; this
second mode is the one suggested by the vendor.

------------------------------------
A] "Find Node" invalid memory access
------------------------------------

The server trusts a 32bit "number of elements" value that is used to
locate the subsequent string in the received packet. If the packet
contains a particular flag, the following function tries to check for
the presence of the string "\x1c" "Find Node\0" "ASP" at that
arbitrary location:

  0033650C  |. 8D4486 04      LEA EAX,DWORD PTR DS:[ESI+EAX*4+4]  ; seek
  ...
  00336400  /$ A1 9C7A3A00    MOV EAX,DWORD PTR DS:[3A7A9C]      ; the function
  00336405  |. 8038 1C        CMP BYTE PTR DS:[EAX],1C
  00336408  |. 74 03          JE SHORT TDASforW.0033640D
  0033640A  |> 32C0           XOR AL,AL
  0033640C  |. C3             RETN

This bug can be triggered even if the server is protected by a password
(max 8 bytes XORed with 0xff) and the attacker doesn't know it.

--------------------------
B] memset integer overflow
--------------------------

Through opcode 0x07 -> 0x5/0x6/0x7 it's possible to trigger an integer
overflow that allocates a buffer of 0 bytes, but the memset() that
follows limits the effect to a crash of the server caused by a
buffer-overflow of zeroes (the memcpy can't be reached):

  0033660C  |. 8B7D 18        MOV EDI,DWORD PTR SS:[EBP+18]       ; our 32bit value
  0033660F  |. 83C7 18        ADD EDI,18                          ; + 0x18
  00336612  |. B9 988C3A00    MOV ECX,TDASforW.003A8C98
  00336617  |. 8D1C07         LEA EBX,DWORD PTR DS:[EDI+EAX]
  0033661A  |. E8 C14CFFFF    CALL TDASforW.?Lock@GaMutex@@QAEXXZ
  0033661F  |. 8B35 3C8C3A00  MOV ESI,DWORD PTR DS:[3A8C3C]
  00336625  |. 03F3           ADD ESI,EBX
  00336627  |. B9 988C3A00    MOV ECX,TDASforW.003A8C98
  0033662C  |. 8935 3C8C3A00  MOV DWORD PTR DS:[3A8C3C],ESI
  00336632  |. E8 A921FFFF    CALL TDASforW.?Unlock@GaMutex@@QAEXXZ
  00336637  |. 8D4B 04        LEA ECX,DWORD PTR DS:[EBX+4]
  0033663A  |. 51             PUSH ECX
  0033663B  |. E8 045F0300    CALL <JMP.&MFC71.#265>              ; malloc + 4
  00336640  |. 53             PUSH EBX
  00336641  |. 8D70 04        LEA ESI,DWORD PTR DS:[EAX+4]
  00336644  |. 6A 00          PUSH 0
  00336646  |. 56             PUSH ESI
  00336647  |. 8918           MOV DWORD PTR DS:[EAX],EBX          ; memset crash
  00336649  |. FF15 28803800  CALL DWORD PTR DS:[<&GAOS.?osUTmemset@>
  0033664F  |. 57             PUSH EDI
  00336650  |. 55             PUSH EBP
  00336651  |. 56             PUSH ESI
  00336652  |. FF15 24803800  CALL DWORD PTR DS:[<&GAOS.?osUTmemcpy@>

----------------------
C] Unhandled exception
----------------------

Through opcode 0x07 -> 0x5/0x6/0x7 it's possible to terminate the server
with an unhandled exception ("Runtime Error") caused by a too big amount
of data to allocate.
--------------------------------------------
D] Invalid memory read access and disclosure
--------------------------------------------

Through opcode 0x07 -> 0x5/0x6/0x7/0x14 it's possible to crash the server
by specifying a big size value, so that copying the data from the source
packet with the osUTmemcpy function reads invalid memory.

Opcode 0x7 -> 0x14 is a bit more interesting because it returns the
requested amount of memory to the client, so it's possible to read all
the memory up to the end of the buffer.

--------------------------------------
E] Possible limited memory corruptions
--------------------------------------

The server often reuses the buffer holding the input packet, modifies it
in place and then sends it back to the client. Because the size of the
received packet is not checked, an attacker can send a small packet and
force the server to write its reply fields at offsets beyond the
allocated packet size, corrupting the heap.

An example of these memory corruptions happens with opcode 0x7->0x14:

  0033CE2F   . 33C9             XOR ECX,ECX
  0033CE31   . 3BD1             CMP EDX,ECX
  0033CE33   . 66:8948 04       MOV WORD PTR DS:[EAX+4],CX
  0033CE37   . C740 1C 16260000 MOV DWORD PTR DS:[EAX+1C],2616
  0033CE3E   . 8948 24          MOV DWORD PTR DS:[EAX+24],ECX
  0033CE41   . 8948 28          MOV DWORD PTR DS:[EAX+28],ECX
  0033CE44   . 8948 2C          MOV DWORD PTR DS:[EAX+2C],ECX
  0033CE47   . 8948 30          MOV DWORD PTR DS:[EAX+30],ECX
  0033CE4A   . 8948 34          MOV DWORD PTR DS:[EAX+34],ECX
  0033CE4D   . 8948 38          MOV DWORD PTR DS:[EAX+38],ECX
  0033CE50   . 8948 3C          MOV DWORD PTR DS:[EAX+3C],ECX
  0033CE53   . 8948 40          MOV DWORD PTR DS:[EAX+40],ECX

In this example ECX is just zero, so it is not very useful on its own;
it is shown only because it is a big chunk of such writes, and there are
other places where no checks are performed on the received packet size.

Note that this attack is possible only if no bigger packet has been
received previously, because there is a single buffer and it fits the
largest packet received so far.
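The root cause shared by bugs A, B/C/D and E is that a 32bit length or
count taken from the packet is used for pointer arithmetic, allocation
and in-place writes without being compared against the number of bytes
actually received. The following C code is an added example written for
this advisory, not the vendor's code: it shows the three checks a
hardened parser would perform before each of those operations. The
packet struct, the 0x18 slack (the "+ 0x18" in the bug B listing), the
4-byte element stride (the "EAX*4+4" in the bug A listing), the
MAX_ALLOC cap and all function names are assumptions made for the
example; the vendor's internal layout is not documented here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed view of a received datagram (assumption: the advisory only
 * says the protocol carries type, flags, size and data). */
typedef struct {
    const uint8_t *buf;
    size_t         len;   /* bytes actually received from the socket */
} packet_t;

#define ALLOC_SLACK 0x18u          /* bytes added before malloc (bug B listing) */
#define ELEM_STRIDE 4u             /* element size used in ESI+EAX*4+4 (bug A) */
#define MAX_ALLOC   (1u << 20)     /* assumed sane upper bound for one request */

/* Bugs B/C/D: derive an allocation size from the attacker-controlled 32bit
 * "size" field without wrapping, and refuse sizes larger than what was
 * received, so neither malloc(0) nor an out-of-bounds osUTmemcpy read can
 * happen. Returns true and stores the total in *out when the size is safe. */
bool checked_alloc_len(uint32_t claimed, size_t received, size_t *out)
{
    if (claimed > UINT32_MAX - ALLOC_SLACK)
        return false;                 /* claimed + 0x18 would wrap to a tiny value */
    if (claimed > received)
        return false;                 /* copy would read past the end of the packet */
    uint32_t total = claimed + ALLOC_SLACK;
    if (total > MAX_ALLOC)
        return false;                 /* bounded, avoids the allocation exception */
    *out = total;
    return true;
}

/* Bug A: offset of the string that follows a 32bit element count. The
 * multiplication is done in 64 bits so a huge count cannot wrap back into
 * the buffer; the whole `needed`-byte pattern must fit in the packet. */
bool checked_elem_offset(uint32_t count, size_t received, size_t needed, size_t *out)
{
    uint64_t off = (uint64_t)count * ELEM_STRIDE + 4;
    if (off > received || needed > received - (size_t)off)
        return false;
    *out = (size_t)off;
    return true;
}

/* Bug E: a reply built in place inside the request buffer may only write a
 * field if [field_off, field_off + field_len) lies within the bytes that
 * were allocated for that request. */
bool checked_inplace_write(size_t received, size_t field_off, size_t field_len)
{
    if (field_off > received)
        return false;
    return field_len <= received - field_off;
}

/* Small driver using a constructed 64-byte packet. */
int main(void)
{
    uint8_t raw[64] = {0};
    packet_t pkt = { raw, sizeof raw };
    size_t n = 0;

    printf("size 0xFFFFFFF0 accepted: %d\n",
           checked_alloc_len(0xFFFFFFF0u, pkt.len, &n));       /* 0: would wrap */
    printf("count 0x40000000 accepted: %d\n",
           checked_elem_offset(0x40000000u, pkt.len, 14, &n));  /* 0: 32bit wrap caught */
    printf("reply field at 0x40 in 64-byte packet: %d\n",
           checked_inplace_write(pkt.len, 0x40, 4));            /* 0: past the buffer */
    printf("reply field at 0x40 in 0x44-byte packet: %d\n",
           checked_inplace_write(0x44, 0x40, 4));               /* 1: fits */
    return 0;
}
```

The three functions map one to one onto the listings above: the first
replaces the unchecked "ADD EDI,18 / LEA EBX" arithmetic before malloc,
the second the "LEA EAX,[ESI+EAX*4+4]" seek, and the third guards the
run of "MOV [EAX+xx]" stores up to offset 0x40, which needs a buffer of
at least 0x44 bytes.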
PCRuntime.exe also uses TCP port 8000, which is fully compatible with
the protocol running on the UDP one (type, flags, size, data).

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/proservrex_1.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18878.zip

#######################################################################

======
4) Fix
======

No fix.

#######################################################################