DATAC RealWin – Multiple Vulnerabilities

Exploit Database
110 阅读

作者： Luigi Auriemma

日期： 2011-03-22
类别：
- dos
平台：
- windows
来源：https://www.exploit-db.com/exploits/17025/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

Sources:

http://aluigi.org/adv/realwin_2-adv.txt

http://aluigi.org/adv/realwin_3-adv.txt

http://aluigi.org/adv/realwin_4-adv.txt

http://aluigi.org/adv/realwin_5-adv.txt

http://aluigi.org/adv/realwin_6-adv.txt

http://aluigi.org/adv/realwin_7-adv.txt

http://aluigi.org/adv/realwin_8-adv.txt

Advisory Archive: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17025-adv.tar.gz (datac_realwin_adv.tar.gz)

PoC Archive: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17025-poc.tar.tz (datac_realwin_poc.tar.gz)

#######################################################################

Luigi Auriemma

Application:DATAC RealWin

http://www.dataconline.com/software/realwin.php

http://www.realflex.com

Versions: <= 2.1 (Build 6.1.10.10)

Platforms:Windows

Date: 21 Mar 2011 (found 25 Nov 2010)

Author: Luigi Auriemma

e-mail: aluigi@autistici.org

web:aluigi.org

===============

Introduction

===============

"RealWin is a SCADA server package for medium / small applications."

#######################################################################

Remote Stack Overflow:

======

Bug

======

The part of the server listening on port 910 is vulnerable to a buffer

overflow happening in the function 004be510 that splits the input

strings using some delimiters passed by the callee functions and copies

them in a stack buffer of 1024 bytes.

One of the ways to exploit the vulnerability in that function is

through an On_FC_CONNECT_FCS_LOGIN packet containing a long username.

#######################################################################

===========

The Code

===========

http://aluigi.org/poc/realwin_2.zip

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17025-2.zip (realwin_2.zip)

nc SERVER 910 < realwin_2.dat

#######################################################################

Remote Stack Overflow:

======

Bug

======

The part of the server listening on port 910 is vulnerable to some

buffer overflows happening during the handling of the

On_FC_CTAGLIST_FCS_CADDTAG, On_FC_CTAGLIST_FCS_CDELTAG and

On_FC_CTAGLIST_FCS_ADDTAGMS packets where the input strings are copied

in a stack buffer of 1024 bytes.

The bugs are located in different functions but I have grouped them in

this same advisory because the format and the performed operations are

similar.

List of the vulnerable functions:

- realwin_3a: 0042f770

- realwin_3b: 0042f670

- realwin_3c: 0042f9c0

#######################################################################

===========

The Code

===========

http://aluigi.org/poc/realwin_3.zip

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17025-3.zip (realwin_3.zip)

nc SERVER 910 < realwin_3?.dat

#######################################################################

Remote Stack Overflow:

======

Bug

======

The part of the server listening on port 910 is vulnerable to a buffer

overflow happening during the handling of the

On_FC_RFUSER_FCS_LOGIN packet by the function 00437500 where the input

username is copied in a stack buffer of 44 bytes.

#######################################################################

===========

The Code

===========

http://aluigi.org/poc/realwin_4.zip

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17025-4.zip (realwin_4.zip)

nc SERVER 910 < realwin_4.dat

#######################################################################

Remote Stack Overflow:

======

Bug

======

The part of the server listening on port 910 is vulnerable to some

buffer overflows happening during the handling of various

On_FC_BINFILE_FCS_*FILE packets in which is available a string

containing a filename used for performing some operations.

This filename is appended in a stack buffer of 256 bytes for building

the full path of a file through function 004275b0 causing the overflow.

The bugs are located in different functions but I have grouped them in

this same advisory because the format and the performed operations are

similar.

List of the vulnerable functions:

- realwin_5a: 0042f770

- realwin_5b: 0042f670

- realwin_5c: 0042f9c0 -> 0042f770

- realwin_5d: 00427790

- realwin_5e: 004280b0

- realwin_5f: 00427880

#######################################################################

===========

The Code

===========

http://aluigi.org/poc/realwin_5.zip

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17025-5.zip (realwin_5.zip)

nc SERVER 910 < realwin_5?.dat

#######################################################################

Remote Integer Overflow:

======

Bug

======

The part of the server listening on port 910 is vulnerable to some

buffer overflows happening during the handling of the

On_FC_MISC_FCS_MSGBROADCAST and On_FC_MISC_FCS_MSGSEND packets where is

allocated an amount of memory equal to the 32bit size value provided by

the client plus 0x16 resulting in a heap overflow during the subsequent

copy of the input data.

The bugs are located in different functions but I have grouped them in

this same advisory because the format and the performed operations are

enough similar (the main difference is the presence of the 16bit value

at offset 0x12 of On_FC_MISC_FCS_MSGSEND).

List of the vulnerable functions:

- realwin_6a: 004326f0

- realwin_6b: 00432ae0

#######################################################################

===========

The Code

===========

http://aluigi.org/poc/realwin_6.zip

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17025-6.zip (realwin_6.zip)

nc SERVER 910 < realwin_6?.dat

#######################################################################

Remote Stack Overflow:

======

Bug

======

The part of the server listening on port 910 is vulnerable to a buffer

overflow happening during the handling of the

On_FC_CGETTAG_FCS_GETTELEMETRY, On_FC_CGETTAG_FCS_GETCHANNELTELEMETRY,

On_FC_CGETTAG_FCS_SETTELEMETRY and

On_FC_CGETTAG_FCS_SETCHANNELTELEMETRY packets where the input string is

used for building a file path on a stack buffer of about 200 bytes:

sprintf(

stack_buffer,

"C:\\Program Files\\DATAC\\Real.Win\\DemoRW-1.06\\\\realflex\\data\\crt\\fwd\\tel\\%s.tel",

input_string);

Note that the bugs are located in different functions but I have

grouped them here because the format and the performed operations are

similar.

List of the vulnerable functions:

- realwin_7a: 00467050

- realwin_7b: 00467520

- realwin_7c: 00467860

- realwin_7d: 00467ce0

#######################################################################

===========

The Code

===========

http://aluigi.org/poc/realwin_7.zip

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17025-7.zip (realwin_7.zip)

nc SERVER 910 < realwin_7?.dat

#######################################################################

Remote Stack Overflow:

======

Bug

======

The part of the server listening on port 910 is vulnerable to a buffer

overflow happening during the handling of the

On_FC_SCRIPT_FCS_STARTPROG packets by the function 00439620 where the

input string is copied in a stack buffer of about 4 kilobytes.

#######################################################################

===========

The Code

===========

http://aluigi.org/poc/realwin_8.zip

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17025-8.zip (realwin_8.zip)

nc SERVER 910 < realwin_8.dat

#######################################################################

======

Fix

======

No fix.

#######################################################################