Sources:
http://aluigi.org/adv/factorylink_1-adv.txt
http://aluigi.org/adv/factorylink_2-adv.txt
http://aluigi.org/adv/factorylink_3-adv.txt
http://aluigi.org/adv/factorylink_4-adv.txt
http://aluigi.org/adv/factorylink_5-adv.txt
http://aluigi.org/adv/factorylink_6-adv.txt

Advisory Archive: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17022-1.tar.gz (siemens_factory_link_adv.tar.gz)
PoC Archive: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17022-2.tar.gz (siemens_factory_link_poc.tar.gz)

#######################################################################

                             Luigi Auriemma

Application:  Siemens Tecnomatix FactoryLink
              http://www.usdata.com/sea/FactoryLink/en/p_nav1.html
              http://www.plm.automation.siemens.com/en_us/products/tecnomatix/production_management/factorylink/index.shtml
Versions:     <= 8.0.1.1473
Date:         21 Mar 2011 (found 02 Jan 2011)
Author:       Luigi Auriemma
e-mail:       aluigi@autistici.org
web:          aluigi.org

#######################################################################

===============
Introduction
===============

From the vendor's website:
"Siemens FactoryLink monitors, supervises, and controls industrial processes by enabling customers to perfect their processes and products. Built on an advanced open architecture, FactoryLink delivers the highest performance and flexibility to customers building vertical applications in a wide range of industries. Highly scaleable, FactoryLink can be used to build virtually any size application, from the simplest Human-Machine Interface (HMI) systems to the most complex and demanding Supervisory Control and Data Acquisition (SCADA) systems."

Remote Stack Overflow:

======
Bug
======

CSService is a Windows service listening on port 7580.
The logging function is vulnerable to a buffer overflow caused by the usage of vsprintf with a stack buffer of 1024 bytes.
The vulnerability can be exploited remotely in various ways, such as passing a big path or filter string in the file-related operations (opcodes 6, 8 and 10).

===========
The Code
===========

http://aluigi.org/poc/factorylink_x.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17022-x.zip (factorylink_x.zip)

  factorylink_x 3 SERVER

#######################################################################

Arbitrary Files Reading and Listing:

======
Bug
======

CSService is a Windows service listening on port 7580.
All the file operations used by the service (opcodes 6, 8 and 10) allow arbitrary files and directories (absolute paths) to be specified, so an attacker can download any file from the server. Obviously it's also possible to specify directory traversal paths.

#######################################################################

===========
The Code
===========

http://aluigi.org/poc/factorylink_x.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17022-x.zip (factorylink_x.zip)

for downloading c:\boot.ini:

  factorylink_x 4 SERVER

for viewing the list of files in c:\:

  factorylink_x 5 SERVER

#######################################################################

Remote Memory Corruption:

======
Bug
======

vrn.exe is a server listening on port 7579 when a project is started.
There is a particular function used to parse the text fields located in the strings of opcode 10. It copies the string delimited by a ';' or a space into the stack buffer provided by the callee function, causing a stack overflow that allows a certain control over the code flow (for example changing the lower 8 bits of the return address, or another exception).
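The vsprintf logging bug in CSService and the ';'/space field copies in vrn.exe share one root cause: a copy into a fixed stack buffer with no capacity check. As an added example (not code from the advisory or from FactoryLink; the function names are hypothetical), here are bounded versions of both patterns in C, where the caller states the capacity and oversized input is rejected rather than written past the buffer.

```c
/* Added example (not from the advisory or the vendor): bounded versions of
 * the two copy patterns the advisory describes as overflowing stack buffers.
 * Function names are hypothetical. */
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy one field, delimited by ';' or ' ' (or end of input), from src into
 * dst. The caller passes dst's capacity; the copy never exceeds it and dst is
 * always NUL-terminated. Returns the number of bytes copied, or -1 if the
 * field did not fit (the unbounded pattern copies until the delimiter). */
long copy_field(const char *src, char *dst, size_t cap)
{
    size_t n = 0;
    if (cap == 0) return -1;
    while (src[n] != '\0' && src[n] != ';' && src[n] != ' ') {
        if (n + 1 >= cap) {      /* leave room for the terminator */
            dst[0] = '\0';
            return -1;           /* reject instead of overflowing */
        }
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    return (long)n;
}

/* Format a log line into a 1024-byte buffer (the size the advisory gives)
 * with vsnprintf instead of vsprintf. Returns the length written, or -1 if
 * the message was truncated, so callers can log the event and stop. */
#define LOG_BUF 1024
int log_fmt(char *out, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, LOG_BUF, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= LOG_BUF) {
        return -1;   /* oversized input no longer runs past the buffer */
    }
    return n;
}
```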
#######################################################################

===========
The Code
===========

http://aluigi.org/poc/factorylink_3.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17022-3.zip (factorylink_3.zip)

  nc SERVER 7579 < factorylink_3.dat

#######################################################################

Remote Stack Overflow:

======
Bug
======

vrn.exe is a server listening on port 7579 when a project is started.
There is a particular function used to parse the text fields located in the strings of opcode 9. It copies the string delimited by a ';' or a space into the stack buffer provided by the callee function, causing a classical stack overflow.

#######################################################################

===========
The Code
===========

http://aluigi.org/poc/factorylink_4.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17022-4.zip (factorylink_4.zip)

  nc SERVER 7579 < factorylink_4.dat

#######################################################################

Arbitrary File Download:

======
Bug
======

vrn.exe is a server listening on port 7579 when a project is started.
Opcode 8 can be used to download any arbitrary file on the system by specifying the full path (UNC too) or a directory traversal.

#######################################################################

===========
The Code
===========

http://aluigi.org/poc/factorylink_5.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17022-5.zip (factorylink_5.zip)

download c:\boot.ini:

  nc SERVER 7579 < factorylink_5.dat

#######################################################################

======
Bug
======

CSService, connsrv and datasrv are various Windows services.
All these services are vulnerable to some Denial of Service vulnerabilities that allow them to be crashed through NULL pointer dereferences, stack exhaustion and raised exceptions.
#######################################################################

===========
The Code
===========

http://aluigi.org/poc/factorylink_x.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17022-x.zip (factorylink_x.zip)

  factorylink_x 1 SERVER
  factorylink_x 2 SERVER
  factorylink_x 6 SERVER
  factorylink_x 7 SERVER

#######################################################################

======
Fix
======

No fix.

#######################################################################
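The file operations in CSService (opcodes 6, 8 and 10) and opcode 8 in vrn.exe accept absolute paths, UNC paths and directory traversal. As an added example (not code from the advisory or the vendor; the function names and the base directory are constructed), this C routine is the check a file-serving handler would apply to a client-supplied name before opening it, and it covers both separator styles rather than only the backslash form the advisory shows.

```c
/* Added example (not from the advisory or the vendor): confine a
 * client-supplied file name to a base directory. Names are hypothetical. */
#include <stdio.h>
#include <string.h>

/* Return 1 if name is a plain relative path that stays inside the base
 * directory, 0 otherwise. Rejects the forms the advisory lists: absolute
 * paths (leading slash or backslash), drive letters and UNC prefixes (any
 * ':' or a leading "\\"), and ".." components with either separator. */
int path_is_confined(const char *name)
{
    size_t seg = 0;                      /* length of the current component */
    if (name == NULL || name[0] == '\0') return 0;
    if (name[0] == '/' || name[0] == '\\') return 0;   /* absolute or UNC */
    if (strchr(name, ':') != NULL) return 0;           /* c:\..., streams */
    for (const char *p = name;; p++) {
        if (*p == '/' || *p == '\\' || *p == '\0') {
            if (seg == 0 && *p != '\0') return 0;      /* empty part, "a//b" */
            if (seg == 2 && p[-1] == '.' && p[-2] == '.') return 0;  /* ".." */
            if (*p == '\0') break;
            seg = 0;
        } else {
            seg++;
        }
    }
    return 1;
}

/* Join base and a confined name into out. Returns 0 on success, -1 when the
 * name is rejected or the result would not fit (truncation is an error). */
int build_safe_path(const char *base, const char *name, char *out, size_t cap)
{
    int n;
    if (!path_is_confined(name)) return -1;
    n = snprintf(out, cap, "%s\\%s", base, name);
    if (n < 0 || (size_t)n >= cap) return -1;
    return 0;
}
```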