####################################################################### Luigi Auriemma Application: Siemens Tecnomatix FactoryLink http://www.usdata.com/sea/FactoryLink/en/p_nav1.html http://www.plm.automation.siemens.com/en_us/products/tecnomatix/production_management/factorylink/index.shtml Versions: <= 8.0.1.1473 Platforms: Windows Bugs: Denial of Service vulnerabilities Exploitation: remote, versus server Date: 21 Mar 2011 (found 02 Jan 2011) Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== From vendor's website: "Siemens FactoryLink monitors, supervises, and controls industrial processes by enabling customers to perfect their processes and products. Built on an advanced open architecture, FactoryLink delivers the highest performance and flexibility to customers building vertical applications in a wide range of industries. Highly scaleable, FactoryLink can be used to build virtually any size application, from the simplest Human-Machine Interface (HMI) systems to the most complex and demanding Supervisory Control and Data Acquisition (SCADA) systems." ####################################################################### ======= 2) Bugs ======= CSService, connsrv and datasrv are various Windows services. All these services are vulneable to some Denial of Service vulnerabilities that allow to crash them due to NULL pointer dereferences, stack exaustions and raised exceptions. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/factorylink_x.zip factorylink_x 1 SERVER factorylink_x 2 SERVER factorylink_x 6 SERVER factorylink_x 7 SERVER ####################################################################### ====== 4) Fix ====== No fix. UPDATE 25 Mar 2011: version 802.82 #######################################################################