####################################################################### Luigi Auriemma Application: Iconics GENESIS32 and GENESIS64 http://www.iconics.com/Home/Products/HMI-and-SCADA/GENESIS32.aspx http://www.iconics.com/Home/Products/HMI-and-SCADA/GENESIS64.aspx Versions: GENESIS32 <= 9.21 GENESIS64 <= 10.51 GenBroker.exe and GenBroker64.exe are the same version on both the softwares: 9.21.201.01 Platforms: Windows Bug: integer overflow Exploitation: remote, versus server Date: 21 Mar 2011 (found 08 Jan 2011) Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== Iconics Genesis is a SCADA HMI solution used worldwide with customers that go from Beijing Traffic Control Center to the Pentagon and even Poste Italiane ("Case Studies" source). Informations from the vendor's website: "GENESIS32™ is the industry’s first and only fully scalable suite of OPC, SNMP, BACnet and Web-enabled HMI and SCADA applications." ####################################################################### ====== 2) Bug ====== GenBroker is a Windows service running on port 38080. The addresses and code snippets reported here are referred to GENESIS32 9.2. The service is affected by an integer overflow vulnerability during the handling of the opcodes 3f0, 138F,1390,1391,1392,1393, 1394, 1C86, 89a,89b, 450,451,454,455, 1C20,1C24 that make use of the function 0044d1c0. The problem is caused by the allocation of the memory needed for the creation of an array trusting the number of elements passed by the client. The resulting memory corruptions (like direct registry calls, memory locations calls, writing of data in arbitrary locations and so on) allow code execution. Fields in the packet: the format of the packets depend by the relative opcodes, the function 0044d1c0 reads a 32bit before the one used for the allocation. Vulnerable code: 0044D2A2 |. E8 C99EFCFF CALL 00417170 ; get 32bit 0044D2A7 |. 8D4424 1C LEA EAX,DWORD PTR SS:[ESP+1C] 0044D2AB |. 50 PUSH EAX 0044D2AC |. 8BCE MOV ECX,ESI 0044D2AE |. E8 BD9EFCFF CALL 00417170 0044D2B3 |. 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+10] 0044D2B7 |. 8D14CD 000000>LEA EDX,DWORD PTR DS:[ECX*8] ; * 8 0044D2BE |. 52 PUSH EDX 0044D2BF |. E8 F49E0500 CALL ; malloc ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/genesis_iof.zip genesis_iof 1 SERVER ####################################################################### ====== 4) Fix ====== No fix. UPDATE 08 Apr 2011: GenBroker.exe 9.22.202.11 #######################################################################