#######################################################################

                             Luigi Auriemma

Application:  DATAC RealWin
              http://www.dataconline.com/software/realwin.php
              http://www.realflex.com
Versions:     <= 2.1 (Build 6.1.10.10)
Platforms:    Windows
Bug:          stack overflow
Exploitation: remote, versus server
Date:         21 Mar 2011 (found 25 Nov 2010)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

"RealWin is a SCADA server package for medium / small applications."

#######################################################################

======
2) Bug
======

The part of the server listening on port 910 is vulnerable to several
buffer overflows that happen during the handling of the various
On_FC_BINFILE_FCS_*FILE packets. Each of these packets carries a string
containing a filename that is used to perform some file operations.
This filename is appended to a 256-byte stack buffer to build the full
path of the file in function 004275b0, and that append causes the
overflow.

The bugs are located in different functions, but I have grouped them in
this same advisory because the format and the performed operations are
similar.

List of the vulnerable functions:

- realwin_5a: 0042f770
- realwin_5b: 0042f670
- realwin_5c: 0042f9c0 -> 0042f770
- realwin_5d: 00427790
- realwin_5e: 004280b0
- realwin_5f: 00427880

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/realwin_5.zip

  nc SERVER 910 < realwin_5?.dat

#######################################################################

======
4) Fix
======

No fix.

#######################################################################
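The bug class described in section 2 (a filename from a network packet appended to a fixed 256-byte stack buffer while building a full path) is shown below in a small C program added here as an illustration. It is not RealWin's code and not taken from the proof-of-concept archive; the function names, the base directory C:\RealWin\files\ and the sample filenames are assumptions made for the example. It places the unbounded append beside a bounded version that measures the name against the remaining space and rejects anything that does not fit with its terminator, including the boundary case where the name exactly fills the buffer.

```c
#include <stdio.h>
#include <string.h>

/* Size of the stack buffer named in the advisory. */
#define PATH_BUF_SIZE 256
/* Assumed base directory; the real prefix is not given in the advisory. */
#define BASE_DIR "C:\\RealWin\\files\\"

/* Vulnerable pattern: the filename from the packet is appended to a fixed
 * 256-byte stack buffer without checking that it fits. Exercised below only
 * with a short, known-safe name; a longer name writes past 'path'. */
int build_path_unsafe(const char *name, char *out, size_t out_size)
{
    char path[PATH_BUF_SIZE];
    strcpy(path, BASE_DIR);
    strcat(path, name);                     /* unbounded append: the overflow */
    snprintf(out, out_size, "%s", path);
    return 0;
}

/* Hardened pattern: measure the name against the space that is left,
 * reject anything that does not fit with its terminator, and only then copy.
 * Returns 0 on success, -1 when the name is empty or too long. */
int build_path_safe(const char *name, char *out, size_t out_size)
{
    size_t base_len = strlen(BASE_DIR);
    size_t max_name, i;

    if (out_size <= base_len + 1)       /* no room for even one character */
        return -1;
    max_name = out_size - base_len - 1; /* characters that fit after the prefix */

    /* Bounded scan: name[i] is only read after name[0..i-1] were non-NUL,
     * so the scan never runs past the caller's string. */
    for (i = 0; i <= max_name; i++)
        if (name[i] == '\0')
            break;
    if (i == 0 || i > max_name)         /* empty, or too long for the buffer */
        return -1;

    memcpy(out, BASE_DIR, base_len);
    memcpy(out + base_len, name, i);
    out[base_len + i] = '\0';
    return 0;
}

/* Constructed stand-ins for the filename field of two packets (not real traffic). */
static const char SHORT_NAME[] = "alarm.log";
static char long_name[300];

static const char *make_long_name(void)
{
    memset(long_name, 'A', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';
    return long_name;
}

/* Returns 1 when a well-formed name produces the expected full path. */
int check_short_name_accepted(void)
{
    char out[PATH_BUF_SIZE];
    return build_path_safe(SHORT_NAME, out, sizeof out) == 0 &&
           strcmp(out, "C:\\RealWin\\files\\alarm.log") == 0;
}

/* Returns 1 when a 299-byte name is refused and the output buffer left untouched. */
int check_long_name_rejected(void)
{
    char out[PATH_BUF_SIZE] = "unchanged";
    return build_path_safe(make_long_name(), out, sizeof out) == -1 &&
           strcmp(out, "unchanged") == 0;
}

/* Returns 1 when the longest name that still fits is accepted at the limit. */
int check_boundary_name_accepted(void)
{
    char out[PATH_BUF_SIZE];
    char name[PATH_BUF_SIZE];
    size_t n = PATH_BUF_SIZE - strlen(BASE_DIR) - 1;   /* exactly fills the buffer */
    memset(name, 'B', n);
    name[n] = '\0';
    return build_path_safe(name, out, sizeof out) == 0 &&
           strlen(out) == PATH_BUF_SIZE - 1;
}

int main(void)
{
    char out[PATH_BUF_SIZE];
    build_path_unsafe(SHORT_NAME, out, sizeof out);   /* safe only because the name is short */
    printf("unsafe builder, short name : %s\n", out);
    printf("short name accepted        : %d\n", check_short_name_accepted());
    printf("boundary name accepted     : %d\n", check_boundary_name_accepted());
    printf("299-byte name rejected     : %d\n", check_long_name_rejected());
    return 0;
}
```

The hardened builder deliberately does not use strlen on the packet data: the length is measured only up to the space that is left, so a name that is not NUL-terminated within the packet cannot make the scan itself run away. Rejecting rather than truncating is the right choice here, since a silently shortened path would still name some file on the server.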