#######################################################################

                             Luigi Auriemma

Application:  Iconics GENESIS32 and GENESIS64
              http://www.iconics.com/Home/Products/HMI-and-SCADA/GENESIS32.aspx
              http://www.iconics.com/Home/Products/HMI-and-SCADA/GENESIS64.aspx
Versions:     GENESIS32 <= 9.21
              GENESIS64 <= 10.51
              GenBroker.exe and GenBroker64.exe are the same version in
              both products: 9.21.201.01
Platforms:    Windows
Bug:          integer overflow
Exploitation: remote, versus server
Date:         21 Mar 2011 (found 08 Jan 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Iconics Genesis is a SCADA HMI solution used worldwide, with customers
ranging from the Beijing Traffic Control Center to the Pentagon and even
Poste Italiane (source: the vendor's "Case Studies").

Information from the vendor's website:

"GENESIS32™ is the industry's first and only fully scalable suite of
OPC, SNMP, BACnet and Web-enabled HMI and SCADA applications."

#######################################################################

======
2) Bug
======

GenBroker is a Windows service listening on port 38080.
The addresses and code snippets reported here refer to GENESIS32 9.2.

The service is affected by an integer overflow vulnerability in the
handling of opcode 0x4b2: the memory needed to build some arrays is
allocated from a multiple of the number of elements passed by the
client, which is trusted without any overflow check. The resulting
memory corruptions (such as direct calls through registers or memory
locations, writes of data to arbitrary locations, and so on) allow code
execution.

Fields in the packet:

  32    malloc(x * 4)

Vulnerable code:

  0044B2E9  |.  8B17            MOV EDX,DWORD PTR DS:[EDI]    ; get 32bit
  0044B2EB  |.  C1E2 02         SHL EDX,2                     ; * 4
  0044B2EE  |.  52              PUSH EDX
  0044B2EF  |.  8947 08         MOV DWORD PTR DS:[EDI+8],EAX
  0044B2F2  |.  E8 C1BE0500     CALL                          ; malloc
  0044B2F7  |.  8947 0C         MOV DWORD PTR DS:[EDI+C],EAX
  0044B2FA  |.  8B07            MOV EAX,DWORD PTR DS:[EDI]
  0044B2FC  |.  C1E0 02         SHL EAX,2                     ; * 4
  0044B2FF  |.  50              PUSH EAX
  0044B300  |.  E8 B3BE0500     CALL                          ; malloc
  0044B305  |.  8B0F            MOV ECX,DWORD PTR DS:[EDI]
  0044B307  |.  C1E1 03         SHL ECX,3                     ; * 8
  0044B30A  |.  51              PUSH ECX
  0044B30B  |.  8947 10         MOV DWORD PTR DS:[EDI+10],EAX
  0044B30E  |.  E8 A5BE0500     CALL                          ; malloc
  0044B313  |.  8B17            MOV EDX,DWORD PTR DS:[EDI]
  0044B315  |.  C1E2 02         SHL EDX,2                     ; * 4
  0044B318  |.  52              PUSH EDX
  0044B319  |.  8947 14         MOV DWORD PTR DS:[EDI+14],EAX
  0044B31C  |.  E8 97BE0500     CALL                          ; malloc

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/genesis_iof.zip

  genesis_iof 4 SERVER

#######################################################################

======
4) Fix
======

No fix.

UPDATE 08 Apr 2011:
GenBroker.exe 9.22.202.11

#######################################################################
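The allocation pattern from section 2, shown as an added defensive example in C that is neither the advisory's proof-of-concept nor ICONICS code. It emulates the 32-bit `SHL EDX,2` size computation so the wrap-around is visible, and places beside it a hardened allocator that bounds the client-supplied count and uses a checked multiply before allocating. The helper names (`unchecked_size32`, `alloc_array_checked`, `packet_count_is_safe`), the `max_count` ceiling, the sample packets and the assumption that the count is a 4-byte little-endian field at the start of the packet body (taken from the `32  malloc(x * 4)` field note) are all constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Emulates the size computation in the disassembly: a client-supplied
 * 32-bit element count is shifted left by 2 in a 32-bit register, so the
 * product wraps modulo 2^32 before it ever reaches malloc. */
uint32_t unchecked_size32(uint32_t count)
{
    return count << 2;          /* 0x40000001 << 2 wraps to 4 */
}

/* Checked multiply: returns 1 and stores count * elem_size in *out when
 * the product fits in 32 bits, 0 when it would wrap. */
int checked_size32(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return 0;
    *out = count * elem_size;
    return 1;
}

/* Hardened allocation of a client-sized array (hypothetical helper):
 * rejects a zero count, rejects counts above a protocol-specific ceiling,
 * and refuses any product that would wrap. calloc also zero-fills. */
void *alloc_array_checked(uint32_t count, uint32_t elem_size, uint32_t max_count)
{
    uint32_t bytes;
    if (count == 0 || count > max_count)
        return NULL;
    if (!checked_size32(count, elem_size, &bytes))
        return NULL;
    return calloc(count, elem_size);
}

/* Reads the 32-bit little-endian element count assumed (constructed
 * layout) to sit at the start of the packet body; 0 if too short. */
int read_count_le(const uint8_t *pkt, size_t len, uint32_t *count)
{
    if (pkt == NULL || len < 4)
        return 0;
    *count = (uint32_t)pkt[0] | ((uint32_t)pkt[1] << 8) |
             ((uint32_t)pkt[2] << 16) | ((uint32_t)pkt[3] << 24);
    return 1;
}

/* Decides whether a packet's count may drive the four allocations seen in
 * the disassembly (three arrays of 4-byte elements, one of 8-byte
 * elements). Returns 1 only when every allocation would be safe. */
int packet_count_is_safe(const uint8_t *pkt, size_t len, uint32_t max_count)
{
    uint32_t count, bytes;
    if (!read_count_le(pkt, len, &count))
        return 0;
    if (count == 0 || count > max_count)
        return 0;
    /* the 8-byte array is the tightest constraint, so check that one */
    return checked_size32(count, 8, &bytes);
}

int main(void)
{
    /* Constructed sample packets: a count of 0x40000001 (wraps under
     * the unchecked shift) and a count of 16. */
    static const uint8_t hostile[4] = { 0x01, 0x00, 0x00, 0x40 };
    static const uint8_t benign[4]  = { 0x10, 0x00, 0x00, 0x00 };

    printf("unchecked size for 0x40000001 elements: %u bytes\n",
           unchecked_size32(0x40000001u));
    printf("wrapping packet accepted: %d\n",
           packet_count_is_safe(hostile, sizeof hostile, 65536));
    printf("benign packet accepted:   %d\n",
           packet_count_is_safe(benign, sizeof benign, 65536));

    void *p = alloc_array_checked(16, 8, 65536);
    printf("checked alloc of 16 x 8 bytes: %s\n", p ? "ok" : "refused");
    free(p);
    return 0;
}
```

The ceiling check matters as much as the checked multiply: a count that does not wrap can still request gigabytes, so a server should reject anything above what the protocol legitimately needs rather than only what overflows.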