#######################################################################

                             Luigi Auriemma

Application:  Proficy HMI/SCADA - iFIX
              http://www.ge-ip.com/products/family/proficy_hmiscada_ifix
Versions:     Historian Data Archiver <= 4.0 SIM7 and 3.5 SIM14
Platforms:    Windows
Bug:          memory corruption
Exploitation: remote, versus server
Date:         probably found 18 Jan 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

#######################################################################

======
2) Bug
======

ihDataArchiver.exe is a service running on port 14000.

The protocol is composed of:

- 2 bytes: magic
- 0x26 bytes: header
- optional 4 bytes: a 32-bit value containing some options
- data

The "data" field is composed of an initial header of variable size (its
length is specified at offset 0xc of this field) followed by a list of
chunks. Each chunk consists of a 0x14-byte header, which specifies the
"property", the type of the content and its size, followed by the data.

Various types of data exist, but some of them can be forced on
properties that expect different types, with the effect of corrupting
memory and allowing code execution. The types that can be forced and
cause problems are 6, 7, 8, 10 and 12; their effects range from the
freeing of arbitrary memory to the writing of data at arbitrary
addresses.

The vulnerable function is visible at address 004192b0 of Historian 3.5
SIM11.
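The following is an added example, not part of this advisory or of the vendor's code: a small Python validator that walks a "data" field in the structure just described and reports chunks whose declared content type does not match the type the property expects (the property/type list given later in this advisory), marking types 6, 7, 8, 10 and 12 as the dangerous ones. The advisory gives the sizes but not the field offsets inside the 0x14-byte chunk header, so the layout used here (uint32 property, uint32 type, uint32 size, 8 reserved bytes), the 32-bit width of the length at offset 0xc and the little-endian byte order are all assumptions; the sample messages are constructed for the demonstration.

```python
"""
Structural validator for the ihDataArchiver "data" field (added example).

Layout assumptions, since the advisory gives sizes but not field offsets:
  - the initial header's total length is a little-endian uint32 at offset 0xc
    (the advisory names the offset; width and endianness are assumed);
  - each 0x14-byte chunk header is uint32 property, uint32 type, uint32 size,
    followed by 8 bytes assumed reserved, then `size` bytes of chunk data.
"""
import struct
from typing import Iterator, List, Tuple

# Property -> expected content type, transcribed from the advisory's list.
_PROPERTY_TYPES_TEXT = """
0x00 7   0x01 12  0x02 3   0x03 12  0x04 3   0x05 3
0x06 3   0x07 7   0x08 1   0x09 1   0x0a 10  0x0b 3
0x0c 12  0x0d 7   0x0e 7   0x0f 3   0x10 3   0x11 3
0x12 12  0x13 3   0x14 7   0x15 7   0x16 7   0x17 9
0x18 7   0x19 9   0x1a 9   0x1b 3   0x1c 3   0x1d 3
0x1e 3   0x1f 12  0x20 3   0x21 3   0x22 1   0x23 3
0x24 3   0x25 3   0x26 7   0x27 1   0x28 3   0x29 7
0x2a 3   0x2b 3   0x2c 3   0x2d 12  0x2e 1   0x2f 7
0x30 3   0x31 3   0x32 12  0x33 12  0x34 12  0x35 9
0x36 9   0x37 7   0x38 12  0x39 3   0x3a 7   0x3b 3
0x3c 12  0x3d 7   0x3e 12  0x3f 7   0x40 12  0x41 12
0x42 7   0x43 3   0x44 3   0x45 12  0x46 12  0x47 7
0x48 9   0x49 7   0x4a 3   0x4b 3   0x4c 3   0x4d 3
0x4e 3   0x4f 3   0x50 7   0x51 7   0x52 7   0x53 7
0x54 7   0x55 3   0x56 7   0x57 3   0x58 3   0x59 12
0x5a 12  0x5b 1   0x5c 3   0x5d 3   0x5e 3   0x5f 7
0x60 7   0x61 1   0x62 1   0x63 7   0x64 3   0x65 3
0x66 12  0x67 3   0x68 3   0x69 7   0x6a 3   0x6b 10
0x6c 10  0x6d 10  0x6e 12  0x6f 12  0x70 3   0x71 9
0x72 9   0x73 1   0x74 1   0x75 7   0x76 1
"""
_tok = _PROPERTY_TYPES_TEXT.split()
EXPECTED_TYPE = {int(p, 16): int(t) for p, t in zip(_tok[0::2], _tok[1::2])}

# Types the advisory reports as corrupting memory when forced on a property
# that expects a different type.
DANGEROUS_TYPES = {6, 7, 8, 10, 12}

DATA_HEADER_LEN_OFFSET = 0x0C   # from the advisory
CHUNK_HEADER_LEN = 0x14         # from the advisory


def parse_chunks(data: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (property, type, payload) per chunk; raise ValueError on truncation."""
    if len(data) < DATA_HEADER_LEN_OFFSET + 4:
        raise ValueError("data field too short to hold its header length")
    hdr_len = struct.unpack_from("<I", data, DATA_HEADER_LEN_OFFSET)[0]
    if hdr_len < DATA_HEADER_LEN_OFFSET + 4 or hdr_len > len(data):
        raise ValueError(f"implausible data header length {hdr_len:#x}")
    pos = hdr_len
    while pos < len(data):
        if len(data) - pos < CHUNK_HEADER_LEN:
            raise ValueError(f"truncated chunk header at offset {pos:#x}")
        prop, ctype, size = struct.unpack_from("<III", data, pos)
        pos += CHUNK_HEADER_LEN
        # The size is sender-controlled: bound it before slicing anything.
        if size > len(data) - pos:
            raise ValueError(f"chunk at {pos - CHUNK_HEADER_LEN:#x} claims "
                             f"{size} bytes, only {len(data) - pos} remain")
        yield prop, ctype, data[pos:pos + size]
        pos += size


def check_data_field(data: bytes) -> List[str]:
    """Return a list of findings; an empty list means structurally consistent."""
    findings: List[str] = []
    try:
        for i, (prop, ctype, _payload) in enumerate(parse_chunks(data)):
            expected = EXPECTED_TYPE.get(prop)
            if expected is None:
                findings.append(f"chunk {i}: unknown property {prop:#x}")
            elif ctype != expected:
                tag = "DANGEROUS" if ctype in DANGEROUS_TYPES else "mismatch"
                findings.append(f"chunk {i}: property {prop:#x} expects type "
                                f"{expected}, got {ctype} ({tag})")
    except ValueError as exc:
        findings.append(f"malformed: {exc}")
    return findings


def build_data_field(chunks, header_len: int = 0x10) -> bytes:
    """Assemble a data field in the assumed layout; used only to build samples."""
    hdr = bytearray(header_len)
    struct.pack_into("<I", hdr, DATA_HEADER_LEN_OFFSET, header_len)
    body = b"".join(struct.pack("<III", p, t, len(d)) + b"\0" * 8 + d
                    for p, t, d in chunks)
    return bytes(hdr) + body


if __name__ == "__main__":
    # Constructed samples: a consistent message, then one declaring type 7 on
    # property 0x02 (which expects type 3), the kind of mismatch described above.
    good = build_data_field([(0x02, 3, b"\x01\x00\x00\x00"), (0x08, 1, b"\x00")])
    bad = build_data_field([(0x02, 7, b"A" * 8)])
    for label, msg in (("good", good), ("bad", bad), ("truncated", bad[:-4])):
        print(label, check_data_field(msg) or "ok")
```

This is the consistency check a protocol-aware IDS or a filtering front end can apply on port 14000 traffic, and it is also the check the server itself should make before dispatching on the chunk type: the expected type is a function of the property, so a declared type that disagrees with it is never legitimate and can be rejected before any type-specific handler touches the payload.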
In my proof-of-concept I have opted for showing both types 7 and 8 at
the same time, since type 7 writes the size of the content and the
pointer to the allocated buffer (0 if not allocatable) in each
prototype's structure, overwriting adjacent prototypes if they are
smaller than 8 bytes (look at the various free(0x61616161) encountered),
and then type 8 writes a custom byte in an arbitrary memory location
(this effect is more visible with Historian 4.0).

The following is the list of available properties and their types; I
have cut the names to save space:

  prop type   prop type   prop type   prop type   prop type   prop type
  0x00 7      0x01 12     0x02 3      0x03 12     0x04 3      0x05 3
  0x06 3      0x07 7      0x08 1      0x09 1      0x0a 10     0x0b 3
  0x0c 12     0x0d 7      0x0e 7      0x0f 3      0x10 3      0x11 3
  0x12 12     0x13 3      0x14 7      0x15 7      0x16 7      0x17 9
  0x18 7      0x19 9      0x1a 9      0x1b 3      0x1c 3      0x1d 3
  0x1e 3      0x1f 12     0x20 3      0x21 3      0x22 1      0x23 3
  0x24 3      0x25 3      0x26 7      0x27 1      0x28 3      0x29 7
  0x2a 3      0x2b 3      0x2c 3      0x2d 12     0x2e 1      0x2f 7
  0x30 3      0x31 3      0x32 12     0x33 12     0x34 12     0x35 9
  0x36 9      0x37 7      0x38 12     0x39 3      0x3a 7      0x3b 3
  0x3c 12     0x3d 7      0x3e 12     0x3f 7      0x40 12     0x41 12
  0x42 7      0x43 3      0x44 3      0x45 12     0x46 12     0x47 7
  0x48 9      0x49 7      0x4a 3      0x4b 3      0x4c 3      0x4d 3
  0x4e 3      0x4f 3      0x50 7      0x51 7      0x52 7      0x53 7
  0x54 7      0x55 3      0x56 7      0x57 3      0x58 3      0x59 12
  0x5a 12     0x5b 1      0x5c 3      0x5d 3      0x5e 3      0x5f 7
  0x60 7      0x61 1      0x62 1      0x63 7      0x64 3      0x65 3
  0x66 12     0x67 3      0x68 3      0x69 7      0x6a 3      0x6b 10
  0x6c 10     0x6d 10     0x6e 12     0x6f 12     0x70 3      0x71 9
  0x72 9      0x73 1      0x74 1      0x75 7      0x76 1

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/ifix_2.zip

#######################################################################

======
4) Fix
======

http://www.zerodayinitiative.com/advisories/ZDI-12-133/

#######################################################################