#######################################################################

                             Luigi Auriemma

Application:  DATAC RealWin
              http://www.dataconline.com/software/realwin.php
              http://www.realflex.com
Versions:     <= 2.1 (Build 6.1.10.10)
Platforms:    Windows
Bug:          stack overflow
Exploitation: remote, versus server
Date:         21 Mar 2011 (found 25 Nov 2010)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


"RealWin is a SCADA server package for medium / small applications."


#######################################################################

======
2) Bug
======


The part of the server listening on port 910 is vulnerable to a
stack-based buffer overflow in the handlers of the
On_FC_CGETTAG_FCS_GETTELEMETRY, On_FC_CGETTAG_FCS_GETCHANNELTELEMETRY,
On_FC_CGETTAG_FCS_SETTELEMETRY and On_FC_CGETTAG_FCS_SETCHANNELTELEMETRY
packets. The tag name taken from the packet is used, without any length
check, to build a file path in a stack buffer of about 200 bytes:

  sprintf(
    stack_buffer,
    "C:\\Program Files\\DATAC\\Real.Win\\DemoRW-1.06\\\\realflex\\data\\crt\\fwd\\tel\\%s.tel",
    input_string);

Because sprintf() is unbounded, any input string longer than the space
left after the fixed prefix writes past the end of the buffer and
overwrites what follows it on the stack.

The four bugs live in different functions, but they are grouped in this
advisory because the format string and the operations performed are
the same. List of the vulnerable functions (address in the realwin
binary, one per proof-of-concept file):

- realwin_7a: 00467050
- realwin_7b: 00467520
- realwin_7c: 00467860
- realwin_7d: 00467ce0


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/realwin_7.zip

One .dat file per vulnerable function:

  nc SERVER 910 < realwin_7?.dat


#######################################################################

======
4) Fix
======


No fix.


#######################################################################
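As an added worked example (not code from the advisory, from RealWin or from the PoC archive), the C below puts the unbounded sprintf() pattern from section 2 beside a bounded replacement, computes from the quoted format string how long a tag name has to be before it overruns the stack buffer, and rejects names containing path separators. The 200-byte buffer size is an assumption (the advisory only says "about 200 bytes"), and the 'A'-filled tag used as input is constructed here; it is not the content of the realwin_7?.dat files.

```c
#include <stdio.h>
#include <string.h>

/* Format pieces copied from the sprintf() call quoted in section 2 of the
 * advisory; "%s" sits between them. */
#define TEL_PATH_PREFIX \
    "C:\\Program Files\\DATAC\\Real.Win\\DemoRW-1.06\\\\realflex\\data\\crt\\fwd\\tel\\"
#define TEL_PATH_SUFFIX ".tel"

/* The advisory says "about 200 bytes"; 200 is an assumed size used only to
 * reason about the overflow threshold, not a value taken from the binary. */
#define TEL_STACK_BUF 200

/* The vulnerable pattern: an unbounded sprintf() of packet data into a fixed
 * stack buffer.  Kept for comparison only; calling it with a tag that does
 * not fit is the overflow (undefined behaviour), so main() never does. */
void build_tel_path_unchecked(char *stack_buffer, const char *tag)
{
    sprintf(stack_buffer, TEL_PATH_PREFIX "%s" TEL_PATH_SUFFIX, tag);
}

/* Bytes sprintf() writes for a given tag, NUL terminator included. */
size_t tel_path_bytes(const char *tag)
{
    return strlen(TEL_PATH_PREFIX) + strlen(tag) + strlen(TEL_PATH_SUFFIX) + 1;
}

/* Smallest tag length that makes the unchecked build overrun a buffer of
 * bufsize bytes (0 if even an empty tag already overruns it). */
size_t tel_min_overflow_tag_len(size_t bufsize)
{
    size_t fixed = tel_path_bytes("");
    return bufsize >= fixed ? bufsize - fixed + 1 : 0;
}

/* Hardened replacement: bounded write, explicit does-not-fit check (refuse
 * rather than silently truncate), and rejection of tag names that could
 * leave the tel\ directory.  Returns the path length, or -1 on rejection
 * with out left empty. */
int build_tel_path(char *out, size_t outsz, const char *tag)
{
    if (outsz == 0) return -1;
    out[0] = '\0';
    if (tag == NULL || tag[0] == '\0') return -1;
    if (strpbrk(tag, "\\/:") != NULL || strstr(tag, "..") != NULL) return -1;

    int n = snprintf(out, outsz, TEL_PATH_PREFIX "%s" TEL_PATH_SUFFIX, tag);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return n;
}

/* Builds into a static TEL_STACK_BUF-byte buffer; NULL if the tag is
 * rejected.  Convenience wrapper so results can be checked directly. */
const char *tel_path_static(const char *tag)
{
    static char buf[TEL_STACK_BUF];
    return build_tel_path(buf, sizeof buf, tag) > 0 ? buf : NULL;
}

/* Constructed input: a tag of len 'A' bytes, the shape of a PoC payload.
 * Returns 1 if the hardened builder accepts it, 0 if rejected, -1 if len
 * is too large for the local buffer. */
int tel_tag_of_len_accepted(size_t len)
{
    static char tag[1024];
    if (len >= sizeof tag) return -1;
    memset(tag, 'A', len);
    tag[len] = '\0';
    return tel_path_static(tag) != NULL;
}

int main(void)
{
    char buf[TEL_STACK_BUF];
    size_t limit = tel_min_overflow_tag_len(TEL_STACK_BUF);

    build_tel_path_unchecked(buf, "Tag1");   /* short name: fits, no overflow */
    printf("unchecked: %s\n", buf);
    printf("fixed part of the path is %zu bytes, so a tag of %zu+ bytes "
           "overruns a %d-byte buffer\n", tel_path_bytes(""), limit, TEL_STACK_BUF);
    printf("hardened, %zu-byte tag accepted: %d\n", limit - 1,
           tel_tag_of_len_accepted(limit - 1));
    printf("hardened, %zu-byte tag accepted: %d\n", limit,
           tel_tag_of_len_accepted(limit));
    printf("hardened, traversal tag accepted: %d\n",
           tel_path_static("..\\..\\x") != NULL);
    return 0;
}
```

The fixed prefix plus ".tel" and the terminator already consume 76 of the assumed 200 bytes, so a tag name of 125 bytes or more is enough to overrun the buffer; the bounded builder refuses exactly those inputs instead of truncating, because a silently truncated path would open a different file than the one named in the packet.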