####################################################################### Luigi Auriemma Application: Measuresoft ScadaPro http://www.measuresoft.com/products/scada-products.aspx Versions: <= 4.0.0 Platforms: Windows Bugs: arbitrary commands execution directory traversal in read, write and delete mode tons of stack overflow vulnerabilities various Denial of Service vulnerabilities Exploitation: remote Date: 13 Sep 2011 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== From vendor's website: "ScadaPro is Real Time Data Acquisition software for Microsoft Windows. Optimised to use the powerful real time, multi-tasking features of Windows, ScadaPro provides integrated data acquisition, monitoring, data logging, mimic development and report generation." ####################################################################### ======= 2) Bugs ======= service.exe is a service listening on port 11234. Initially I started to test this software as usual by checking all the operations performed by the various opcodes which are divided in a group identified by the second byte of the packet while the first one is the opcode for the final operation. The function that handles the various groups and opcodes is available at offset 004061F0. The problem is that there are so much security vulnerabilities and design problems in this service that makes non convenient to continue the tests so after the checking of the opcodes of the 'F' group and a quick scan of the others I stopped any test to avoid to waste other time. It means that there are for sure other vulnerabilities but the most importants (stack overflows, code execution and files access) have been covered in the 'F' group and the main stack overflows of all the groups can be catched with the simple scanner I linked in the next section. In short there are stack overflow vulnerabilities in almost all the supported commands and they are divided in sscanf and in-line strcpy functions like the following taken from the "TF" command: 0040A0D9 . 8D5424 38 LEA EDX,DWORD PTR SS:[ESP+38] 0040A0DD . 52 PUSH EDX 0040A0DE . 68 84D46700 PUSH service.0067D484 ; "%s" 0040A0E3 . 57 PUSH EDI 0040A0E4 . E8 12F20000 CALL service.004192FB ; sscanf ... 0040A114 > 8D5424 20 LEA EDX,DWORD PTR SS:[ESP+20] 0040A118 . 8BC7 MOV EAX,EDI 0040A11A . 2BD7 SUB EDX,EDI 0040A11C . 8D6424 00 LEA ESP,DWORD PTR SS:[ESP] 0040A120 > 8A08 MOV CL,BYTE PTR DS:[EAX] 0040A122 . 880C02 MOV BYTE PTR DS:[EDX+EAX],CL 0040A125 . 83C0 01 ADD EAX,1 0040A128 . 84C9 TEST CL,CL 0040A12A .^75 F4 JNZ SHORT service.0040A120 Obviously there are many Denial of Service bugs too. Then there is full control over the files to read and write and the possibility to use directory traversal attacks like in the "RF" and "wF" (the first char is lower because there is a check for avoiding its usage), example of the tab-separeted arguments: RF% filename ReadFile.nNumberOfBytesToRead SetFilePointer.lDistanceToMove SetFilePointer.dwMoveMethod CreateFile.dwDesiredAccess CreateFile.dwShareMode ??? CreateFile.dwCreationDisposition CreateFile.dwFlagsAndAttributes content if in write mode It's also possible to delete files and whole folders (included their files) via the "UF" and "NF" commands. Then it's possible to pass custom arguments to the backup commands like what happens with "BF", "OF" and "EF" while executing mszip because the arguments are not sanitized versus the injection of the '"' char. The program supports also other backup programs like tar and compress. And finally, through the "XF" command it's possible to execute an arbitrary function of a dll, for example the "system" one of msvcrt.dll for executing any desired custom command. ####################################################################### =========== 3) The Code =========== http://aluigi.org/testz/udpsz.zip only a simple scanner: udpsz -d 2 -c "xx%" -b a -X 0 16 l 0x6161 -T -l 0 SERVER 11234 0x2000 udpsz -d 2 -c "xx%test\t" -b a -X 0 16 l 0x6161 -T -l 0 SERVER 11234 0x2000 udpsz -d 2 -c "xx%test," -b a -X 0 16 l 0x6161 -T -l 0 SERVER 11234 0x2000 http://aluigi.org/poc/scadapro_1.zip nc SERVER 11234 < scadapro_1b.dat ; read c:\boot.ini nc SERVER 11234 < scadapro_1c.dat ; create c:\evil_file.txt nc SERVER 11234 < scadapro_1d.dat ; delete c:\valid_file.txt nc SERVER 11234 < scadapro_1e.dat ; execute notepad ####################################################################### ====== 4) Fix ====== No fix. UPDATE 15 Sep 2011: released version 4.0.1 that is no longer vulnerable. this service was a legacy IPC component not really necessary for the program so now it no longer accepts connections. #######################################################################