#######################################################################

                             Luigi Auriemma

Application:  Wonderware Archestra SuiteLink
              http://www.wonderware.com
Versions:     current (it should be 59.x)
              the _Grow crash has been confirmed on versions 51.5 and
              older while the resource consumption is valid for all the
              versions
Platforms:    Windows
Bug:          Resource consumption (Denial of Service in older versions)
Exploitation: remote
Date:         11 May 2012
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

SuiteLink is a protocol used to allow various components of different
vendors (GE, Siemens, Wonderware itself and so on) to communicate and
exchange data through a central server running the slssvc service.

Additional info by other vendors:

  "SuiteLink supports data properties (VTQ) for Value, Time Stamp and
  Quality which are especially important for alarming, historical
  archiving and SCADA applications."

#######################################################################

======
2) Bug
======

UPDATE 13 May 2012:
Added additional information about the effects on different versions;
indeed the _Grow crash was tested on a previous version released in
2010 (version 51) and I have been able to test a more recent version
only today.
Note that version 51.5.0.0 is still distributed in the current
Historian and FsGateway products available on Intouch 10.5.

The slssvc service can receive packets of any size containing very long
unicode strings. These strings are duplicated various times, consuming
lots of resources (like memory) and CPU for some time, making the whole
system slow and almost impossible to use.

In versions released before 2011 like 51.5.0.0, on the other hand (if
there is the "_Grow" string inside the executable, it's vulnerable),
the slssvc service can be crashed remotely due to a long and
unallocatable unicode string when calling _Grow(). The following code
comes from the function that handles "guid + number + unicode string",
but it's possible that this bug can be exploited in other places where
it's necessary to allocate space for duplicating other strings:

  00404BE2  |. 57              PUSH EDI                                 ; /s
  00404BE3  |. 8816            MOV BYTE PTR DS:[ESI],DL                 ; |
  00404BE5  |. 895E 04         MOV DWORD PTR DS:[ESI+4],EBX             ; |
  00404BE8  |. 895E 08         MOV DWORD PTR DS:[ESI+8],EBX             ; |
  00404BEB  |. 895E 0C         MOV DWORD PTR DS:[ESI+C],EBX             ; |
  00404BEE  |. FF15 30714000   CALL DWORD PTR DS:[<&MSVCRT.wcslen>]     ; \wcslen
  00404BF4  |. 83C4 04         ADD ESP,4
  00404BF7  |. 8BF8            MOV EDI,EAX
  00404BF9  |. 8BCE            MOV ECX,ESI
  00404BFB  |. 6A 01           PUSH 1
  00404BFD  |. 57              PUSH EDI
  00404BFE  |. FF15 E4704000   CALL DWORD PTR DS:[<&MSVCP60.?_Grow@>    ; MSVCP60.?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z
  ...
  0034F761     C640 FF 00      MOV BYTE PTR DS:[EAX-1],0                ; EAX is 2

In the most recent versions like 56.x the crash isn't reached because
that part of the code has been modified and _Grow is no longer used in
the software: the vendor opted for a classical "basic_string"
allocator. Obviously the resource consumption problem affects all the
versions.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/suitelink_1.zip

PoC updated to test the vulnerability infinitely.

#######################################################################

======
4) Fix
======

No fix.

#######################################################################
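The defect class described in section 2 (a string length taken straight from the packet, then used to size an allocation and a copy) is easiest to see next to its hardened form. The following C is an added example written for this page; it is not the advisory's PoC nor Wonderware's code, and it assumes nothing about the real SuiteLink wire format: the field name, the 8192-unit receive buffer and the 4096-character cap are constructed values standing in for whatever limits the protocol's own field definitions would justify.

```c
/* Added example: unbounded vs. bounded duplication of a UTF-16 string taken
   from a received packet. Not SuiteLink code; all limits are assumptions. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef uint16_t u16char;              /* UTF-16 code unit, like Windows WCHAR */

#define RECV_BUF_CHARS    8192         /* assumed size of the receive buffer  */
#define MAX_STRING_CHARS  4096         /* assumed per-field cap, not a vendor value */

enum dup_status {
    DUP_OK           =  0,
    DUP_UNTERMINATED = -1,             /* no terminator inside the packet     */
    DUP_TOO_LONG     = -2,             /* exceeds the protocol-level cap      */
    DUP_NOMEM        = -3              /* allocation refused                  */
};

/* Length of a UTF-16 string, scanning at most 'avail' code units. Returns
   'avail' when no terminator was found, so the scan never leaves the packet. */
static size_t u16_nlen(const u16char *s, size_t avail)
{
    size_t n = 0;
    while (n < avail && s[n] != 0)
        n++;
    return n;
}

/* The vulnerable pattern the advisory describes: wcslen() on packet data,
   then an allocation sized purely by the attacker-controlled length. A huge
   string means a huge allocation (resource exhaustion), and an allocation
   that cannot be satisfied is the _Grow() crash in the older versions. */
u16char *dup_unbounded(const u16char *s)
{
    size_t n = 0;
    while (s[n] != 0)                  /* also reads past the packet if unterminated */
        n++;
    u16char *copy = malloc((n + 1) * sizeof *copy);
    if (copy == NULL)
        return NULL;
    memcpy(copy, s, (n + 1) * sizeof *copy);
    return copy;
}

/* Hardened form: confirm the terminator lies inside the received bytes and
   enforce a fixed cap before touching the allocator. Rejected packets cost
   the service nothing beyond the scan of at most 'avail_chars' units. */
int dup_bounded(const u16char *s, size_t avail_chars, u16char **out)
{
    *out = NULL;
    size_t n = u16_nlen(s, avail_chars);
    if (n == avail_chars)
        return DUP_UNTERMINATED;
    if (n > MAX_STRING_CHARS)
        return DUP_TOO_LONG;
    u16char *copy = malloc((n + 1) * sizeof *copy);
    if (copy == NULL)
        return DUP_NOMEM;
    memcpy(copy, s, (n + 1) * sizeof *copy);
    *out = copy;
    return DUP_OK;
}

/* Drives dup_bounded() over a constructed packet (not captured traffic):
   'count' UTF-16 'A' characters, terminated or not, inside a full receive
   buffer. Returns the status code; -99 if an accepted copy is malformed. */
int demo_case(size_t count, int terminated)
{
    static u16char buf[RECV_BUF_CHARS];
    for (size_t i = 0; i < RECV_BUF_CHARS; i++)
        buf[i] = (u16char)'A';
    if (count >= RECV_BUF_CHARS)
        count = RECV_BUF_CHARS - 1;
    if (terminated)
        buf[count] = 0;

    u16char *copy = NULL;
    int rc = dup_bounded(buf, RECV_BUF_CHARS, &copy);
    if (rc == DUP_OK) {
        if (u16_nlen(copy, count + 1) != count)
            rc = -99;
        free(copy);
    }
    return rc;
}

int main(void)
{
    /* A short terminated field is accepted; an over-cap or unterminated
       field is rejected before any allocation happens. */
    return (demo_case(10, 1) == DUP_OK &&
            demo_case(5000, 1) == DUP_TOO_LONG &&
            demo_case(5000, 0) == DUP_UNTERMINATED) ? 0 : 1;
}
```

The two functions differ only in where the length comes from: `dup_unbounded()` trusts the packet, `dup_bounded()` trusts the receive buffer size and a cap the protocol designer chose. For a service like slssvc the cap would be set from the maximum a legitimate tag name or GUID field can carry, and a rejected packet is worth logging as a detection signal since no well-behaved client sends fields that long.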