lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 26 Sep 2008 13:21:28 +0200
From: Reversemode <advisories@...ersemode.com>
To: bugtraq@...urityfocus.com
Subject: DATAC RealWin 2.0 SCADA Software - Remote PreaAuth Exploit

Hi

---------------------------------

http://www.dataconline.com/software/realwin.php

"RealWin is a SCADA server product which includes a FlexView HMI and
runs on current Microsoft Windows platforms (2000 and XP). It can
operate on a single PC or multiple PCs connected through a TCP/IP
network. It reads and maintains data returned from field devices using
drivers, stores data for historical access, runs Command Sequence
Language (CSL) scripts and generates alarms as defined in the system."

---------------------------------

The version available for download
(http://www.realflex.com/download/form.php) is likely an old one so
newer versions may, or may not, be vulnerable. Note that the server is
affected by other flaws, but this one is pretty clear and 100% reliable.

The bug is a classic stack overflow while processing a specially crafted
FC_INFOTAG/SET_CONTROL packet. RealWin server accepts connections from
FlewWin clients which use a propietary protocol. We can exploit this
flaw from remote without having valid credentials .
-----------
.text:0042BFFE                 call    sub_419690 ; Get Packet.PayloadLen

.text:0042C003                 movzx   ecx, ax
.text:0042C006                 mov     edx, ecx
.text:0042C008                 shr     ecx, 2
.text:0042C00B                 mov     esi, ebx

.text:0042C00D                 lea     edi, [esp+638h+var_2E0]
.text:0042C014                 rep movsd
.text:0042C016                 mov     ecx, edx
.text:0042C018                 and     ecx, 3

.text:0042C01B                 rep movsb
-----------

That's all, just for fun.

Regards,
Rubén.

View attachment "exploit_realwin.c" of type "text/plain" (6312 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ