lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1HURDW-00068w-RJ@gk.1.vg>
Date: Thu, 22 Mar 2007 18:33:08 +0100
From: "Lluis Mora" <llmora@...tralbit.com>
To: <bugtraq@...urityfocus.com>
Subject: [NB07-08] Multiple vulnerabilities in Takebishi Electric DeviceXplorer MELSEC OPC server


Multiple vulnerabilities in Takebishi Electric DeviceXplorer MELSEC OPC
server
============================================================================
==

OPC servers provide a standard way to interoperate automation and control
systems, bridging data from several industrial protocols such as DNP3,
MODBUS, etc. to a more standard data access interface. They are often used
in SCADA systems to consolidate network device information in a single
point; as such OPC servers are usually considered critical applications.

Takebishi Electric commercialises an OPC Server ("Takebishi.Melsec.1"), more
information is available at http://www.takebishi.co.jp/.

ANALYSIS
--------

The product presents various security vulnerabilities, allowing an attacker
with access to the OPC interface to arbitrarily read and write the process
memory, leading to the execution of attacker-provided code.

The vulnerabilities reside in the server implementation of the following OPC
Data Access interface methods:

 * IOPCServer::RemoveGroup

By providing specially crafted OPC handles the attacker can force the server
to access arbitrary memory in read/write operations which can be leveraged
to execute arbitrary code in the OPC server.

VULNERABLE VERSIONS
-------------------

The vulnerability has been verified to be present in the following version
of the server:

  Server name: DeviceXPlorer MELSEC OPC Server
  OPC Server CLSID: {582516F0-849F-11D0-B627-0000F8211D82}
  ProgID: Takebishi.Melsec.1
  Version: 3.11.6
  OS: Windows XP

The vulnerability was discovered during an OPC server group assessment for a
customer and is not known to be publicly exploited.

WORKAROUND
----------

The vendor has fixed the vulnerability and published an updated version.

ADDITIONAL INFORMATION
----------------------

This vulnerability was found and researched by:

  Lluis Mora        <llmora@...tralbit.com>
  Xavier Panadero   <xpanadero@...tralbit.com>

You can find the latest version of this advisory at:

http://www.neutralbit.com/

Disclosure timeline:

  12/Jan/2006: Vendor notified
  12/Jan/2006: US-CERT notified
  16/Mar/2006: Vendor published public advisory
  21/Mar/2006: Neutralbit advisory published

References:

  CERT: US-CERT Vulnerability Note VU#926551
  CVE:  CVE-2007-1319

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ