lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20110321161626.dd35cdc3.aluigi@autistici.org>
Date: Mon, 21 Mar 2011 16:16:26 +0000
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com
Subject: Vulnerabilities in some SCADA server softwares

The following are almost all the vulnerabilities I found for a quick
experiment some months ago in certain well known server-side SCADA
softwares still vulnerable in this moment.

In case someone doesn't know SCADA (like me before the tests): it's
just one or more softwares (usually a core, a graphical part and a
database) that allow people to monitor and control the various hardware
sensors and mechanisms located in industrial environments like nuclear
plants, refineries, gas pipelines, airports and other less and more
critical fields that go from the energy to the public infrastructures
and obviously also the small "normal" industries.

In technical terms the SCADA software is just the same as any other
software used everyday, so with inputs (in this case they are servers
so the input is the TCP/IP network) and vulnerabilities: stack and heap
overflows, integer overflows, arbitrary commands execution, format
strings, double and arbitrary memory frees, memory corruptions, directory
traversals, design problems and various other bugs.

Full-disclosure advisories and proof-of-concepts:

  Siemens Tecnomatix FactoryLink:
    http://aluigi.org/adv/factorylink_1-adv.txt
    http://aluigi.org/adv/factorylink_2-adv.txt
    http://aluigi.org/adv/factorylink_3-adv.txt
    http://aluigi.org/adv/factorylink_4-adv.txt
    http://aluigi.org/adv/factorylink_5-adv.txt
    http://aluigi.org/adv/factorylink_6-adv.txt (DoS only)

  Iconics GENESIS32 and GENESIS64:
    http://aluigi.org/adv/genesis_1-adv.txt
    http://aluigi.org/adv/genesis_2-adv.txt
    http://aluigi.org/adv/genesis_3-adv.txt
    http://aluigi.org/adv/genesis_4-adv.txt
    http://aluigi.org/adv/genesis_5-adv.txt
    http://aluigi.org/adv/genesis_6-adv.txt
    http://aluigi.org/adv/genesis_7-adv.txt
    http://aluigi.org/adv/genesis_8-adv.txt
    http://aluigi.org/adv/genesis_9-adv.txt
    http://aluigi.org/adv/genesis_10-adv.txt
    http://aluigi.org/adv/genesis_11-adv.txt
    http://aluigi.org/adv/genesis_12-adv.txt
    http://aluigi.org/adv/genesis_13-adv.txt

  7-Technologies IGSS (Interactive Graphical SCADA System):
    http://aluigi.org/adv/igss_1-adv.txt
    http://aluigi.org/adv/igss_2-adv.txt
    http://aluigi.org/adv/igss_3-adv.txt
    http://aluigi.org/adv/igss_4-adv.txt
    http://aluigi.org/adv/igss_5-adv.txt
    http://aluigi.org/adv/igss_6-adv.txt
    http://aluigi.org/adv/igss_7-adv.txt
    http://aluigi.org/adv/igss_8-adv.txt

  DATAC RealWin:
    http://aluigi.org/adv/realwin_2-adv.txt
    http://aluigi.org/adv/realwin_3-adv.txt
    http://aluigi.org/adv/realwin_4-adv.txt
    http://aluigi.org/adv/realwin_5-adv.txt
    http://aluigi.org/adv/realwin_6-adv.txt
    http://aluigi.org/adv/realwin_7-adv.txt
    http://aluigi.org/adv/realwin_8-adv.txt


--- 
Luigi Auriemma
http://aluigi.org

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ