iconics genesis32 and genesis64 - Multiple Vulnerabilities

EDB-ID:

17023

CVE:

N/A




Platform:

Windows

Date:

2011-03-22


Sources:
http://aluigi.org/adv/genesis_1-adv.txt
http://aluigi.org/adv/genesis_2-adv.txt
http://aluigi.org/adv/genesis_3-adv.txt
http://aluigi.org/adv/genesis_4-adv.txt
http://aluigi.org/adv/genesis_5-adv.txt
http://aluigi.org/adv/genesis_6-adv.txt
http://aluigi.org/adv/genesis_7-adv.txt
http://aluigi.org/adv/genesis_8-adv.txt
http://aluigi.org/adv/genesis_9-adv.txt
http://aluigi.org/adv/genesis_10-adv.txt
http://aluigi.org/adv/genesis_11-adv.txt
http://aluigi.org/adv/genesis_12-adv.txt
http://aluigi.org/adv/genesis_13-adv.txt

Advisory Archive: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17023-adv.tar.gz (iconics_genesis_adv.tar.gz)
PoC Archive: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17023-poc.tar.gz (iconics_genesis_poc.tar.gz)

#######################################################################

                             Luigi Auriemma

Application:  Iconics GENESIS32 and GENESIS64
              http://www.iconics.com/Home/Products/HMI-and-SCADA/GENESIS32.aspx
              http://www.iconics.com/Home/Products/HMI-and-SCADA/GENESIS64.aspx
Versions:     GENESIS32 <= 9.21
              GENESIS64 <= 10.51
              GenBroker.exe and GenBroker64.exe are the same version on
              both the softwares: 9.21.201.01
Date:         21 Mar 2011 (found 08 Jan 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

===============
1) Introduction
===============

Iconics Genesis is a SCADA HMI solution used worldwide with customers
that go from Beijing Traffic Control Center to the Pentagon and even
Poste Italiane ("Case Studies" source).

Informations from the vendor's website:
"GENESIS32™ is the industry’s first and only fully scalable suite of
OPC, SNMP, BACnet and Web-enabled HMI and SCADA applications."

#######################################################################

Freeing of Arbitrary Memory:

======
Bug
======

GenBroker is a Windows service running on port 38080.

The addresses and code snippets reported here are referred to GENESIS32
9.2.

The service is affected by multiple freeing of initialized memory
pointers and arbitrary locations because:
- the functions that store the strings pointers read from the client
  automatically break the reading loop when the end of the packet is
  reached
- these functions use malloc instead of calloc so the memory is not
  cleared
- the functions that free the arrays don't know if and when the reading
  process stopped and so they call free() over all the elements
  specified by the attacker in his packet

The exploitability of these vulnerabilities depends by how the attacker
has corrupted the memory for forcing the freeing of arbitrary locations
through the sending of valid packets before the malformed one.
The service is multi-thread so there are many chances of exploitation.

The following is the full list of vulnerable opcodes and the read/free
functions to monitor (referred to version 9.2):

1) opcode 0x4b0:
    read loop: 0044ACC0 and 0044AD04
    free loop: 004446B0

2) opcode 0x4b2:
    read loop: 0044B360
    free loop: 004428F0

3) opcode 0x4b5:
    read loop: 0044C560
    free loop: 00443090

4) function 0044C6B0 used by opcodes 0xDAE and 0xDB0.
    read loop: 0044c800
    free loop: 00443160

5) opcodes 0x1BBC and 0x1BBD:
    read loop: 0044ca90
    free loop: 004432a0

#######################################################################

===========
The Code
===========

http://aluigi.org/poc/genesis_1.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17023-1.zip (genesis_1.zip)

#######################################################################

Remote Integer Overflow:

======
Bug
======

GenBroker is a Windows service running on port 38080.

The addresses and code snippets reported here are referred to GENESIS32
9.2.

The service is affected by an integer overflow vulnerability during the
handling of the opcodes 3f0, 138F,1390,1391,1392,1393,
1394, 1C86, 89a,89b, 450,451,454,455, 1C20,1C24 that make use of the
function 0044d1c0.

The problem is caused by the allocation of the memory needed for the
creation of an array trusting the number of elements passed by the
client.

The resulting memory corruptions (like direct registry calls, memory
locations calls, writing of data in arbitrary locations and so on)
allow code execution.

Fields in the packet:
  the format of the packets depend by the relative opcodes, the
  function 0044d1c0 reads a 32bit before the one used for the
  allocation.

Vulnerable code:
  0044D2A2  |.  E8 C99EFCFF   CALL 00417170                 ; get 32bit
  0044D2A7  |.  8D4424 1C     LEA EAX,DWORD PTR SS:[ESP+1C]
  0044D2AB  |.  50            PUSH EAX
  0044D2AC  |.  8BCE          MOV ECX,ESI
  0044D2AE  |.  E8 BD9EFCFF   CALL 00417170
  0044D2B3  |.  8B4C24 10     MOV ECX,DWORD PTR SS:[ESP+10]
  0044D2B7  |.  8D14CD 000000>LEA EDX,DWORD PTR DS:[ECX*8]  ; * 8
  0044D2BE  |.  52            PUSH EDX
  0044D2BF  |.  E8 F49E0500   CALL <JMP.&MFC71U.#265>       ; malloc


#######################################################################

===========
The Code
===========

http://aluigi.org/poc/genesis_iof.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17023-2.zip (genesis_iof.zip)

  genesis_iof 1 SERVER

#######################################################################

Remote Integer Overflow:

======
Bug
======

GenBroker is a Windows service running on port 38080.

The addresses and code snippets reported here are referred to GENESIS32
9.2.

The service is affected by an integer overflow vulnerability during the
handling of the opcode 0x453 caused by the allocation of the memory
needed for the creation of an array trusting the number of elements
passed by the client.

The resulting memory corruptions (like direct registry calls, memory
locations calls, writing of data in arbitrary locations and so on)
allow code execution.

Fields in the packet:
    string
    string
    string
    string
    32
    32
    32
    16
    32
    32
    32      malloc(x * 4)

Vulnerable code:
  0044BEB5  |.  E8 B6B2FCFF   CALL 00417170                         ; get 32bit
  0044BEBA  |.  8B03          MOV EAX,DWORD PTR DS:[EBX]
  0044BEBC  |.  3BC5          CMP EAX,EBP
  0044BEBE  |.  76 56         JBE SHORT 0044BF16
  0044BEC0  |.  C1E0 02       SHL EAX,2                             ; * 4
  0044BEC3  |.  50            PUSH EAX
  0044BEC4  |.  FF15 98FA8400 CALL DWORD PTR DS:[<&MSVCR71.malloc>] ; malloc

#######################################################################

===========
The Code
===========

http://aluigi.org/poc/genesis_iof.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17023-2.zip (genesis_iof.zip)

  genesis_iof 2 SERVER

#######################################################################

Remote Integer Overflow:

======
Bug
======

GenBroker is a Windows service running on port 38080.

The addresses and code snippets reported here are referred to GENESIS32
9.2.

The service is affected by three integer overflow vulnerabilities
during the handling of the opcode 0x4b0 caused by the allocation of the
memory needed for the creation of some arrays trusting the numbers of
elements passed by the client.

The resulting memory corruptions (like direct registry calls, memory
locations calls, writing of data in arbitrary locations and so on)
allow code execution.

Fields in the packet:
    string
    string
    32
    32
    32
    32
    32
    32
    32
    32
    32      malloc(x * 4)
    ...
    32      malloc(x * 4)
    ...
    32      malloc(x * 4)

Vulnerable code:
  0044AC26  |.  E8 45C5FCFF   CALL 00417170             ; get 32bit
  0044AC2B  |.  8B45 00       MOV EAX,DWORD PTR SS:[EBP]
  0044AC2E  |.  C1E0 02       SHL EAX,2                 ; * 4
  0044AC31  |.  50            PUSH EAX
  0044AC32  |.  E8 81C50500   CALL <JMP.&MFC71U.#265>   ; malloc
  ...
  0044AC95  |.  8B47 28       MOV EAX,DWORD PTR DS:[EDI+28]
  0044AC98  |.  C1E0 02       SHL EAX,2                 ; * 4
  0044AC9B  |.  50            PUSH EAX
  0044AC9C  |.  C74424 20 020>MOV DWORD PTR SS:[ESP+20],2
  0044ACA4  |.  E8 0FC50500   CALL <JMP.&MFC71U.#265>   ; malloc
  ...
  0044ACE9  |>  8B47 30       MOV EAX,DWORD PTR DS:[EDI+30]
  0044ACEC  |.  C1E0 02       SHL EAX,2                 ; * 4
  0044ACEF  |.  50            PUSH EAX
  0044ACF0  |.  E8 C3C40500   CALL <JMP.&MFC71U.#265>   ; malloc

#######################################################################

===========
The Code
===========

http://aluigi.org/poc/genesis_iof.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17023-2.zip (genesis_iof.zip)

  genesis_iof 3 SERVER

#######################################################################

Remote Integer Overflow:

======
Bug
======


GenBroker is a Windows service running on port 38080.

The addresses and code snippets reported here are referred to GENESIS32
9.2.

The service is affected by an integer overflow vulnerability during the
handling of the opcode 0x4b2 caused by the allocation of the memory
needed for the creation of some arrays trusting the number of elements
passed by the client.

The resulting memory corruptions (like direct registry calls, memory
locations calls, writing of data in arbitrary locations and so on)
allow code execution.

Fields in the packet:
    32      malloc(x * 4)

Vulnerable code:
  0044B2E9  |.  8B17          MOV EDX,DWORD PTR DS:[EDI]    ; get 32bit
  0044B2EB  |.  C1E2 02       SHL EDX,2                     ; * 4
  0044B2EE  |.  52            PUSH EDX
  0044B2EF  |.  8947 08       MOV DWORD PTR DS:[EDI+8],EAX
  0044B2F2  |.  E8 C1BE0500   CALL <JMP.&MFC71U.#265>       ; malloc
  0044B2F7  |.  8947 0C       MOV DWORD PTR DS:[EDI+C],EAX
  0044B2FA  |.  8B07          MOV EAX,DWORD PTR DS:[EDI]
  0044B2FC  |.  C1E0 02       SHL EAX,2                     ; * 4
  0044B2FF  |.  50            PUSH EAX
  0044B300  |.  E8 B3BE0500   CALL <JMP.&MFC71U.#265>       ; malloc
  0044B305  |.  8B0F          MOV ECX,DWORD PTR DS:[EDI]
  0044B307  |.  C1E1 03       SHL ECX,3                     ; * 8
  0044B30A  |.  51            PUSH ECX
  0044B30B  |.  8947 10       MOV DWORD PTR DS:[EDI+10],EAX
  0044B30E  |.  E8 A5BE0500   CALL <JMP.&MFC71U.#265>       ; malloc
  0044B313  |.  8B17          MOV EDX,DWORD PTR DS:[EDI]
  0044B315  |.  C1E2 02       SHL EDX,2                     ; * 4
  0044B318  |.  52            PUSH EDX
  0044B319  |.  8947 14       MOV DWORD PTR DS:[EDI+14],EAX
  0044B31C  |.  E8 97BE0500   CALL <JMP.&MFC71U.#265>       ; malloc

#######################################################################

===========
The Code
===========

http://aluigi.org/poc/genesis_iof.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17023-2.zip (genesis_iof.zip)

  genesis_iof 4 SERVER

#######################################################################

Remote Integer Overflow:

======
Bug
======

GenBroker is a Windows service running on port 38080.

The addresses and code snippets reported here are referred to GENESIS32
9.2.

The service is affected by an integer overflow vulnerability during the
handling of the opcode 0x4b5 caused by the allocation of the memory
needed for the creation of an array trusting the number of elements
passed by the client.

The resulting memory corruptions (like direct registry calls, memory
locations calls, writing of data in arbitrary locations and so on)
allow code execution.

Fields in the packet:
    string
    string
    32
    32
    32      malloc(x * 4)

Vulnerable code:
  0044C538  |.  E8 33ACFCFF   CALL 00417170                                 ; get 32bit
  0044C53D  |.  8B45 00       MOV EAX,DWORD PTR SS:[EBP]
  0044C540  |.  85C0          TEST EAX,EAX
  0044C542  |.  76 6C         JBE SHORT 0044C5B0
  0044C544  |.  8D1485 000000>LEA EDX,DWORD PTR DS:[EAX*4]                  ; * 4
  0044C54B  |.  52            PUSH EDX
  0044C54C  |.  FF15 C0FF8400 CALL DWORD PTR DS:[<&ole32.CoTaskMemAlloc>]   ;  ole32.CoTaskMemAlloc

#######################################################################

===========
The Code
===========

http://aluigi.org/poc/genesis_iof.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17023-2.zip (genesis_iof.zip)

  genesis_iof 5 SERVER

#######################################################################

Remote Integer Overflow:

======
Bug
======

GenBroker is a Windows service running on port 38080.

The addresses and code snippets reported here are referred to GENESIS32
9.2.

The service is affected by an integer overflow vulnerability during the
handling of the opcode 0x7d0 caused by the allocation of the memory
needed for the creation of an array trusting the number of elements
passed by the client.

The resulting memory corruptions (like direct registry calls, memory
locations calls, writing of data in arbitrary locations and so on)
allow code execution.

Fields in the packet:
    string
    string
    string
    32
    32      malloc(x * 4)

Vulnerable code:
  0044A44C  |.  E8 1FCDFCFF   CALL 00417170                 ; get 32bit
  0044A451  |.  8B03          MOV EAX,DWORD PTR DS:[EBX]
  0044A453  |.  85C0          TEST EAX,EAX
  0044A455  |.^ 74 C2         JE SHORT 0044A419
  0044A457  |.  8D0C85 000000>LEA ECX,DWORD PTR DS:[EAX*4]  ; * 4
  0044A45E  |.  51            PUSH ECX
  0044A45F  |.  E8 54CD0500   CALL <JMP.&MFC71U.#265>       ; malloc

#######################################################################

===========
The Code
===========

http://aluigi.org/poc/genesis_iof.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17023-2.zip (genesis_iof.zip)

  genesis_iof 6 SERVER

#######################################################################

Remote Integer Overflow:

======
Bug
======

GenBroker is a Windows service running on port 38080.

The addresses and code snippets reported here are referred to GENESIS32
9.2.

The service is affected by an integer overflow vulnerability during the
handling of the opcodes 0xdae and 0xdb0 that make use of the function
0044C6B0 caused by the allocation of the memory needed for the creation
of an array trusting the number of elements passed by the client.

The resulting memory corruptions (like direct registry calls, memory
locations calls, writing of data in arbitrary locations and so on)
allow code execution.

Vulnerable code:
  0044C7C8  |.  E8 A3A9FCFF   CALL 00417170                 ; get 32bit
  0044C7CD  |.  8B07          MOV EAX,DWORD PTR DS:[EDI]
  0044C7CF  |.  85C0          TEST EAX,EAX
  0044C7D1  |.^ 74 C5         JE SHORT 0044C798
  0044C7D3  |.  C1E0 02       SHL EAX,2                     ; * 4
  0044C7D6  |.  50            PUSH EAX
  0044C7D7  |.  E8 DCA90500   CALL <JMP.&MFC71U.#265>       ; malloc
  0044C7DC  |.  8B0F          MOV ECX,DWORD PTR DS:[EDI]
  0044C7DE  |.  C1E1 02       SHL ECX,2                     ; * 4
  0044C7E1  |.  51            PUSH ECX
  0044C7E2  |.  8947 04       MOV DWORD PTR DS:[EDI+4],EAX
  0044C7E5  |.  E8 CEA90500   CALL <JMP.&MFC71U.#265>       ; malloc

#######################################################################

Remote Integer Overflow:

===========
The Code
===========

http://aluigi.org/poc/genesis_iof.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17023-2.zip (genesis_iof.zip)

  genesis_iof 7 SERVER

#######################################################################

======
Bug
======

GenBroker is a Windows service running on port 38080.

The addresses and code snippets reported here are referred to GENESIS32
9.2.

The service is affected by an integer overflow vulnerability during the
handling of the opcode 0xfa4 caused by the allocation of the memory
needed for the creation of an array trusting the number of elements
passed by the client.

The resulting memory corruptions (like direct registry calls, memory
locations calls, writing of data in arbitrary locations and so on)
allow code execution.

Fields in the packet:
    32      malloc(x * 8)

Vulnerable code:
  0044495D  |.  E8 0E28FDFF   CALL 00417170                 ; get 32bit
  00444962  |.  8B07          MOV EAX,DWORD PTR DS:[EDI]
  00444964  |.  3BC5          CMP EAX,EBP
  00444966  |.^ 76 C7         JBE SHORT 0044492F
  00444968  |.  8D14C5 000000>LEA EDX,DWORD PTR DS:[EAX*8]  ; * 8
  0044496F  |.  52            PUSH EDX
  00444970  |.  E8 43280600   CALL <JMP.&MFC71U.#265>       ; malloc

#######################################################################

===========
The Code
===========

http://aluigi.org/poc/genesis_iof.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17023-2.zip (genesis_iof.zip)

  genesis_iof 8 SERVER

#######################################################################

Remote Integer Overflow:

======
Bug
======

GenBroker is a Windows service running on port 38080.

The addresses and code snippets reported here are referred to GENESIS32
9.2.

The service is affected by an integer overflow vulnerability during the
handling of the opcode 0xfa7 caused by the allocation of the memory
needed for the creation of an array trusting the number of elements
passed by the client.

The resulting memory corruptions (like direct registry calls, memory
locations calls, writing of data in arbitrary locations and so on)
allow code execution.

Fields in the packet:
    32      malloc(x * 4)

Vulnerable code:
  00444B0D  |.  E8 5E26FDFF   CALL 00417170                 ; get 32bit
  00444B12  |.  8B07          MOV EAX,DWORD PTR DS:[EDI]
  00444B14  |.  85C0          TEST EAX,EAX
  00444B16  |.^ 76 C1         JBE SHORT 00444AD9
  00444B18  |.  8D1485 000000>LEA EDX,DWORD PTR DS:[EAX*4]  ; * 4
  00444B1F  |.  52            PUSH EDX
  00444B20  |.  E8 93260600   CALL <JMP.&MFC71U.#265>       ; malloc

#######################################################################

===========
The Code
===========

http://aluigi.org/poc/genesis_iof.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17023-2.zip (genesis_iof.zip)

  genesis_iof 9 SERVER

#######################################################################

Remote Integer Overflow:

======
Bug
======

GenBroker is a Windows service running on port 38080.

The addresses and code snippets reported here are referred to GENESIS32
9.2.

The service is affected by an integer overflow vulnerability during the
handling of the opcodes 0x1BBC and 0x1BBD caused by the allocation of
the memory needed for the creation of an array trusting the number of
elements passed by the client.

The resulting memory corruptions (like direct registry calls, memory
locations calls, writing of data in arbitrary locations and so on)
allow code execution.

Fields in the packet:
    string
    string
    32
    string
    string
    string
    32      malloc(x * 4)

Vulnerable code:
  0044CA69  |.  E8 02A7FCFF   CALL 00417170                 ; get 32bit
  0044CA6E  |.  8B03          MOV EAX,DWORD PTR DS:[EBX]
  0044CA70  |.  85C0          TEST EAX,EAX
  0044CA72  |.  76 6C         JBE SHORT 0044CAE0
  0044CA74  |.  C1E0 02       SHL EAX,2                     ; * 4
  0044CA77  |.  50            PUSH EAX
  0044CA78  |.  E8 3BA70500   CALL <JMP.&MFC71U.#265>       ; malloc

#######################################################################

===========
The Code
===========

http://aluigi.org/poc/genesis_iof.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17023-2.zip (genesis_iof.zip)

  genesis_iof 10 SERVER

#######################################################################

Remote Integer Overflow:

======
Bug
======

GenBroker is a Windows service running on port 38080.

The addresses and code snippets reported here are referred to GENESIS32
9.2.

The service is affected an integer overflow vulnerability during the
handling of the opcode 0x1C84 caused by the allocation of the memory
needed for the creation of an array trusting the number of elements
passed by the client.

The resulting memory corruptions (like direct registry calls, memory
locations calls, writing of data in arbitrary locations and so on)
allow code execution.

Fields in the packet:
    string
    string
    32
    32      malloc(x * 16)

Vulnerable code:
  0044CBE2  |.  E8 89A5FCFF   CALL 00417170                 ; get 32bit
  0044CBE7  |.  8B03          MOV EAX,DWORD PTR DS:[EBX]
  0044CBE9  |.  3BC5          CMP EAX,EBP
  0044CBEB  |.  76 3C         JBE SHORT 0044CC29
  0044CBED  |.  C1E0 04       SHL EAX,4                     ; * 16
  0044CBF0  |.  50            PUSH EAX
  0044CBF1  |.  E8 C2A50500   CALL <JMP.&MFC71U.#265>       ; malloc

#######################################################################

===========
The Code
===========

http://aluigi.org/poc/genesis_iof.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17023-2.zip (genesis_iof.zip)

  genesis_iof 11 SERVER

#######################################################################

Remote Integer Overflow:

======
Bug
======

GenBroker is a Windows service running on port 38080.

The addresses and code snippets reported here are referred to GENESIS32
9.2.

The service is affected by an integer overflow vulnerability during the
handling of the opcode 0x26ac caused by the allocation of the memory
needed for the creation of an array trusting the number of elements
passed by the client.

The resulting memory corruptions (like direct registry calls, memory
locations calls, writing of data in arbitrary locations and so on)
allow code execution.

Fields in the packet:
    32      malloc(x * 4)

Vulnerable code:
  00445AC7  |.  E8 A416FDFF   CALL 00417170                 ; get 32bit
  00445ACC  |.  8B03          MOV EAX,DWORD PTR DS:[EBX]
  00445ACE  |.  85C0          TEST EAX,EAX
  00445AD0  |.^ 76 BE         JBE SHORT 00445A90
  00445AD2  |.  8D1485 000000>LEA EDX,DWORD PTR DS:[EAX*4]  ; * 4
  00445AD9  |.  52            PUSH EDX
  00445ADA  |.  E8 D9160600   CALL <JMP.&MFC71U.#265>       ; malloc

#######################################################################

===========
The Code
===========

http://aluigi.org/poc/genesis_iof.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17023-2.zip (genesis_iof.zip)

  genesis_iof 12 SERVER

#######################################################################

======
4) Fix
======

No fix.

#######################################################################