progea movicon / powerhmi 11.2.1085 - Multiple Vulnerabilities

EDB-ID:

17842

CVE:

2011-3499 2011-3498 2011-3491

EDB Verified:

Author:

Luigi Auriemma

Type:

dos

Exploit:   /  

Platform:

Windows

Date:

2011-09-14

Vulnerable App: 
#######################################################################

                             Luigi Auriemma

Application:  Progea Movicon / PowerHMI
              http://www.progea.com
Versions:     <= 11.2.1085
Platforms:    Windows
Bug:          memory corruption
Exploitation: remote
Date:         13 Sep 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Movicon is an italian SCADA/HMI software.


#######################################################################

======
2-1) Bug
======


When the software runs a project it listens on port 808 for accepting
some HTTP requests.

The server is affected by a heap overflow caused by the usage of a
negative Content-Length field which allows to corrupt the memory
through "memcpy(heap_buffer, input, content_length_size)".


#######################################################################

===========
3-1) The Code
===========


http://aluigi.org/poc/movicon_1.dat
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17842-1.dat

  nc SERVER 808 < movicon_1.dat


#######################################################################

======
2-2) Bug
======


When the software runs a project it listens on port 808 for accepting
some HTTP requests.

The server is affected by a heap overflow caused by the usage of a
buffer of 8192 bytes for containing the incoming HTTP requests.


#######################################################################

===========
3-2) The Code
===========


http://aluigi.org/testz/udpsz.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/15707.zip

  udpsz -T -b 0x61 SERVER 808 10000


#######################################################################

======
2-3) Bug
======


When the software runs a project it listens on port 808 for accepting
some HTTP requests and on port 12233 for a particular "EIDP" protocol.

Through a too big size field in the "EIDP" packets tunnelled via the
web service (doesn't seem possible to exploit the bug via the original
port) it's possible to write a 0x00 byte in an arbitrary memory zone
higher than 0x7fffffff:

  00a29001 c6041100     mov byte ptr [ecx+edx],0    ds:0023:80616161=??

This limitation could make the bug interesting only in some 64bit
environments.


#######################################################################

===========
3-3) The Code
===========


http://aluigi.org/poc/movicon_3.dat
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17842-3.dat

  nc SERVER 808 < movicon_3.dat


#######################################################################

======
4) Fix
======


No fix.


#######################################################################
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services