Measuresoft ScadaPro <= 4.0.0 Multiple Vulnerabilities



EKU-ID: 990
Author: Luigi Auriemma    Published: 2011-09-15    Verified



#######################################################################

                             Luigi Auriemma

Application:  Measuresoft ScadaPro
              http://www.measuresoft.com/products/scada-products.aspx
Versions:     <= 4.0.0
Platforms:    Windows
Bugs:         arbitrary commands execution
              directory traversal in read, write and delete mode
              tons of stack overflow vulnerabilities
              various Denial of Service vulnerabilities
Exploitation: remote
Date:         13 Sep 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From vendor's website:
"ScadaPro is Real Time Data Acquisition software for Microsoft Windows.
Optimised to use the powerful real time, multi-tasking features of
Windows, ScadaPro provides integrated data acquisition, monitoring,
data logging, mimic development and report generation."


#######################################################################

=======
2) Bugs
=======


service.exe is a Windows service listening on TCP port 11234.

Initially I started to test this software as usual by checking all the
operations performed by the various opcodes, which are divided into
groups identified by the second byte of the packet, while the first byte
is the opcode for the final operation.
The function that handles the various groups and opcodes is located at
offset 004061F0.

The problem is that there are so many security vulnerabilities and
design problems in this service that it was not worth continuing the
tests, so after checking the opcodes of the 'F' group and a quick scan
of the others I stopped testing to avoid wasting more time.
This means that there are certainly other vulnerabilities, but the most
important ones (stack overflows, code execution and file access) have
been covered in the 'F' group, and the main stack overflows of all the
groups can be caught with the simple scanner linked in the next section.

In short, there are stack overflow vulnerabilities in almost all the
supported commands. They come from two patterns: sscanf with an
unbounded "%s" conversion into a fixed stack buffer, and inlined strcpy
loops that stop only at the NUL terminator, like the following taken
from the "TF" command:

  0040A0D9   . 8D5424 38      LEA EDX,DWORD PTR SS:[ESP+38]
  0040A0DD   . 52             PUSH EDX
  0040A0DE   . 68 84D46700    PUSH service.0067D484     ; "%s"
  0040A0E3   . 57             PUSH EDI
  0040A0E4   . E8 12F20000    CALL service.004192FB     ; sscanf
  ...
  0040A114   > 8D5424 20      LEA EDX,DWORD PTR SS:[ESP+20]
  0040A118   . 8BC7           MOV EAX,EDI
  0040A11A   . 2BD7           SUB EDX,EDI
  0040A11C   . 8D6424 00      LEA ESP,DWORD PTR SS:[ESP]
  0040A120   > 8A08           MOV CL,BYTE PTR DS:[EAX]
  0040A122   . 880C02         MOV BYTE PTR DS:[EDX+EAX],CL
  0040A125   . 83C0 01        ADD EAX,1
  0040A128   . 84C9           TEST CL,CL
  0040A12A   .^75 F4          JNZ SHORT service.0040A120
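The same two patterns written out in C, as an added example for this
advisory rather than ScadaPro's own code: a reading of the "TF" handler
listing above (unbounded sscanf("%s") into a stack buffer, then an inline
byte-copy loop) beside a bounded version that refuses oversized input. The
buffer size ARG_MAX and the function names are assumptions; the real frame
layout cannot be known from the listing alone.

```c
/* Added example, not ScadaPro's code.  ARG_MAX is an assumed buffer size. */
#include <stdio.h>
#include <string.h>

#define ARG_MAX 32

/* Vulnerable pattern.  "%s" has no width, so sscanf writes as many bytes
 * as the argument holds; the byte loop likewise stops only at the NUL.
 * Any argument of ARG_MAX bytes or more overwrites the saved frame. */
int tf_handler_vuln(const char *arg)
{
    char token[ARG_MAX];
    char copy[ARG_MAX];
    const char *s = arg;
    char *d = copy;
    if (sscanf(arg, "%s", token) != 1) return -1;
    do { *d++ = *s; } while (*s++);       /* inline strcpy, as in the listing */
    return (int)strlen(copy);
}

/* Hardened pattern.  The width in the format matches the buffer, and the
 * copy rejects input that does not fit instead of truncating silently,
 * which is what a handler should do for a field later used as a filename
 * or command argument.  Returns the copied length, or -1. */
int tf_handler_safe(const char *arg, char *out, size_t outsz)
{
    char token[ARG_MAX];
    if (sscanf(arg, "%31s", token) != 1) return -1;   /* 31 = ARG_MAX - 1 */
    const char *nul = memchr(arg, '\0', outsz);
    if (nul == NULL) return -1;                        /* too long: reject */
    size_t n = (size_t)(nul - arg);
    memcpy(out, arg, n + 1);
    return (int)n;
}
```

Note that the width in "%31s" must be maintained by hand whenever ARG_MAX
changes; a width-less "%s" is never safe on untrusted network input.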

Obviously there are many Denial of Service bugs too.

Then there is full control over the files to read and write, with the
possibility of directory traversal attacks, as in the "RF" and "wF"
commands (the first char is lowercase because there is a check that
blocks the uppercase form). Example of the tab-separated arguments:

  RF%
    filename
    ReadFile.nNumberOfBytesToRead
    SetFilePointer.lDistanceToMove
    SetFilePointer.dwMoveMethod
    CreateFile.dwDesiredAccess
    CreateFile.dwShareMode
    ???
    CreateFile.dwCreationDisposition
    CreateFile.dwFlagsAndAttributes
    content if in write mode

It's also possible to delete files and whole folders (including their
files) via the "UF" and "NF" commands.

Then it's possible to pass custom arguments to the backup commands, as
happens with "BF", "OF" and "EF" while executing mszip, because the
arguments are not sanitized against injection of the '"' char.
The program also supports other backup programs like tar and compress.

And finally, through the "XF" command it's possible to execute an
arbitrary function of a DLL, for example "system" from msvcrt.dll, to
run any desired command.
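The checks the service lacks, as an added example for this advisory (not
ScadaPro's or the author's code): a parser for the tab-separated "RF%"/"wF%"
argument layout listed above, a filename policy that rejects the traversal
and the '"' injection used against the backup commands, and a dispatcher
check that compares the opcode case-insensitively so "wF" gets the same
treatment as "WF". Assumptions: numeric fields are decimal ASCII, the "???"
field is treated as an opaque number, the 4 KB packet limit is arbitrary,
and the packets in the comments and tests are constructed.

```c
/* Added example, not ScadaPro's code.  Field encoding is an assumption. */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define RF_FIELDS 10          /* 9 header fields + optional write content */

struct rf_req {
    char opcode;              /* first byte: operation ('R' read, 'W' write) */
    char group;               /* second byte: opcode group ('F' = files) */
    int nfields;
    char *field[RF_FIELDS];   /* field[0] = filename, field[9] = content */
    unsigned long num[8];     /* fields 1..8 converted from decimal */
    char storage[4096];       /* private copy the field pointers point into */
};

/* Parse "<op><group>%f1\tf2\t...".  Returns 0 on success, -1 if the framing
 * is wrong, fewer than 9 fields are present, or a numeric field is not a
 * plain decimal number.  Anything after the 9th tab is kept verbatim as
 * the write content (it may itself contain tabs). */
int rf_parse(const char *pkt, struct rf_req *r)
{
    size_t len = strlen(pkt);
    memset(r, 0, sizeof *r);
    if (len < 4 || pkt[2] != '%' || len - 3 >= sizeof r->storage) return -1;
    r->opcode = pkt[0];
    r->group = pkt[1];
    memcpy(r->storage, pkt + 3, len - 2);          /* arguments plus NUL */
    char *p = r->storage;
    while (r->nfields < RF_FIELDS) {
        r->field[r->nfields++] = p;
        char *tab = strchr(p, '\t');
        if (!tab) break;
        *tab = '\0';
        p = tab + 1;
    }
    if (r->nfields < 9) return -1;
    for (int i = 1; i <= 8; i++) {
        char *end;
        if (*r->field[i] == '\0') return -1;
        r->num[i - 1] = strtoul(r->field[i], &end, 10);
        if (*end != '\0') return -1;
    }
    return 0;
}

/* Filename policy: a bare relative name under the service's data directory.
 * Rejects the traversal the advisory describes ("..", leading slash, drive
 * letter or UNC prefix) and the '"' character the backup commands pass to
 * mszip unsanitized. */
int path_is_safe(const char *name)
{
    if (*name == '\0' || *name == '\\' || *name == '/') return 0;
    if (strchr(name, ':') || strchr(name, '"')) return 0;
    if (strstr(name, "..")) return 0;
    return 1;
}

/* Dispatcher-level check.  The opcode is compared case-insensitively, so
 * "wF" cannot slip past a check aimed only at "WF".  Returns 1 if the
 * request may proceed, 0 otherwise. */
int rf_request_allowed(const struct rf_req *r, int allow_write)
{
    int op = toupper((unsigned char)r->opcode);
    if (r->group != 'F') return 0;
    if (op == 'W' && !allow_write) return 0;
    if (op != 'R' && op != 'W') return 0;
    return path_is_safe(r->field[0]);
}

/* Convenience wrapper: -1 = malformed, 0 = denied, 1 = allowed. */
int rf_check_packet(const char *pkt, int allow_write)
{
    struct rf_req r;
    if (rf_parse(pkt, &r) != 0) return -1;
    return rf_request_allowed(&r, allow_write);
}
```

Usage: rf_check_packet("RF%logs\\today.log\t4096\t0\t0\t2147483648\t1\t0\t3\t128", 0)
returns 1, while the same request with "..\\..\\boot.ini" or "c:\\boot.ini"
as the filename returns 0, and a "wF%" packet is denied unless the caller
has write permission, regardless of opcode case.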


#######################################################################

===========
3) The Code
===========


http://aluigi.org/testz/udpsz.zip
http://www.exploit-db.com/sploits/17844-1.zip

Only a simple scanner:
  udpsz -d 2 -c "xx%"       -b a -X 0 16 l 0x6161 -T -l 0 SERVER 11234 0x2000
  udpsz -d 2 -c "xx%test\t" -b a -X 0 16 l 0x6161 -T -l 0 SERVER 11234 0x2000
  udpsz -d 2 -c "xx%test,"  -b a -X 0 16 l 0x6161 -T -l 0 SERVER 11234 0x2000

http://aluigi.org/poc/scadapro_1.zip
http://www.exploit-db.com/sploits/17844-2.zip

  nc SERVER 11234 < scadapro_1b.dat     ; read c:\boot.ini
  nc SERVER 11234 < scadapro_1c.dat     ; create c:\evil_file.txt
  nc SERVER 11234 < scadapro_1d.dat     ; delete c:\valid_file.txt
  nc SERVER 11234 < scadapro_1e.dat     ; execute notepad


#######################################################################

======
4) Fix
======


No fix.


#######################################################################