Vulnerabilities in some SCADA server softwares

Type securityvulns
Reporter Securityvulns
Modified 2011-03-25T00:00:00


The following are almost all the vulnerabilities I found for a quick experiment some months ago in certain well known server-side SCADA softwares still vulnerable in this moment.

In case someone doesn't know SCADA (like me before the tests): it's just one or more softwares (usually a core, a graphical part and a database) that allow people to monitor and control the various hardware sensors and mechanisms located in industrial environments like nuclear plants, refineries, gas pipelines, airports and other less and more critical fields that go from the energy to the public infrastructures and obviously also the small "normal" industries.

In technical terms the SCADA software is just the same as any other software used everyday, so with inputs (in this case they are servers so the input is the TCP/IP network) and vulnerabilities: stack and heap overflows, integer overflows, arbitrary commands execution, format strings, double and arbitrary memory frees, memory corruptions, directory traversals, design problems and various other bugs.

Full-disclosure advisories and proof-of-concepts:

Siemens Tecnomatix FactoryLink: (DoS only)

Iconics GENESIS32 and GENESIS64:

7-Technologies IGSS (Interactive Graphical SCADA System):

DATAC RealWin:

Luigi Auriemma