TECO AP-PCLINK 1.094 TPC File Handling Buffer Overflow Vulnerability

2015-11-15T00:00:00
ID ZSL-2015-5278
Type zeroscience
Reporter Gjoko Krstic
Modified 2015-11-15T00:00:00

Description

Title: TECO AP-PCLINK 1.094 TPC File Handling Buffer Overflow Vulnerability
Advisory ID: ZSL-2015-5278
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 15.11.2015

Summary

AP-PCLINK is the supportive software for TP03 or AP series, providing three edit modes as LADDER, IL, FBDand SFC, by which programs can be input rapidly and correctly. Every form written into the TP03 or AP series and AP-PCLINK can be monitored in the form of the data.

Description

The vulnerability is caused due to a boundary error in the processing of a project file, which can be exploited to cause a buffer overflow when a user opens e.g. a specially crafted .TPC file. Successful exploitation could allow execution of arbitrary code on the affected machine.

--------------------------------------------------------------------------------

Critical error detected c0000374 (1950.ff0): Break instruction exception - code 80000003 (first chance) eax=00000000 ebx=00000000 ecx=76f70b42 edx=0018d98d esi=00360000 edi=41414141 eip=76fce725 esp=0018dbe0 ebp=0018dc58 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202 ntdll!RtlpNtEnumerateSubKey+0x1af8: 76fce725 cc int 3
--------------------------------------------------------------------------------

Vendor

TECO Electric and Machinery Co., Ltd. - <http://www.teco-group.eu>

Affected Version

1.094

Tested On

Microsoft Windows 7 Professional SP1 (EN) 64bit
Microsoft Windows 7 Ultimate SP1 (EN) 64bit

Vendor Status

[09.10.2015] Vulnerability discovered.
[15.10.2015] Contact with the vendor.
[14.11.2015] No response from the vendor.
[15.11.2015] Public security advisory released.

PoC

aptpc.txt
aptpc-5278.zip

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <https://www.exploit-db.com/exploits/38703/>
[2] <https://cxsecurity.com/issue/WLB-2015110113>
[3] <https://packetstormsecurity.com/files/134387>
[4] <https://exchange.xforce.ibmcloud.com/vulnerabilities/108086>

Changelog

[15.11.2015] - Initial release
[17.11.2015] - Added reference [1], [2] and [3]
[18.11.2015] - Added reference [4]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

                                        
                                            #!/usr/bin/perl
#
#
# TECO AP-PCLINK 1.094 TPC File Handling Buffer Overflow Vulnerability
#
#
# Vendor: TECO Electric and Machinery Co., Ltd.
# Product web page: http://www.teco-group.eu
# Download: http://globalsa.teco.com.tw/support_download.aspx?KindID=9
# Affected version: 1.094
#
# Summary: AP-PCLINK is the supportive software for TP03 or AP series, providing
# three edit modes as LADDER, IL, FBDand SFC, by which programs can be input rapidly
# and correctly. Every form written into the TP03 or AP series and AP-PCLINK can
# be monitored in the form of the data.
#
# Desc: The vulnerability is caused due to a boundary error in the processing
# of a project file, which can be exploited to cause a buffer overflow when a
# user opens e.g. a specially crafted .TPC file. Successful exploitation could
# allow execution of arbitrary code on the affected machine.
#
# ---------------------------------------------------------------------------------
# Critical error detected c0000374
# (1950.ff0): Break instruction exception - code 80000003 (first chance)
# eax=00000000 ebx=00000000 ecx=76f70b42 edx=0018d98d esi=00360000 edi=41414141
# eip=76fce725 esp=0018dbe0 ebp=0018dc58 iopl=0         nv up ei pl nz na po nc
# cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
# ntdll!RtlpNtEnumerateSubKey+0x1af8:
# 76fce725 cc              int     3
# ---------------------------------------------------------------------------------
#
# Tested on: Microsoft Windows 7 Professional SP1 (EN) 64bit
#            Microsoft Windows 7 Ultimate SP1 (EN) 64bit
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2015-5278
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5278.php
#
#
# 09.10.2015
#


PoC:

- http://zeroscience.mk/codes/aptpc-5278.zip