zeroscience | Gjoko Krstic | ZSL-2016-5309
History: Feb 29, 2016 - 12:00 a.m.

Crouzet em4 soft 1.1.04 Integer Division By Zero

Title: Crouzet em4 soft 1.1.04 Integer Division By Zero
Advisory ID: ZSL-2016-5309
Type: Local/Remote
Impact: DoS
Risk: (1/5)
Release Date: 29.02.2016

Summary

em4 is more than just a nano-PLC. It is a leading edge device supported by best-in-class tools that enables you to create and implement the smartest automation applications.

Description

em4 soft suffers from a division by zero when handling Crouzet Logic Software Document '.pm4' files, resulting in a denial of service vulnerability and possibly loss of data.

--------------------------------------------------------------------------------

(187c.1534): Integer divide-by-zero - code c0000094 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for image013b0000
*** ERROR: Module load completed but symbols could not be loaded for image013b0000
eax=00000000 ebx=00000000 ecx=55c37c10 edx=00000000 esi=0105b13c edi=0110bb18
eip=013ea575 esp=0064d8b8 ebp=0064d8f4 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210206
image013b0000+0x3a575:
013ea575 f7bf18010000    idiv    eax,dword ptr [edi+118h] ds:002b:0110bc30=00000000
0:000> u
image013b0000+0x3a575:
013ea575 f7bf18010000    idiv    eax,dword ptr [edi+118h]
013ea57b 8d4de0          lea     ecx,[ebp-20h]
013ea57e c745fc00000000  mov     dword ptr [ebp-4],0
013ea585 50              push    eax
013ea586 6808505b01      push    offset image013b0000+0x205008 (015b5008)
013ea58b 51              push    ecx
013ea58c ff15b0575a01    call    dword ptr [image013b0000+0x1f57b0 (015a57b0)]
013ea592 8b870c010000    mov     eax,dword ptr [edi+10Ch]
--------------------------------------------------------------------------------
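The crash above is a divisor read from a file-controlled structure field (at [edi+118h]) reaching idiv with the value 0. The following C snippet is an added illustration, not the vendor's code: the .pm4 record layout and the DIVISOR_OFFSET constant are a constructed stand-in, since the advisory does not document the real format. It places the unguarded pattern beside a guarded parser that rejects both inputs idiv traps on, a zero divisor and INT_MIN / -1.

```c
#include <stdint.h>
#include <stddef.h>
#include <limits.h>

/* Constructed stand-in for a file record: the real .pm4 layout is not
 * documented in the advisory; only the offset of a divisor field matters here. */
#define DIVISOR_OFFSET 0x118
#define RECORD_SIZE    0x120

typedef enum { PM4_OK = 0, PM4_TRUNCATED = 1, PM4_BAD_DIVISOR = 2 } pm4_status;

/* Little-endian 32-bit read; the caller is responsible for bounds. */
static int32_t read_le32(const uint8_t *p) {
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 |
                     (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}

/* Unguarded pattern, as in the crash: the divisor comes straight from the file.
 * A zero field executes an integer divide by zero (exception c0000094). */
int32_t scale_unchecked(const uint8_t *rec, int32_t value) {
    int32_t divisor = read_le32(rec + DIVISOR_OFFSET);
    return value / divisor;   /* undefined behaviour when divisor == 0 */
}

/* Guarded pattern: validate record length and divisor before dividing.
 * idiv faults on two inputs: divisor 0, and INT_MIN / -1 (quotient overflow). */
pm4_status scale_checked(const uint8_t *rec, size_t len, int32_t value, int32_t *out) {
    if (len < RECORD_SIZE)
        return PM4_TRUNCATED;
    int32_t divisor = read_le32(rec + DIVISOR_OFFSET);
    if (divisor == 0 || (divisor == -1 && value == INT_MIN))
        return PM4_BAD_DIVISOR;
    *out = value / divisor;
    return PM4_OK;
}

/* Build a constructed record with the given divisor; every other byte is zero. */
void make_record(uint8_t *rec, int32_t divisor) {
    for (size_t i = 0; i < RECORD_SIZE; i++) rec[i] = 0;
    uint32_t u = (uint32_t)divisor;
    rec[DIVISOR_OFFSET + 0] = (uint8_t)(u);
    rec[DIVISOR_OFFSET + 1] = (uint8_t)(u >> 8);
    rec[DIVISOR_OFFSET + 2] = (uint8_t)(u >> 16);
    rec[DIVISOR_OFFSET + 3] = (uint8_t)(u >> 24);
}
```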

Vendor

Crouzet Automatismes SAS - <http://www.crouzet-automation.com>

Affected Version

1.1.04 and 1.1.03.01

Tested On

Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)

Vendor Status

[25.01.2016] Vulnerability discovered.
[03.02.2016] Vendor contacted.
[28.02.2016] No response from the vendor.
[29.02.2016] Public security advisory released.

PoC

crouzet_em4_dividezero.txt
poc5309.pm4.zip

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>

References

[1] <https://cxsecurity.com/issue/WLB-2016030013>
[2] <https://packetstormsecurity.com/files/136020>
[3] <https://www.exploit-db.com/exploits/39509/>
[4] <https://exchange.xforce.ibmcloud.com/vulnerabilities/111163>

Changelog

[29.02.2016] - Initial release
[01.03.2016] - Added reference [1], [2] and [3]
[03.03.2016] - Added reference [4]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: [email protected]

Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5309.php
PoC: http://zeroscience.mk/codes/poc5309.pm4.zip