209 lines
No EOL
6.2 KiB
Text
209 lines
No EOL
6.2 KiB
Text
Sources:
|
|
http://aluigi.org/adv/factorylink_1-adv.txt
|
|
http://aluigi.org/adv/factorylink_2-adv.txt
|
|
http://aluigi.org/adv/factorylink_3-adv.txt
|
|
http://aluigi.org/adv/factorylink_4-adv.txt
|
|
http://aluigi.org/adv/factorylink_5-adv.txt
|
|
http://aluigi.org/adv/factorylink_6-adv.txt
|
|
|
|
Advisory Archive: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17022-1.tar.gz (siemens_factory_link_adv.tar.gz)
|
|
PoC Archive: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17022-2.tar.gz (siemens_factory_link_poc.tar.gz)
|
|
|
|
#######################################################################
|
|
|
|
Luigi Auriemma
|
|
|
|
Application: Siemens Tecnomatix FactoryLink
|
|
http://www.usdata.com/sea/FactoryLink/en/p_nav1.html
|
|
http://www.plm.automation.siemens.com/en_us/products/tecnomatix/production_management/factorylink/index.shtml
|
|
Versions: <= 8.0.1.1473
|
|
Date: 21 Mar 2011 (found 02 Jan 2011)
|
|
Author: Luigi Auriemma
|
|
e-mail: aluigi@autistici.org
|
|
web: aluigi.org
|
|
#######################################################################
|
|
|
|
===============
|
|
Introduction
|
|
===============
|
|
|
|
From vendor's website:
|
|
"Siemens FactoryLink monitors, supervises, and controls industrial
|
|
processes by enabling customers to perfect their processes and
|
|
products. Built on an advanced open architecture, FactoryLink delivers
|
|
the highest performance and flexibility to customers building vertical
|
|
applications in a wide range of industries.
|
|
Highly scaleable, FactoryLink can be used to build virtually any size
|
|
application, from the simplest Human-Machine Interface (HMI) systems to
|
|
the most complex and demanding Supervisory Control and Data Acquisition
|
|
(SCADA) systems."
|
|
|
|
Remote Stack Overflow:
|
|
|
|
======
|
|
Bug
|
|
======
|
|
CSService is a Windows service listening on port 7580.
|
|
|
|
The logging function is vulnerable to a buffer-overflow caused by the
|
|
usage of vsprintf with a stack buffer of 1024 bytes.
|
|
The vulnerability can be exploited from remote in various ways like the
|
|
passing of a big path or filter string in the file related operations
|
|
(opcodes 6, 8 and 10).
|
|
|
|
===========
|
|
The Code
|
|
===========
|
|
|
|
|
|
http://aluigi.org/poc/factorylink_x.zip
|
|
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17022-x.zip (factorylink_x.zip)
|
|
|
|
factorylink_x 3 SERVER
|
|
|
|
#######################################################################
|
|
|
|
Arbitrary Files Reading and Listing:
|
|
|
|
======
|
|
Bug
|
|
======
|
|
|
|
CSService is a Windows service listening on port 7580.
|
|
|
|
All the file operations used by the service (opcodes 6, 8 and 10) allow
|
|
to specify arbitrary files and directories (absolute paths) and it's
|
|
possible for an attacker to download any remote file on the server.
|
|
Obviously it's possible also to specify directory traversal paths.
|
|
|
|
#######################################################################
|
|
|
|
===========
|
|
The Code
|
|
===========
|
|
|
|
|
|
http://aluigi.org/poc/factorylink_x.zip
|
|
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17022-x.zip (factorylink_x.zip)
|
|
|
|
for downloading c:\boot.ini
|
|
factorylink_x 4 SERVER
|
|
|
|
for viewing the list of files in c:\
|
|
factorylink_x 5 SERVER
|
|
|
|
#######################################################################
|
|
|
|
Remote Memory Corruption:
|
|
|
|
======
|
|
Bug
|
|
======
|
|
|
|
vrn.exe is a server listening on port 7579 when a project is started.
|
|
|
|
There is a particular function used to parse the text fields located in
|
|
the strings of the opcode 10.
|
|
It copies the string delimited by a ';' or a space in the stack buffer
|
|
provided by the callee function causing a stack overflow that allows a
|
|
certain control on the code flow (for example the changing of the lower
|
|
8bit of the return address or another exception).
|
|
|
|
#######################################################################
|
|
|
|
===========
|
|
The Code
|
|
===========
|
|
|
|
http://aluigi.org/poc/factorylink_3.zip
|
|
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17022-3.zip (factorylink_3.zip)
|
|
|
|
nc SERVER 7579 < factorylink_3.dat
|
|
|
|
#######################################################################
|
|
|
|
Remote Stack Overflow:
|
|
|
|
======
|
|
Bug
|
|
======
|
|
|
|
|
|
vrn.exe is a server listening on port 7579 when a project is started.
|
|
|
|
There is a particular function used to parse the text fields located in
|
|
the strings of the opcode 9.
|
|
It copies the string delimited by a ';' or a space in the stack buffer
|
|
provided by the callee function causing a classical stack overflow.
|
|
|
|
#######################################################################
|
|
|
|
===========
|
|
The Code
|
|
===========
|
|
|
|
http://aluigi.org/poc/factorylink_4.zip
|
|
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17022-4.zip (factorylink_4.zip)
|
|
|
|
nc SERVER 7579 < factorylink_4.dat
|
|
|
|
#######################################################################
|
|
|
|
Arbitrary File Download:
|
|
|
|
======
|
|
Bug
|
|
======
|
|
|
|
vrn.exe is a server listening on port 7579 when a project is started.
|
|
|
|
The opcode 8 can be used to download any arbitrary file on the system
|
|
by specifiying the full path (UNC too) or directory traversal.
|
|
|
|
#######################################################################
|
|
|
|
===========
|
|
The Code
|
|
===========
|
|
|
|
http://aluigi.org/poc/factorylink_5.zip
|
|
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17022-5.zip (factorylink_5.zip)
|
|
|
|
download c:\boot.ini
|
|
nc SERVER 7579 < factorylink_5.dat
|
|
|
|
#######################################################################
|
|
|
|
======
|
|
Bug
|
|
======
|
|
|
|
CSService, connsrv and datasrv are various Windows services.
|
|
|
|
All these services are vulneable to some Denial of Service
|
|
vulnerabilities that allow to crash them due to NULL pointer
|
|
dereferences, stack exaustions and raised exceptions.
|
|
|
|
#######################################################################
|
|
|
|
===========
|
|
The Code
|
|
===========
|
|
|
|
http://aluigi.org/poc/factorylink_x.zip
|
|
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17022-x.zip (factorylink_x.zip)
|
|
|
|
factorylink_x 1 SERVER
|
|
factorylink_x 2 SERVER
|
|
factorylink_x 6 SERVER
|
|
factorylink_x 7 SERVER
|
|
|
|
#######################################################################
|
|
|
|
======
|
|
Fix
|
|
======
|
|
|
|
No fix.
|
|
|
|
####################################################################### |