#######################################################################

                             Luigi Auriemma

Application:  IGSS (Interactive Graphical SCADA System)
              http://www.igss.com
              http://www.7t.dk
Versions:     IGSSdataServer.exe <= 9.00.00.11063
Platforms:    Windows
Bug:          multiple stack overflows
Exploitation: remote, versus server
Date:         21 Mar 2011 (found 10 Jan 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


IGSS (Interactive Graphical SCADA System) is a SCADA solution developed
by 7-Technologies and used mainly in Denmark and the US.

Information from the vendor's website:
"IGSS is the complete automation software - a SCADA system for process
control and supervision - with a long row of releases since the start
of 7T 25 years ago.
At that time, 7T was the first company in the world to develop an
object oriented and mouse operated SCADA system under the name of
IGSS."


#######################################################################

======
2) Bug
======


IGSSdataServer.exe is a server listening on port 12401; it is active
when the project is started.

The opcode 0xd is used for the file operations that cover creation,
reading, writing, deleting, renaming and so on.

All the commands supported by this opcode except "FileReserve" (0x7)
are affected by distinct buffer overflow vulnerabilities, each caused by
copying the filename provided by the client into a stack buffer of 256
bytes without checking its length.

The following is the list of the copying functions for each command
(I don't remember the exact version from which I got them):

  "ListAll" (0x1)       00406e91
  "Write File" (0x2)    004071dd
  "ReadFile" (0x3)      004072fd
  "Delete" (0x4)        00406fad
  "RenameFile" (0x5)    00407094 and 004070cf
  "FileInfo" (0x6)      0040746f
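
The following is an added example, not IGSS code: a hardened handler for
the opcode 0xd file commands listed above, in which the client-supplied
filename is bounds-checked once before any command copies it into its
256-byte stack buffer. The command numbers and buffer size are the
advisory's; the handler structure and function names are assumed.

```c
/* Added example (not IGSS code). The bug pattern on this page is a
 * client-supplied filename copied unchecked into a 256-byte stack
 * buffer; below is the bounded alternative. Command numbers are the
 * advisory's, the dispatcher structure is an assumption. */
#include <stdio.h>
#include <string.h>

#define NAME_BUF 256   /* stack buffer size named in the advisory */

enum file_cmd { CMD_LISTALL = 1, CMD_WRITE = 2, CMD_READ = 3, CMD_DELETE = 4,
                CMD_RENAME = 5, CMD_FILEINFO = 6, CMD_RESERVE = 7 };

/* Unsafe pattern (do not use): strcpy(buf, client_name) with no length
 * check lets a name of 256 bytes or more overrun buf and the saved
 * return address. Shown here only as a comment. */

/* Hardened copy: succeed only if src plus its terminator fits in dst.
 * Returns 0 on success, -1 if the name is rejected. */
int copy_filename(char *dst, size_t dst_len, const char *src, size_t src_len)
{
    if (src == NULL || dst_len == 0 || src_len >= dst_len)
        return -1;                        /* would not fit with the NUL */
    if (memchr(src, '\0', src_len) != NULL)
        return -1;                        /* embedded NUL: malformed name */
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return 0;
}

/* Dispatcher for opcode 0xd: every command that uses the filename
 * validates it once here. Returns 0 if accepted, -1 if rejected. */
int handle_file_op(int cmd, const char *name, size_t name_len)
{
    char buf[NAME_BUF];

    switch (cmd) {
    case CMD_LISTALL: case CMD_WRITE: case CMD_READ:
    case CMD_DELETE: case CMD_RENAME: case CMD_FILEINFO:
        if (copy_filename(buf, sizeof buf, name, name_len) != 0)
            return -1;
        printf("cmd 0x%x accepted for '%s'\n", cmd, buf);
        return 0;
    case CMD_RESERVE:
        return 0;   /* reported by the advisory as not affected */
    default:
        return -1;  /* unknown command */
    }
}

/* Test helper: submit a constructed name of n 'A' bytes to a command. */
int try_name_of_length(int cmd, size_t n)
{
    char name[1024];
    if (n >= sizeof name) return -1;
    memset(name, 'A', n);
    return handle_file_op(cmd, name, n);
}
```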


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/igss_2.zip

  nc SERVER 12401 < igss_2a.dat
  nc SERVER 12401 < igss_2b.dat
  nc SERVER 12401 < igss_2c.dat
  nc SERVER 12401 < igss_2d.dat
  nc SERVER 12401 < igss_2e.dat
  nc SERVER 12401 < igss_2f.dat


#######################################################################

======
4) Fix
======


No fix.


#######################################################################
