#######################################################################

                             Luigi Auriemma

Application:  IGSS (Interactive Graphical SCADA System)
              http://www.igss.com
              http://www.7t.dk
Versions:     IGSSdataServer.exe <= 9.00.00.11063
Platforms:    Windows
Bug:          stack overflow
Exploitation: remote, versus server
Date:         21 Mar 2011 (found 10 Jan 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


IGSS (Interactive Graphical SCADA system) is a SCADA solution developed
by 7-Technologies and used mainly in Denmark and the US.

Information from the vendor's website:
"IGSS is the complete automation software - a SCADA system for process
control and supervision - with a long row of releases since the start
of 7T 25 years ago.
At that time, 7T was the first company in the world to develop an
object oriented and mouse operated SCADA system under the name of
IGSS."


#######################################################################

======
2) Bug
======


IGSSdataServer.exe is a server listening on port 12401; it is active
when the project is started.

Opcode 0x7 handles the RMS report templates, and through its "Add"
command (0x4) it is possible to trigger several buffer overflows caused
by the copying of client-supplied strings into small stack buffers:

  00409B4F   .  8D46 04       LEA EAX,DWORD PTR DS:[ESI+4]  ; string from offset 0x16 of the packet
  00409B52   .  8D5424 1A     LEA EDX,DWORD PTR SS:[ESP+1A]
  00409B56   .  83C4 0C       ADD ESP,0C
  00409B59   .  2BD0          SUB EDX,EAX
  00409B5B   .  EB 03         JMP SHORT 00409B60
  00409B5D      8D49 00       LEA ECX,DWORD PTR DS:[ECX]
  00409B60   >  8A08          MOV CL,BYTE PTR DS:[EAX]
  00409B62   .  880C02        MOV BYTE PTR DS:[EDX+EAX],CL
  00409B65   .  40            INC EAX
  00409B66   .  84C9          TEST CL,CL
  00409B68   .^ 75 F6         JNZ SHORT 00409B60
  00409B6A   .  8A46 71       MOV AL,BYTE PTR DS:[ESI+71]
  00409B6D   .  884424 0D     MOV BYTE PTR SS:[ESP+D],AL
  00409B71   .  8D46 2C       LEA EAX,DWORD PTR DS:[ESI+2C] ; from offset 0x3e
  00409B74   .  8D5424 36     LEA EDX,DWORD PTR SS:[ESP+36]
  00409B78   .  2BD0          SUB EDX,EAX
  00409B7A   .  8D9B 00000000 LEA EBX,DWORD PTR DS:[EBX]
  00409B80   >  8A08          MOV CL,BYTE PTR DS:[EAX]
  00409B82   .  880C02        MOV BYTE PTR DS:[EDX+EAX],CL
  00409B85   .  40            INC EAX
  00409B86   .  84C9          TEST CL,CL
  00409B88   .^ 75 F6         JNZ SHORT 00409B80
  00409B8A   .  8D46 6C       LEA EAX,DWORD PTR DS:[ESI+6C] ; from offset 0x7e
  00409B8D   .  8D5424 76     LEA EDX,DWORD PTR SS:[ESP+76]
  00409B91   .  2BD0          SUB EDX,EAX
  00409B93   >  8A08          MOV CL,BYTE PTR DS:[EAX]
  00409B95   .  880C02        MOV BYTE PTR DS:[EDX+EAX],CL
  00409B98   .  40            INC EAX
  00409B99   .  84C9          TEST CL,CL
  00409B9B   .^ 75 F6         JNZ SHORT 00409B93
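
Added example (not from the advisory and not code from IGSS or
7-Technologies): the copy loop above reconstructed in C next to a
length-checked replacement, plus a validator for the three string fields
of the Add request. The field offsets 0x16, 0x3e and 0x7e are taken from
the disassembly; the destination buffer sizes (28, 64, 64 bytes), the
0x100-byte sample packet and all function names are assumptions chosen
for illustration.

```c
/* Added example, not code from the advisory or from IGSS/7-Technologies.
 * Offsets 0x16, 0x3e, 0x7e are from the disassembly; every size below is an
 * assumption chosen for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The pattern at 00409B60: copy bytes until the NUL, never looking at the
 * size of dst. A client string longer than dst overwrites the stack
 * beyond it. */
void unbounded_copy(char *dst, const char *src)
{
    char c;
    do {
        c = *src++;
        *dst++ = c;
    } while (c != '\0');
}

/* Hardened form: copy only a NUL-terminated string that lies entirely
 * inside the src_avail bytes of the packet and fits dst together with its
 * terminator. Returns the string length, or -1 when the request should be
 * rejected. Rejecting beats silent truncation: a truncated template name
 * would be stored under a name the client never sent. */
int bounded_copy(char *dst, size_t dst_size, const char *src, size_t src_avail)
{
    const char *nul = memchr(src, '\0', src_avail);
    if (nul == NULL)
        return -1;                     /* no terminator inside the field */
    size_t len = (size_t)(nul - src);
    if (len + 1 > dst_size)
        return -1;                     /* would overflow dst */
    memcpy(dst, src, len + 1);
    return (int)len;
}

/* String fields of the opcode 0x7 / command 0x4 request: packet offset and
 * the size of the stack buffer each is copied into (sizes assumed). */
struct str_field {
    size_t offset;
    size_t dst_size;
};

static const struct str_field rms_add_fields[] = {
    { 0x16, 28 },
    { 0x3e, 64 },
    { 0x7e, 64 },
};

#define MAX_DST_SIZE 64

/* Check every string field before the server copies anything. Returns 0
 * when all fields fit, otherwise the 1-based index of the first field that
 * is unterminated, too long, or beyond the end of the packet. */
int validate_rms_add(const uint8_t *pkt, size_t pkt_len)
{
    char scratch[MAX_DST_SIZE];
    size_t n = sizeof rms_add_fields / sizeof rms_add_fields[0];
    for (size_t i = 0; i < n; i++) {
        const struct str_field *f = &rms_add_fields[i];
        if (f->offset >= pkt_len)
            return (int)i + 1;         /* packet too short for this field */
        if (bounded_copy(scratch, f->dst_size,
                         (const char *)pkt + f->offset,
                         pkt_len - f->offset) < 0)
            return (int)i + 1;
    }
    return 0;
}

#define SAMPLE_LEN 0x100

/* Constructed sample request: a zeroed SAMPLE_LEN-byte packet carrying a
 * template name of name_len 'A' bytes at offset 0x16 (no NUL is written
 * when the name runs to the end of the packet). Returns the validator's
 * verdict so the cases can be compared. */
int check_sample(size_t name_len)
{
    uint8_t pkt[SAMPLE_LEN];
    memset(pkt, 0, sizeof pkt);
    if (name_len > SAMPLE_LEN - 0x16)
        name_len = SAMPLE_LEN - 0x16;
    memset(pkt + 0x16, 'A', name_len);
    return validate_rms_add(pkt, sizeof pkt);
}

int main(void)
{
    char name[28];
    unbounded_copy(name, "report1");  /* safe only because the source is short */
    printf("unbounded copy of a short name: %s\n", name);
    printf("27-byte name: %d (0 = accepted)\n", check_sample(27));
    printf("28-byte name: %d (1 = rejected at field 1)\n", check_sample(28));
    printf("name with no terminator: %d\n", check_sample(SAMPLE_LEN));
    return 0;
}
```

The validator is the kind of check the server lacks before the copies at
00409B60: the request is rejected when any field is unterminated or
longer than its destination, and nothing is copied until all three have
passed.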


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/igss_3.zip

  nc SERVER 12401 < igss_3.dat


#######################################################################

======
4) Fix
======


No fix.


#######################################################################
