#######################################################################

                             Luigi Auriemma

Application:  IGSS (Interactive Graphical SCADA System)
              http://www.igss.com
              http://www.7t.dk
Versions:     IGSSdataServer.exe <= 9.00.00.11063
Platforms:    Windows
Bug:          stack overflow
Exploitation: remote, versus server
Date:         21 Mar 2011 (found 10 Jan 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


IGSS (Interactive Graphical SCADA System) is a SCADA solution developed
by 7-Technologies (7T) and used mainly in Denmark and the US.

Information from the vendor's website:
"IGSS is the complete automation software - a SCADA system for process
control and supervision - with a long row of releases since the start
of 7T 25 years ago.
At that time, 7T was the first company in the world to develop an
object oriented and mouse operated SCADA system under the name of
IGSS."


#######################################################################

======
2) Bug
======


IGSSdataServer.exe is a server listening on TCP port 12401; it is active
whenever the project is started.

Opcode 0x7 handles the RMS report templates. Through its "ReadFile" (0x6)
and "Write File" (0x5) commands it is possible to trigger a stack-based
buffer overflow: the template name taken from the request is formatted
into a full path with sprintf, and the destination is a 256-byte buffer
on the stack of the caller function, with no check on the length of the
name:

  0040F840  /$  8B4424 04          MOV EAX,DWORD PTR SS:[ESP+4]
  0040F844  |.  50                 PUSH EAX
  0040F845  |.  83C1 04            ADD ECX,4
  0040F848  |.  51                 PUSH ECX
  0040F849  |.  8B4C24 10          MOV ECX,DWORD PTR SS:[ESP+10]
  0040F84D  |.  68 54A54300        PUSH 0043A554                ; "%s\%s.RMS"
  0040F852  |.  51                 PUSH ECX
  0040F853  |.  E8 120F0100        CALL 0042076A                ; sprintf
  0040F858  |.  83C4 10            ADD ESP,10
  0040F85B  \.  C2 0800            RETN 8
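The following C is an added example, not code from the advisory or from
the IGSS product, showing the shape of the bug in the listing above next
to a bounded replacement. It assumes that the first "%s" is a fixed
template directory and the second is the name received from the client;
the function names, the sample directory and the 300-byte name are
constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define RMS_PATH_MAX 256   /* size of the caller's stack buffer in the advisory */

/* Vulnerable pattern as described in the advisory: the name from the
 * request is formatted into a fixed 256-byte buffer with sprintf and no
 * length check. The format string in the binary is "%s\%s.RMS"; the
 * backslash is doubled here only because this is C source. Never call
 * this with untrusted input; it is here only to show the bug. */
void build_rms_path_unsafe(char *out /* RMS_PATH_MAX bytes */,
                           const char *dir, const char *name)
{
    sprintf(out, "%s\\%s.RMS", dir, name); /* overflows when the result is >= 256 bytes */
}

/* Bytes the formatted path needs, terminating NUL included:
 * dir + '\' + name + ".RMS" + NUL. */
size_t rms_path_needed(const char *dir, const char *name)
{
    return strlen(dir) + 1 + strlen(name) + 4 + 1;
}

/* Hardened form: bounded formatting with an explicit truncation check,
 * plus rejection of separators and ".." in the name so the path cannot
 * escape the template directory.
 * Returns 0 on success, -1 for an invalid name, -2 if it does not fit. */
int build_rms_path(char *out, size_t outsz, const char *dir, const char *name)
{
    if (name[0] == '\0' || strpbrk(name, "\\/:") || strstr(name, ".."))
        return -1;
    int n = snprintf(out, outsz, "%s\\%s.RMS", dir, name);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz)
            out[0] = '\0';  /* never hand back a truncated path */
        return -2;
    }
    return 0;
}

int main(void)
{
    const char *dir = "C:\\IGSS\\RMS";     /* constructed sample directory */
    char path[RMS_PATH_MAX];
    char longname[300];                     /* constructed over-long template name */
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    if (build_rms_path(path, sizeof path, dir, "daily") == 0)
        printf("ok: %s\n", path);
    printf("long name needs %zu bytes, buffer is %d\n",
           rms_path_needed(dir, longname), RMS_PATH_MAX);
    printf("hardened result for long name: %d\n",
           build_rms_path(path, sizeof path, dir, longname));
    return 0;
}
```

The unsafe variant is the one the listing above implements: the caller
reserves 256 bytes and sprintf writes however much the two strings need.
The bounded variant fails closed on a name that would not fit instead of
writing past the buffer.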


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/igss_4.zip

Proof-of-concept via "ReadFile":
  nc SERVER 12401 < igss_4a.dat

Proof-of-concept via "Write File":
  nc SERVER 12401 < igss_4b.dat


#######################################################################

======
4) Fix
======


No fix.


#######################################################################
