#######################################################################

                             Luigi Auriemma

Application:  IGSS (Interactive Graphical SCADA System)
              http://www.igss.com
              http://www.7t.dk
Versions:     IGSSdataServer.exe <= 9.00.00.11063
Platforms:    Windows
Bug:          stack overflow
Exploitation: remote, versus server
Date:         21 Mar 2011 (found 10 Jan 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


IGSS (Interactive Graphical SCADA System) is a SCADA solution developed
by 7-Technologies (7T) and used mainly in Denmark and the US.

Information from the vendor's website:
"IGSS is the complete automation software - a SCADA system for process
control and supervision - with a long row of releases since the start
of 7T 25 years ago.
At that time, 7T was the first company in the world to develop an
object oriented and mouse operated SCADA system under the name of
IGSS."


#######################################################################

======
2) Bug
======


IGSSdataServer.exe is a service that listens on TCP port 12401 and is
active whenever a project is started.

Opcode 0x8 handles the STDREP requests. Its command 0x4 builds an SQL
query with sprintf() into a 256-byte stack buffer, and the string taken
from the packet (the RMSref value) is copied into it without any length
check, so an overlong value overflows the stack:

  0040A4B5   .  8B46 04       MOV EAX,DWORD PTR DS:[ESI+4]
  0040A4B8   .  8B48 16       MOV ECX,DWORD PTR DS:[EAX+16]
  0040A4BB   .  51            PUSH ECX
  0040A4BC   .  83C0 1A       ADD EAX,1A
  0040A4BF   .  50            PUSH EAX
  0040A4C0   .  68 7C984300   PUSH 0043987C     ; "UPDATE ReportFormats SET RMSref={%s} WHERE (FormatID=%d)"
  0040A4C5   .  8BD7          MOV EDX,EDI
  0040A4C7   .  52            PUSH EDX
  0040A4C8   .  E8 9D620100   CALL 0042076A     ; sprintf

The string argument comes from offset 0x1A of the message and the
FormatID integer from offset 0x16 (OllyDbg prints displacements in hex).
Note that it is not clear whether this vulnerability is exploitable for
code execution; only the crash has been verified.
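The following C program is an added illustration and is not the vendor's
code nor part of the original advisory: it reconstructs the sprintf()
call from the disassembly above beside a bounded replacement, and works
out how long an RMSref value has to be before the 256-byte buffer is
exceeded. The field offsets (FormatID at 0x16, RMSref at 0x1A) are read
from the listing; the outer framing (opcode 0x8, command 0x4, any length
prefix) is not known from the advisory and is not modeled, so the
messages built by make_cmd4_msg() are constructed for this example only.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Size of the stack buffer used by IGSSdataServer.exe, per the advisory. */
#define QUERY_BUF_SIZE 256

/* Format string from the disassembly (string at 0043987C). */
static const char kUpdateFmt[] =
    "UPDATE ReportFormats SET RMSref={%s} WHERE (FormatID=%d)";

/* Offsets read from the listing: [EAX+0x16] -> FormatID, EAX+0x1A -> RMSref.
 * Everything before 0x16 is an assumed, unmodeled header. */
#define OFF_FORMAT_ID 0x16
#define OFF_RMSREF    0x1A

/* Length the formatted query would have, excluding the terminating NUL. */
size_t query_len(const char *rmsref, int format_id)
{
    int n = snprintf(NULL, 0, kUpdateFmt, rmsref, format_id);
    return n < 0 ? 0 : (size_t)n;
}

/* Vulnerable pattern as seen in the server: unbounded sprintf() into a
 * fixed 256-byte buffer. With a one-digit FormatID this overflows as soon
 * as strlen(rmsref) > 202 (52 fixed characters + 1 digit + NUL = 54). */
void build_query_unsafe(char out[QUERY_BUF_SIZE], const char *rmsref, int format_id)
{
    sprintf(out, kUpdateFmt, rmsref, format_id);
}

/* Hardened form: bounded write, truncation treated as an error. */
int build_query_safe(char *out, size_t out_size, const char *rmsref, int format_id)
{
    int n = snprintf(out, out_size, kUpdateFmt, rmsref, format_id);
    if (n < 0 || (size_t)n >= out_size) {
        if (out_size) out[0] = '\0';
        return -1;                       /* would not fit: reject the request */
    }
    return 0;
}

/* Constructed test message (hypothetical framing): zeroed header, little-endian
 * FormatID at 0x16, NUL-terminated RMSref at 0x1A. Returns the message length. */
size_t make_cmd4_msg(uint8_t *buf, size_t cap, int format_id, const char *rmsref)
{
    size_t slen = strlen(rmsref);
    int32_t id = format_id;
    if (cap < OFF_RMSREF + slen + 1) return 0;
    memset(buf, 0, OFF_RMSREF);
    memcpy(buf + OFF_FORMAT_ID, &id, sizeof id);
    memcpy(buf + OFF_RMSREF, rmsref, slen + 1);
    return OFF_RMSREF + slen + 1;
}

/* Safe handler: checks the message is long enough and that the string is
 * NUL-terminated inside the received bytes before building the query.
 * Returns 0 on success, -1 for a malformed message, -2 when the query
 * would exceed the buffer (the case the advisory describes). */
int handle_cmd4(const uint8_t *msg, size_t len, char *out, size_t out_size)
{
    int32_t format_id;
    const char *rmsref;
    if (len < OFF_RMSREF + 1) return -1;
    memcpy(&format_id, msg + OFF_FORMAT_ID, sizeof format_id);
    rmsref = (const char *)msg + OFF_RMSREF;
    if (memchr(rmsref, '\0', len - OFF_RMSREF) == NULL) return -1;
    return build_query_safe(out, out_size, rmsref, format_id) == 0 ? 0 : -2;
}

int main(void)
{
    uint8_t msg[512];
    char out[QUERY_BUF_SIZE];
    char big[300];
    size_t n;

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    n = make_cmd4_msg(msg, sizeof msg, 7, "rf-01");
    printf("short RMSref: rc=%d query=%s\n", handle_cmd4(msg, n, out, sizeof out), out);

    n = make_cmd4_msg(msg, sizeof msg, 7, big);
    printf("long RMSref: needs %zu bytes, rc=%d\n",
           query_len(big, 7) + 1, handle_cmd4(msg, n, out, sizeof out));
    return 0;
}
```

The fixed part of the query is 52 characters, so the number of bytes that
end up past the 256-byte buffer is simply strlen(RMSref) plus the digits of
FormatID minus 203; build_query_unsafe() is kept only to show the pattern
and is never called with an overlong value here.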


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/igss_7.zip

  nc SERVER 12401 < igss_7.dat


#######################################################################

======
4) Fix
======


No fix.


#######################################################################
