#######################################################################

                             Luigi Auriemma

Application:  IGSS (Interactive Graphical SCADA System)
              http://www.igss.com
              http://www.7t.dk
Versions:     dc.exe <= 9.00.00.11059
Platforms:    Windows
Bug:          arbitrary command execution
Exploitation: remote, versus server
Date:         21 Mar 2011 (found 10 Jan 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


IGSS (Interactive Graphical SCADA System) is a SCADA solution developed
by 7-Technologies and used mainly in Denmark and the US.

Information from the vendor's website:
"IGSS is the complete automation software - a SCADA system for process
control and supervision - with a long row of releases since the start
of 7T 25 years ago.
At that time, 7T was the first company in the world to develop an
object oriented and mouse operated SCADA system under the name of
IGSS."


#######################################################################

======
2) Bug
======


dc.exe is a server listening on port 12397; it is active when the project
is started.

The opcodes 0xa and 0x17 are used for launching executables located in
the software's folder, but through directory traversal it is possible to
execute any arbitrary executable on the disk where the software is
installed, and to specify any arguments for its execution.
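The missing check that turns this into a traversal bug is the containment test the launch handler should apply before running anything. The following is an added example, not code from the advisory or from 7-Technologies: it resolves a client-supplied executable name against the install folder using Windows path rules and refuses anything that ends up outside it. The install folder and the sample request names are assumed/constructed.

```python
import ntpath
from typing import List, Optional

# Hypothetical install folder of the IGSS server (assumption); the real one
# is wherever dc.exe was installed. Only ntpath string rules are applied, so
# the example runs on any host without touching the filesystem.
INSTALL_DIR = r"C:\Program Files\7T\IGSS"

def resolve_launch_target(requested: str, base_dir: str = INSTALL_DIR) -> Optional[str]:
    """Map a client-supplied executable name onto base_dir.

    Returns the canonical full path when it stays inside base_dir, else
    None. ntpath gives Windows semantics (backslash and forward-slash
    separators, drive letters, UNC prefixes) regardless of the host OS.
    """
    if not requested or "\x00" in requested:
        return None
    # Drive-qualified ("D:x.exe", "C:\x.exe") and UNC ("\\host\share\x.exe")
    # names can never point into the install folder: reject them up front.
    if ntpath.splitdrive(requested)[0]:
        return None
    base = ntpath.normpath(base_dir)
    # Join first, then normalise: normpath collapses "..", ".", repeated and
    # forward-slash separators. A rooted name like "\Windows\x.exe" replaces
    # the base path on join and is then caught by the containment check.
    candidate = ntpath.normpath(ntpath.join(base, requested))
    # Case-insensitive containment (NTFS is case-insensitive); the trailing
    # separator stops "C:\IGSS" from matching "C:\IGSS-other\x.exe".
    prefix = base.lower().rstrip("\\") + "\\"
    if not candidate.lower().startswith(prefix):
        return None
    return candidate

def build_argv(requested: str, args: List[str]) -> Optional[List[str]]:
    """Build an argv list for a CreateProcess-style launch, or None when the
    target is refused. Passing a list rather than a joined command string
    keeps every client-supplied argument as exactly one argument."""
    target = resolve_launch_target(requested)
    if target is None:
        return None
    return [target, *args]

if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for name in ("report.exe", "tools\\viewer.exe",
                 "..\\..\\..\\Windows\\System32\\calc.exe",
                 "C:\\Windows\\System32\\calc.exe",
                 "\\Windows\\System32\\calc.exe"):
        print(f"{name!r:45} -> {resolve_launch_target(name)}")
```

A stricter policy for a handler that only ever launches files from its own folder is to additionally reject any name that is not a bare file name (`ntpath.basename(requested) == requested`), or to compare against an allowlist of known tool names.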


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/igss_8.zip

Two examples for executing calc.exe ("calc.exe arg1 arg2 arg3"):
  nc SERVER 12397 < igss_8a.dat
  nc SERVER 12397 < igss_8b.dat


#######################################################################

======
4) Fix
======


No fix.


#######################################################################
