#######################################################################

                             Luigi Auriemma

Application:  Siemens Tecnomatix FactoryLink
              http://www.usdata.com/sea/FactoryLink/en/p_nav1.html
              http://www.plm.automation.siemens.com/en_us/products/tecnomatix/production_management/factorylink/index.shtml
Versions:     <= 8.0.1.1473
Platforms:    Windows
Bugs:         Denial of Service
Exploitation: remote, versus server
Date:         21 Mar 2011 (found 02 Jan 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From vendor's website:
"Siemens FactoryLink monitors, supervises, and controls industrial
processes by enabling customers to perfect their processes and
products. Built on an advanced open architecture, FactoryLink delivers
the highest performance and flexibility to customers building vertical
applications in a wide range of industries.
Highly scaleable, FactoryLink can be used to build virtually any size
application, from the simplest Human-Machine Interface (HMI) systems to
the most complex and demanding Supervisory Control and Data Acquisition
(SCADA) systems."


#######################################################################

======
2) Bug
======


CSService, connsrv and datasrv are various Windows services.

All these services are vulnerable to several Denial of Service
vulnerabilities that allow crashing them through NULL pointer
dereferences, stack exhaustion and raised exceptions.
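The three crash classes named above are all failures to validate a
network-supplied message before acting on it. The following is an
added defensive example, not FactoryLink code and not the advisory's
proof of concept: a request dispatcher for a constructed message format
(type byte, 16-bit big-endian length, payload; type 3 is a container
holding nested messages) that checks the handler lookup for NULL before
calling through it, caps nesting depth so a crafted message cannot
exhaust the stack, and refuses a length field larger than the bytes
actually received so no out-of-bounds read can raise an access
violation. All names, the message layout and the handler table are
assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not vendor code: a message dispatcher that guards the
 * three failure modes listed in the advisory. The wire format is
 * constructed for illustration: [type:1][len:2 big-endian][payload:len]. */

#define MAX_DEPTH 16   /* bounds recursion so nested messages cannot exhaust the stack */
#define MAX_TYPE  4    /* number of slots in the handler table */

enum status { OK = 0, ERR_TRUNCATED, ERR_UNKNOWN_TYPE, ERR_TOO_DEEP, ERR_BAD_LEN };

typedef int (*handler_fn)(const uint8_t *payload, size_t len);

static int handle_ping(const uint8_t *p, size_t n)
{
    (void)p; (void)n;
    return OK;
}

/* hypothetical "write" request: requires a 2-byte tag id before the value */
static int handle_write(const uint8_t *p, size_t n)
{
    (void)p;
    return n >= 2 ? OK : ERR_BAD_LEN;
}

/* constructed handler table: slot 2 and 3 are NULL on purpose to model an
 * unimplemented type; an unchecked call through them is the NULL deref case */
static const handler_fn handlers[MAX_TYPE] = { handle_ping, handle_write, NULL, NULL };

int process_message(const uint8_t *buf, size_t avail, int depth)
{
    if (depth > MAX_DEPTH)
        return ERR_TOO_DEEP;                 /* stack exhaustion guard */
    if (avail < 3)
        return ERR_TRUNCATED;                /* header must be fully present */

    uint8_t type = buf[0];
    size_t len = ((size_t)buf[1] << 8) | buf[2];
    if (len > avail - 3)
        return ERR_BAD_LEN;                  /* never trust the length field */

    const uint8_t *payload = buf + 3;

    if (type == 3) {                         /* container: recurse with bounded depth */
        size_t off = 0;
        while (off < len) {
            int rc = process_message(payload + off, len - off, depth + 1);
            if (rc != OK)
                return rc;
            /* the recursive call already validated this inner header */
            off += 3 + ((((size_t)payload[off + 1]) << 8) | payload[off + 2]);
        }
        return OK;
    }

    if (type >= MAX_TYPE || handlers[type] == NULL)
        return ERR_UNKNOWN_TYPE;             /* NULL check before the indirect call */
    return handlers[type](payload, len);
}

/* Builds n nested containers around a ping and dispatches the result;
 * used to show the depth cap working on constructed input. */
int check_nested(size_t n)
{
    static uint8_t buf[256];
    if (3 * n + 3 > sizeof buf)
        return ERR_BAD_LEN;
    for (size_t i = 0; i < n; i++) {
        size_t inner = 3 * (n - i);          /* bytes remaining after this header */
        buf[3 * i] = 3;
        buf[3 * i + 1] = (uint8_t)(inner >> 8);
        buf[3 * i + 2] = (uint8_t)(inner & 0xff);
    }
    buf[3 * n] = 0; buf[3 * n + 1] = 0; buf[3 * n + 2] = 0;   /* innermost ping */
    return process_message(buf, 3 * n + 3, 0);
}

int main(void)
{
    static const uint8_t ping[] = { 0x00, 0x00, 0x00 };
    static const uint8_t unknown[] = { 0x02, 0x00, 0x00 };
    static const uint8_t oversized[] = { 0x00, 0x00, 0x10 };
    printf("ping=%d unknown=%d oversized=%d nested5=%d nested20=%d\n",
           process_message(ping, sizeof ping, 0),
           process_message(unknown, sizeof unknown, 0),
           process_message(oversized, sizeof oversized, 0),
           check_nested(5), check_nested(20));
    return 0;
}
```

Each rejected message returns an error code to the caller instead of
taking the service down, which is the property a network-facing
parser needs whether or not the specific request is meaningful.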


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/factorylink_x.zip

  factorylink_x 1 SERVER
  factorylink_x 2 SERVER
  factorylink_x 6 SERVER
  factorylink_x 7 SERVER


#######################################################################

======
4) Fix
======


No fix.


#######################################################################
