#######################################################################

                             Luigi Auriemma

Application:  DATAC RealWin
              http://www.dataconline.com/software/realwin.php
              http://www.realflex.com
Versions:     <= 2.1 (Build 6.1.10.10)
Platforms:    Windows
Bug:          stack overflow
Exploitation: remote, versus server
Date:         21 Mar 2011 (found 25 Nov 2010)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


"RealWin is a SCADA server package for medium / small applications."


#######################################################################

=======
2) Bugs
=======


The part of the server listening on port 910 is vulnerable to several
buffer overflows that occur while handling various
On_FC_BINFILE_FCS_*FILE packets, which carry a string containing a
filename used for performing some file operations.
This filename is appended to a 256-byte stack buffer to build the full
path of the file through function 004275b0, causing the overflow.

The bugs are located in different functions, but I have grouped them in
this same advisory because the format and the performed operations are
similar.

List of the vulnerable functions:
- realwin_5a: 0042f770
- realwin_5b: 0042f670
- realwin_5c: 0042f9c0 -> 0042f770
- realwin_5d: 00427790
- realwin_5e: 004280b0
- realwin_5f: 00427880
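
As an added illustration of the defect described above (written for this
advisory's readers; it is not RealWin's code and is not derived from
function 004275b0), the unchecked append into a 256-byte stack buffer is
shown beside a checked version that refuses over-long filenames. BASE_DIR,
the 17-byte directory and all function names are assumptions.

```c
#include <string.h>

#define PATH_BUF 256                      /* stack buffer size named in the advisory */
#define BASE_DIR "C:\\RealWin\\files\\"   /* placeholder directory, 17 bytes */

/* Vulnerable pattern (hypothetical reconstruction, not RealWin's code): the
 * packet's filename is appended to a fixed stack buffer with no length check,
 * so any filename longer than PATH_BUF - strlen(base) - 1 bytes writes past
 * the buffer. Shown only for contrast; never pass untrusted input to it. */
size_t build_path_unchecked(const char *base, const char *filename)
{
    char path[PATH_BUF];
    strcpy(path, base);       /* no bounds check */
    strcat(path, filename);   /* overflows once the path reaches 256 bytes */
    return strlen(path);
}

/* Hardened version: compute the final length first and refuse the request
 * when it does not fit, reserving one byte for the terminating NUL.
 * Returns 0 on success and -1 when the filename is too long. */
int build_path_checked(char *out, size_t outsz, const char *base,
                       const char *filename)
{
    size_t blen = strlen(base), flen = strlen(filename);
    if (blen + flen + 1 > outsz)
        return -1;
    memcpy(out, base, blen);
    memcpy(out + blen, filename, flen + 1);   /* copies the NUL as well */
    return 0;
}

/* Simulates handling one On_FC_BINFILE_FCS_*FILE request whose filename
 * field is attacker-controlled. Returns 0 if accepted, -1 if rejected. */
int handle_binfile_request(const char *filename)
{
    char path[PATH_BUF];
    return build_path_checked(path, sizeof path, BASE_DIR, filename);
}

/* Submits a constructed filename of `len` 'A' bytes (capped at 511) to the
 * checked handler; the longest accepted name is 256 - 17 - 1 = 238 bytes. */
int submit_filename_of_length(size_t len)
{
    char name[512];
    if (len > sizeof name - 1)
        len = sizeof name - 1;
    memset(name, 'A', len);
    name[len] = '\0';
    return handle_binfile_request(name);
}
```

The same length check applied at the packet parser, before the filename
reaches any path-building routine, covers all six functions listed above
at once.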


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/realwin_5.zip

  nc SERVER 910 < realwin_5?.dat


#######################################################################

======
4) Fix
======


No fix.


#######################################################################
