#######################################################################

                             Luigi Auriemma

Application:  DATAC RealWin
              http://www.dataconline.com/software/realwin.php
              http://www.realflex.com
Versions:     <= 2.1 (Build 6.1.10.10)
Platforms:    Windows
Bug:          stack overflow
Exploitation: remote, versus server
Date:         21 Mar 2011 (found 25 Nov 2010)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


"RealWin is a SCADA server package for medium / small applications."


#######################################################################

=======
2) Bugs
=======


The part of the server listening on port 910 is vulnerable to a
stack-based buffer overflow in the handling of the
On_FC_CGETTAG_FCS_GETTELEMETRY, On_FC_CGETTAG_FCS_GETCHANNELTELEMETRY,
On_FC_CGETTAG_FCS_SETTELEMETRY and
On_FC_CGETTAG_FCS_SETCHANNELTELEMETRY packets: the input string taken
from the packet is used, without any length check, to build a file path
in a stack buffer of about 200 bytes:

  /* stack_buffer is about 200 bytes; input_string comes from the
     packet and its length is never checked */
  sprintf(
    stack_buffer,
    "C:\\Program Files\\DATAC\\Real.Win\\DemoRW-1.06\\\\realflex\\data\\crt\\fwd\\tel\\%s.tel",
    input_string);

Note that the bugs are located in different functions, but I have
grouped them here because the packet format and the operations
performed are similar.

List of the vulnerable functions:
- realwin_7a: 00467050
- realwin_7b: 00467520
- realwin_7c: 00467860
- realwin_7d: 00467ce0
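As an added illustration (not code from the advisory or from the vendor), a bounds-checked replacement for the sprintf() call above, in C: it refuses tag names outside a small character set and uses the return value of snprintf() to detect the overlong input that overflows the fixed buffer. The base path is the one quoted above; the 200-byte buffer size is the advisory's approximate figure, taken here as an assumption.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Base path as quoted in the advisory; the 200-byte buffer size is the
 * approximate figure the advisory gives, taken here as an assumption. */
#define TEL_BASE "C:\\Program Files\\DATAC\\Real.Win\\DemoRW-1.06\\\\realflex\\data\\crt\\fwd\\tel\\"
#define TEL_PATH_MAX 200

/* Hypothetical hardened builder: returns the path length on success,
 * -1 if the tag name is refused or the result would not fit in out[]. */
int build_tel_path(char *out, size_t out_len, const char *tag)
{
    size_t i, n = strlen(tag);
    int r;
    /* Accept only [A-Za-z0-9_-], so backslashes, dots and control
     * bytes never reach the path and an empty name is refused. */
    if (n == 0) return -1;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)tag[i];
        if (!isalnum(c) && c != '_' && c != '-') return -1;
    }
    /* snprintf() writes at most out_len bytes and returns the length the
     * untruncated string would have had: r >= out_len is exactly the
     * input that overflows a fixed sprintf() buffer. */
    r = snprintf(out, out_len, "%s%s.tel", TEL_BASE, tag);
    if (r < 0 || (size_t)r >= out_len) {
        out[0] = '\0';
        return -1;
    }
    return r;
}

/* Wrapper using a stack buffer of the assumed size, as the server does. */
int tel_path_len(const char *tag)
{
    char path[TEL_PATH_MAX];
    return build_tel_path(path, sizeof path, tag);
}

/* Constructed check: a 150-character name exceeds the 124 characters
 * left after the 71-byte base path, ".tel" and the terminator. */
int long_tag_rejected(void)
{
    char tag[151];
    memset(tag, 'A', 150);
    tag[150] = '\0';
    return tel_path_len(tag) == -1;
}
```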


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/realwin_7.zip

  nc SERVER 910 < realwin_7?.dat


#######################################################################

======
4) Fix
======


No fix.


#######################################################################
