#######################################################################

                             Luigi Auriemma

Application:  Iconics GENESIS32 and GENESIS64
              http://www.iconics.com/Home/Products/HMI-and-SCADA/GENESIS32.aspx
              http://www.iconics.com/Home/Products/HMI-and-SCADA/GENESIS64.aspx
Versions:     GENESIS32 <= 9.21
              GENESIS64 <= 10.51
              GenBroker.exe and GenBroker64.exe are the same version on
              both the softwares: 9.21.201.01
Platforms:    Windows
Bug:          freeing of arbitrary or uninitialized memory
Exploitation: remote, versus server
Date:         21 Mar 2011 (found 08 Jan 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Iconics Genesis is a SCADA HMI solution used worldwide, with customers
ranging from the Beijing Traffic Control Center to the Pentagon and even
Poste Italiane (source: the vendor's "Case Studies" page).

Information from the vendor's website:
"GENESIS32 is the industry's first and only fully scalable suite of
OPC, SNMP, BACnet and Web-enabled HMI and SCADA applications."


#######################################################################

======
2) Bug
======


GenBroker is a Windows service listening on TCP port 38080.

The addresses and code snippets reported here refer to GENESIS32 9.2.

The service is affected by multiple frees of uninitialized pointers and
of arbitrary locations because:
- the functions that store the string pointers read from the client
  silently break out of the reading loop when the end of the packet is
  reached, and still return success
- these functions allocate the pointer array with malloc instead of
  calloc, so the slots that were never filled keep whatever the heap
  previously contained
- the functions that free the arrays don't know if and when the reading
  loop stopped, so they call free() on all the elements the attacker
  specified in his packet, not only on the ones that were actually read

Exploitability depends on how well the attacker can control the stale
heap contents, by sending valid packets before the malformed one, so that
the unfilled slots hold pointers to locations of his choice and the free
loop releases them.
The service is multi-threaded, so there are many chances of exploitation.
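The pattern described above, as an added example that is not GenBroker's
code: the wire format (a u32 element count followed by strings carried as
a u16 length plus bytes) is assumed for illustration only, since the
advisory does not document GenBroker's packet layout, and the stale heap
contents left behind by malloc() are simulated with a constant. The
vulnerable read loop breaks silently when the packet runs out, the
matching free loop trusts the declared count, and the hardened variant
uses calloc(), remembers how many entries were really read, and rejects a
packet that promises more strings than it carries. The vulnerable free
loop is instrumented as a dry run that counts the bogus free() calls
instead of performing them, so the demo itself does not crash.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stands in for whatever an uncleared malloc()'d slot held before the read loop ran. */
#define POISON ((char *)(uintptr_t)0x41414141u)

/* declared: count claimed by the client; filled: strings actually read. */
typedef struct { size_t declared, filled; char **items; } str_array;

static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Same shape as the vulnerable read loop: the array is not cleared and running
 * out of packet data just breaks the loop while still returning success. */
static int read_strings_vulnerable(const uint8_t *pkt, size_t len, str_array *out) {
    if (len < 4) return -1;
    size_t n = rd32(pkt);
    const uint8_t *p = pkt + 4, *end = pkt + len;
    out->declared = n; out->filled = 0;
    out->items = malloc(n * sizeof *out->items);
    if (!out->items) return -1;
    for (size_t i = 0; i < n; i++) out->items[i] = POISON;   /* simulate stale heap contents */
    for (size_t i = 0; i < n; i++) {
        if ((size_t)(end - p) < 2) break;                    /* end of packet: silently stop */
        size_t slen = rd16(p); p += 2;
        if ((size_t)(end - p) < slen) break;
        out->items[i] = malloc(slen + 1);
        if (!out->items[i]) break;
        memcpy(out->items[i], p, slen); out->items[i][slen] = '\0';
        p += slen; out->filled++;
    }
    return 0;
}

/* The vulnerable free loop trusts `declared`. This dry run counts the slots the
 * real loop would hand to free() although the read loop never wrote them, and
 * releases only the genuine allocations so the demo does not crash. */
static size_t free_strings_vulnerable_dryrun(str_array *a) {
    size_t bogus = 0;
    for (size_t i = 0; i < a->declared; i++) {
        if (a->items[i] == POISON) bogus++;   /* the real code would call free(stale pointer) */
        else free(a->items[i]);
    }
    free(a->items); a->items = NULL;
    return bogus;
}

/* Hardened: free only as many entries as were actually read. */
static void free_strings_fixed(str_array *a) {
    for (size_t i = 0; i < a->filled; i++) free(a->items[i]);
    free(a->items); a->items = NULL; a->filled = a->declared = 0;
}

/* Hardened read: calloc() so unread slots are NULL, bound the count by what the
 * packet can physically carry, and treat a truncated packet as an error. */
static int read_strings_fixed(const uint8_t *pkt, size_t len, str_array *out) {
    if (len < 4) return -1;
    size_t n = rd32(pkt);
    if (n > (len - 4) / 2) return -1;        /* every string costs at least its 2-byte length */
    const uint8_t *p = pkt + 4, *end = pkt + len;
    out->declared = n; out->filled = 0;
    out->items = calloc(n ? n : 1, sizeof *out->items);
    if (!out->items) return -1;
    for (size_t i = 0; i < n; i++) {
        size_t slen;
        if ((size_t)(end - p) < 2) goto truncated;
        slen = rd16(p); p += 2;
        if ((size_t)(end - p) < slen) goto truncated;
        out->items[i] = malloc(slen + 1);
        if (!out->items[i]) goto truncated;
        memcpy(out->items[i], p, slen); out->items[i][slen] = '\0';
        p += slen; out->filled++;
    }
    return 0;
truncated:
    free_strings_fixed(out);
    return -1;
}

/* Constructed packet: claims `declared` strings but carries only `carried` copies of "tag". */
static size_t build_packet(uint8_t *buf, size_t cap, uint32_t declared, unsigned carried) {
    size_t off = 0;
    for (int b = 0; b < 4; b++) buf[off++] = (uint8_t)(declared >> (8 * b));
    for (unsigned i = 0; i < carried && off + 5 <= cap; i++) {
        buf[off++] = 3; buf[off++] = 0;              /* u16 length = 3 */
        memcpy(buf + off, "tag", 3); off += 3;
    }
    return off;
}

/* Number of never-written pointers the original free loop would pass to free(). */
size_t bogus_frees_for(uint32_t declared, unsigned carried) {
    uint8_t pkt[256]; str_array a;
    size_t len = build_packet(pkt, sizeof pkt, declared, carried);
    if (read_strings_vulnerable(pkt, len, &a) != 0) return (size_t)-1;
    return free_strings_vulnerable_dryrun(&a);
}

/* 0 if the hardened parser accepts the packet, -1 if it rejects it. */
int fixed_accepts(uint32_t declared, unsigned carried) {
    uint8_t pkt[256]; str_array a;
    size_t len = build_packet(pkt, sizeof pkt, declared, carried);
    int rc = read_strings_fixed(pkt, len, &a);
    if (rc == 0) free_strings_fixed(&a);
    return rc;
}
```

A packet declaring 8 strings but carrying 3 makes the vulnerable read loop
stop after 3 and return success, after which the free loop would free 5
pointers it never wrote; the hardened parser rejects the same packet
before allocating anything. The early count check also rules out the
oversized malloc that a huge declared count would otherwise trigger.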

The following is the full list of vulnerable opcodes and the read/free
functions to monitor (addresses refer to version 9.2):

1) opcode 0x4B0:
    read loop: 0044ACC0 and 0044AD04
    free loop: 004446B0

2) opcode 0x4B2:
    read loop: 0044B360
    free loop: 004428F0

3) opcode 0x4B5:
    read loop: 0044C560
    free loop: 00443090

4) function 0044C6B0 used by opcodes 0xDAE and 0xDB0:
    read loop: 0044C800
    free loop: 00443160

5) opcodes 0x1BBC and 0x1BBD:
    read loop: 0044CA90
    free loop: 004432A0


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/genesis_1.zip


#######################################################################

======
4) Fix
======


No fix.


#######################################################################
