#######################################################################

                             Luigi Auriemma

Application:  Iconics GENESIS32 and GENESIS64
              http://www.iconics.com/Home/Products/HMI-and-SCADA/GENESIS32.aspx
              http://www.iconics.com/Home/Products/HMI-and-SCADA/GENESIS64.aspx
Versions:     GENESIS32 <= 9.21
              GENESIS64 <= 10.51
              GenBroker.exe and GenBroker64.exe have the same version in
              both products: 9.21.201.01
Platforms:    Windows
Bug:          integer overflow
Exploitation: remote, versus server
Date:         21 Mar 2011 (found 08 Jan 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Iconics Genesis is a SCADA/HMI solution used worldwide, with customers
ranging from the Beijing Traffic Control Center to the Pentagon and
even Poste Italiane (source: the vendor's "Case Studies" page).

Information from the vendor's website:
"GENESIS32 is the industry's first and only fully scalable suite of
OPC, SNMP, BACnet and Web-enabled HMI and SCADA applications."


#######################################################################

======
2) Bug
======


GenBroker is a Windows service running on port 38080.

The addresses and code snippets reported here refer to GENESIS32 9.2.

The service is affected by three integer overflow vulnerabilities in
the handling of opcode 0x4b0: the memory for some arrays is allocated
as (number of elements * 4), and the number of elements is a 32-bit
value taken from the client without any check, so the multiplication
can wrap and a buffer much smaller than the data it must hold gets
allocated.

The resulting memory corruption (for example calls through controlled
registers, calls to arbitrary memory locations, writes of data to
arbitrary locations and so on) allows code execution.

Fields in the packet (32 = 32-bit integer, x = the value read from
that field):
    string
    string
    32
    32
    32
    32
    32
    32
    32
    32
    32      malloc(x * 4)
    ...
    32      malloc(x * 4)
    ...
    32      malloc(x * 4)

Vulnerable code:
  0044AC26  |.  E8 45C5FCFF   CALL 00417170             ; get 32bit
  0044AC2B  |.  8B45 00       MOV EAX,DWORD PTR SS:[EBP]
  0044AC2E  |.  C1E0 02       SHL EAX,2                 ; * 4
  0044AC31  |.  50            PUSH EAX
  0044AC32  |.  E8 81C50500   CALL <JMP.&MFC71U.#265>   ; malloc
  ...
  0044AC95  |.  8B47 28       MOV EAX,DWORD PTR DS:[EDI+28]
  0044AC98  |.  C1E0 02       SHL EAX,2                 ; * 4
  0044AC9B  |.  50            PUSH EAX
  0044AC9C  |.  C74424 20 020>MOV DWORD PTR SS:[ESP+20],2
  0044ACA4  |.  E8 0FC50500   CALL <JMP.&MFC71U.#265>   ; malloc
  ...
  0044ACE9  |>  8B47 30       MOV EAX,DWORD PTR DS:[EDI+30]
  0044ACEC  |.  C1E0 02       SHL EAX,2                 ; * 4
  0044ACEF  |.  50            PUSH EAX
  0044ACF0  |.  E8 C3C40500   CALL <JMP.&MFC71U.#265>   ; malloc
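The following C program is an example added for this edit; it is not
GenBroker code and not code from the advisory. It models the three
"32-bit count -> malloc(x * 4)" allocations of the opcode 0x4b0 handler
in plain C: the wrapping size computation the disassembly shows, the
overflow check it lacks, and a check of the count against the length of
the message actually received. The message layout (a 32-bit little-endian
count followed by 32-bit elements) and all messages below are constructed
for illustration, not captured from the service.

```c
/*
 * Added example (not GenBroker code, not code from the advisory): the
 * count -> malloc(count * 4) pattern with and without overflow checks.
 * Message layout and sample messages are constructed for illustration.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ELEM_SIZE 4u   /* one 32-bit element per array slot, as in SHL EAX,2 */

/* Allocation size exactly as the 32-bit service computes it: the product
 * is a 32-bit unsigned value, so a large count wraps to a small size. */
uint32_t wrapped_alloc_size(uint32_t count)
{
    return count * ELEM_SIZE;
}

/* True when count * ELEM_SIZE fits in 32 bits without wrapping. */
bool count_fits(uint32_t count)
{
    return count <= UINT32_MAX / ELEM_SIZE;
}

/* Read one 32-bit little-endian element count at *offset and allocate
 * its array. Adds the two checks the original handler lacks: the size
 * multiplication must not wrap, and the message must actually carry
 * count elements after the field. Returns NULL when the message is
 * rejected; on success *offset is advanced past the array data. */
uint32_t *read_array(const uint8_t *msg, size_t msg_len,
                     size_t *offset, uint32_t *count_out)
{
    if (msg_len < 4 || *offset > msg_len - 4)
        return NULL;                                 /* no room for the count */
    uint32_t count = (uint32_t)msg[*offset]
                   | (uint32_t)msg[*offset + 1] << 8
                   | (uint32_t)msg[*offset + 2] << 16
                   | (uint32_t)msg[*offset + 3] << 24;
    *offset += 4;
    *count_out = count;

    if (!count_fits(count))
        return NULL;                                 /* count * 4 would wrap */
    uint32_t bytes = count * ELEM_SIZE;
    if (bytes > msg_len - *offset)
        return NULL;                                 /* payload too short */

    uint32_t *arr = malloc(bytes ? bytes : 1);
    if (arr == NULL)
        return NULL;
    memcpy(arr, msg + *offset, bytes);
    *offset += bytes;
    return arr;
}

/* Constructed messages: a count field followed by 32-bit elements. */
static const uint8_t GOOD_MSG[]  = { 0x02, 0, 0, 0,            /* count = 2 */
                                     0x11, 0x11, 0x11, 0x11,
                                     0x22, 0x22, 0x22, 0x22 };
static const uint8_t WRAP_MSG[]  = { 0x01, 0, 0, 0x40,         /* 0x40000001 */
                                     0xAA, 0xAA, 0xAA, 0xAA };  /* * 4 wraps to 4 */
static const uint8_t SHORT_MSG[] = { 0x05, 0, 0, 0,            /* count = 5 */
                                     0x33, 0x33, 0x33, 0x33 };  /* but 1 element */

/* Parse a message and return its first element, or -1 if it was rejected
 * (an empty array yields 0). */
long first_element(const uint8_t *msg, size_t len)
{
    size_t off = 0;
    uint32_t count = 0;
    uint32_t *arr = read_array(msg, len, &off, &count);
    if (arr == NULL)
        return -1;
    long v = count ? (long)arr[0] : 0;
    free(arr);
    return v;
}

int main(void)
{
    printf("0x40000001 * 4 as the service computes it: %u bytes\n",
           wrapped_alloc_size(0x40000001u));
    printf("good message:  %ld\n", first_element(GOOD_MSG, sizeof GOOD_MSG));
    printf("wrap message:  %ld\n", first_element(WRAP_MSG, sizeof WRAP_MSG));
    printf("short message: %ld\n", first_element(SHORT_MSG, sizeof SHORT_MSG));
    return 0;
}
```

wrapped_alloc_size() is the arithmetic the disassembly performs: a count
of 0x40000001 yields a 4-byte buffer, after which the handler goes on to
fill 0x40000001 elements. count_fits() and the remaining-length check in
read_array() are the two conditions a patched handler needs before the
malloc; either one alone rejects the wrapping count, and the length check
also stops a count that does not wrap but exceeds the data sent.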


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/genesis_iof.zip

  genesis_iof 3 SERVER


#######################################################################

======
4) Fix
======


No fix.


#######################################################################
