#######################################################################

                             Luigi Auriemma

Application:  Iconics GENESIS32 and GENESIS64
              http://www.iconics.com/Home/Products/HMI-and-SCADA/GENESIS32.aspx
              http://www.iconics.com/Home/Products/HMI-and-SCADA/GENESIS64.aspx
Versions:     GENESIS32 <= 9.21
              GENESIS64 <= 10.51
              GenBroker.exe and GenBroker64.exe have the same version on
              both products: 9.21.201.01
Platforms:    Windows
Bug:          integer overflow
Exploitation: remote, versus server
Date:         21 Mar 2011 (found 08 Jan 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Iconics Genesis is a SCADA HMI solution used worldwide, with customers
ranging from the Beijing Traffic Control Center to the Pentagon and
even Poste Italiane (source: the vendor's "Case Studies" page).

Information from the vendor's website:
"GENESIS32 is the industry's first and only fully scalable suite of
OPC, SNMP, BACnet and Web-enabled HMI and SCADA applications."


#######################################################################

======
2) Bug
======


GenBroker is a Windows service running on port 38080.

The addresses and code snippets reported here refer to GENESIS32 9.2.

The service is affected by an integer overflow vulnerability during the
handling of opcode 0x4b2: the memory needed to create some arrays is
allocated from a client-supplied element count (multiplied by 4 or 8
via a shift) without any check that the result fits in 32 bits, so a
large count wraps to a small allocation.

The resulting memory corruption (direct register calls, calls to
controlled memory locations, writing of data to arbitrary locations
and so on) allows code execution.

Fields in the packet:
    32      x (element count), used as malloc(x * 4)

Vulnerable code:
  0044B2E9  |.  8B17          MOV EDX,DWORD PTR DS:[EDI]    ; get 32bit
  0044B2EB  |.  C1E2 02       SHL EDX,2                     ; * 4
  0044B2EE  |.  52            PUSH EDX
  0044B2EF  |.  8947 08       MOV DWORD PTR DS:[EDI+8],EAX
  0044B2F2  |.  E8 C1BE0500   CALL <JMP.&MFC71U.#265>       ; malloc
  0044B2F7  |.  8947 0C       MOV DWORD PTR DS:[EDI+C],EAX
  0044B2FA  |.  8B07          MOV EAX,DWORD PTR DS:[EDI]
  0044B2FC  |.  C1E0 02       SHL EAX,2                     ; * 4
  0044B2FF  |.  50            PUSH EAX
  0044B300  |.  E8 B3BE0500   CALL <JMP.&MFC71U.#265>       ; malloc
  0044B305  |.  8B0F          MOV ECX,DWORD PTR DS:[EDI]
  0044B307  |.  C1E1 03       SHL ECX,3                     ; * 8
  0044B30A  |.  51            PUSH ECX
  0044B30B  |.  8947 10       MOV DWORD PTR DS:[EDI+10],EAX
  0044B30E  |.  E8 A5BE0500   CALL <JMP.&MFC71U.#265>       ; malloc
  0044B313  |.  8B17          MOV EDX,DWORD PTR DS:[EDI]
  0044B315  |.  C1E2 02       SHL EDX,2                     ; * 4
  0044B318  |.  52            PUSH EDX
  0044B319  |.  8947 14       MOV DWORD PTR DS:[EDI+14],EAX
  0044B31C  |.  E8 97BE0500   CALL <JMP.&MFC71U.#265>       ; malloc

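The following is an added example, not code from the advisory or from
the vendor: it reproduces the 32-bit size computation of the listing
above (count shifted left by 2 or 3 with no check) beside a checked
variant, and the element count 0x40000001 is a constructed value chosen
to show the wrap, not a value taken from the advisory.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Size computation as the disassembly performs it: the 32-bit element
 * count is shifted left (SHL reg,2 for *4, SHL reg,3 for *8) and the
 * result silently wraps modulo 2^32 before reaching malloc(). */
uint32_t unchecked_size(uint32_t count, unsigned shift)
{
    return count << shift;
}

/* Checked variant: returns the byte count, or -1 when count*elem_size
 * would not fit in 32 bits (a zero element size is rejected too). */
int64_t checked_size(uint32_t count, uint32_t elem_size)
{
    if (elem_size == 0 || count > UINT32_MAX / elem_size)
        return -1;
    return (int64_t)count * elem_size;
}

/* Allocates an array only when the size check passes; NULL otherwise.
 * calloc() does its own overflow check, but the explicit test keeps the
 * rejected path visible and loggable. */
void *alloc_array_checked(uint32_t count, uint32_t elem_size)
{
    if (checked_size(count, elem_size) < 0)
        return NULL;
    return calloc(count, elem_size);
}

/* Helper for tests: 1 if the checked allocation succeeds, else 0. */
int alloc_probe(uint32_t count, uint32_t elem_size)
{
    void *p = alloc_array_checked(count, elem_size);
    if (p == NULL)
        return 0;
    free(p);
    return 1;
}

int main(void)
{
    const uint32_t count = 0x40000001u;   /* constructed sample value */
    printf("unchecked: %u elements -> %u bytes\n", count,
           unchecked_size(count, 2));       /* wraps to 4 bytes */
    printf("checked:   %lld\n", (long long)checked_size(count, 4));
    return 0;
}
```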

#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/genesis_iof.zip

  genesis_iof 4 SERVER


#######################################################################

======
4) Fix
======


No fix.


#######################################################################
