IDS Signature for DATAC RealWin SCADA Server Exploit

This vulnerability was made public a few days ago, and we’ve put together a signature to detect it.  It is another very simple stack-based overflow; we are seeing far too many of these in SCADA software.  With the increased exposure of the last few months, we hope vendors have already started internal code audits to find them.  They aren’t going to be secure overnight, but a lot of low-hanging fruit like this can be knocked out quickly with automated tools and a couple of developers who understand the output.

Exploit scripts for this have been uploaded to the Metasploit repository, so the tools are already in attackers’ hands.  910/tcp is an uncommon port, so if you see any hits on this signature there is a very good chance it’s a legitimate attack.

alert tcp $EXTERNAL_NET any -> $HOME_NET 910 (msg:"RealWin INFOTAG/SET_CONTROL Packet Processing Buffer Overflow"; content:"|10 23 54 67|"; depth:4; byte_test:4,>,739,0,little,relative; flow:established,to_server; sid:1111603; rev:1; priority:1;)
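To make the rule's logic concrete, here is the same check restated in Python and run over a few constructed packets.  This is an added example written for this page, not code from the original post or from DATAC; it assumes only what the rule itself states: the four magic bytes at the start of the payload (`content` with `depth:4`) and a 4-byte little-endian value immediately after them that must exceed 739 (`byte_test ... relative`).  That field is presumed to be a length field, and the sample packets are made up for the demonstration.

```python
import struct

# From the Snort rule: content:"|10 23 54 67|"; depth:4;
REALWIN_MAGIC = b"\x10\x23\x54\x67"
# From the Snort rule: byte_test:4,>,739,0,little,relative;
THRESHOLD = 739


def matches_signature(payload: bytes) -> bool:
    """Return True if this TCP payload would trip the rule's content + byte_test checks.

    Mirrors the rule: the magic must sit at offset 0 (depth:4), and the
    4-byte little-endian value right after it (relative offset 0) must be > 739.
    Port and flow direction are left to the sensor and not modelled here.
    """
    if len(payload) < 8:
        # Not enough bytes for magic + 4-byte field: byte_test cannot evaluate.
        return False
    if payload[:4] != REALWIN_MAGIC:
        return False
    (field,) = struct.unpack_from("<I", payload, 4)  # little-endian, unsigned
    return field > THRESHOLD


def build_packet(field_value: int, body: bytes = b"") -> bytes:
    """Construct a RealWin-style payload: magic, 4-byte LE field, then body.

    The field is assumed (not stated on the page) to be a length; the body is
    filler so the samples look like real traffic.
    """
    return REALWIN_MAGIC + struct.pack("<I", field_value) + body


def scan(packets):
    """Run the signature over (name, payload) pairs and return the verdicts."""
    return [(name, matches_signature(payload)) for name, payload in packets]


# Constructed sample traffic (not captured from a real RealWin server).
SAMPLES = [
    ("normal_request", build_packet(64, b"A" * 64)),
    ("at_threshold", build_packet(739, b"A" * 739)),
    ("oversized", build_packet(4096, b"A" * 4096)),
    ("wrong_magic", b"\x00\x00\x00\x00" + struct.pack("<I", 4096)),
    ("truncated", build_packet(4096)[:6]),
]

if __name__ == "__main__":
    for name, hit in scan(SAMPLES):
        print(f"{name:16s} {'ALERT' if hit else 'ok'}")
```

Two things the restatement makes obvious.  The rule fires on the value of the field, not on the actual size of the data that follows it, so a truncated or split message that carries a large field value still alerts.  Conversely, because `depth:4` anchors the magic to the very start of the payload, a malicious message that does not begin a TCP segment (or a reassembled stream, depending on the sensor's stream configuration) will not be matched; that is worth keeping in mind when tuning for false negatives.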

Further information and links are available on the SCADApedia page.  Please let us know of any false positives or false negatives you find in these, and we’ll keep the signatures updated with that information.

1 comment to IDS Signature for DATAC RealWin SCADA Server Exploit

  • christopher.jager

    Daniel/Dale/etc.,

    I know there are many asset owners out here that are thankful for your efforts in releasing these signatures.

    Keep ‘em coming.
