7T IGSS Stack Overflows Vulnerability

Vulnerability

Multiple vulnerabilities have been identified in 7T Interactive Graphical SCADA System (IGSS), which could be exploited by remote attackers to disclose or manipulate data, cause a denial of service or take complete control of a vulnerable system. These issues are caused by input and access validation errors, and buffer overflows in the “IGSSdataServer.exe” and “dc.exe” components when processing malformed data sent to ports 12401/TCP and 12397/TCP, which could be exploited by remote attackers to crash an affected component, download or upload arbitrary files, or execute arbitrary code on a vulnerable system.

IGSSdataServer.exe is a server running on port 12401 active when the project is started.

The opcode 0x7 is used for handling the RMS report templates. After the parsing of the “Rename” (0x2), “Delete” (0x3) and “Add” (0x4) commands, the function at 0040F910 is called; it builds the string to place in RMS.DIC and is vulnerable to a buffer overflow on a stack buffer of about 512 bytes:

0040F9FE |. 8D0432 |LEA EAX,DWORD PTR DS:[EDX+ESI]
0040FA01 |. 8D48 6A |LEA ECX,DWORD PTR DS:[EAX+6A]
0040FA04 |. 51 |PUSH ECX
0040FA05 |. 8D50 2A |LEA EDX,DWORD PTR DS:[EAX+2A]
0040FA08 |. 52 |PUSH EDX
0040FA09 |. 0FB650 01 |MOVZX EDX,BYTE PTR DS:[EAX+1]
0040FA0D |. 8D48 02 |LEA ECX,DWORD PTR DS:[EAX+2]
0040FA10 |. 51 |PUSH ECX
0040FA11 |. 52 |PUSH EDX
0040FA12 |. 8D8424 24020000 |LEA EAX,DWORD PTR SS:[ESP+224]
0040FA19 |. 68 E0A54300 |PUSH 0043A5E0 ; "%d,%s,%s,%s"
0040FA1E |. 50 |PUSH EAX
0040FA1F |. E8 460D0100 |CALL 0042076A ; sprintf
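The listing above shows the root cause: a sprintf into a fixed stack buffer with string fields taken straight from the network message. The following C code is an added example, not code from 7T or from the advisory; it reconstructs the message layout implied by the disassembly (a number byte at offset 1, strings at offsets 0x02, 0x2A and 0x6A, a 512-byte output line) as an assumption, and shows the checks a hardened builder would perform: every string field must be NUL-terminated inside its own slot, and the formatted result is produced with snprintf and rejected if it would not fit.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Message layout assumed from the disassembly (hypothetical reconstruction):
 *   msg[1]      one byte formatted with %d
 *   msg + 0x02  first string field  (slot ends at 0x2A)
 *   msg + 0x2A  second string field (slot ends at 0x6A)
 *   msg + 0x6A  third string field  (runs to the end of the message)
 */
#define FIELD1_OFF 0x02
#define FIELD2_OFF 0x2A
#define FIELD3_OFF 0x6A
#define LINE_BUF   512   /* size of the stack buffer the advisory estimates */

/* Returns 1 if a NUL terminator exists within [p, p+max), else 0. */
static int field_terminated(const unsigned char *p, size_t max)
{
    return memchr(p, '\0', max) != NULL;
}

/* Hardened builder: returns the formatted length on success, -1 if the
 * message is malformed or the result would not fit in `out`. */
int build_rms_line(const unsigned char *msg, size_t msg_len,
                   char *out, size_t out_len)
{
    if (msg == NULL || out == NULL || out_len == 0) return -1;
    if (msg_len <= FIELD3_OFF) return -1;   /* too short to hold every field */

    const unsigned char *f1 = msg + FIELD1_OFF;
    const unsigned char *f2 = msg + FIELD2_OFF;
    const unsigned char *f3 = msg + FIELD3_OFF;

    /* Each string must terminate inside its own slot, so %s can never
     * read past the received message. */
    if (!field_terminated(f1, FIELD2_OFF - FIELD1_OFF)) return -1;
    if (!field_terminated(f2, FIELD3_OFF - FIELD2_OFF)) return -1;
    if (!field_terminated(f3, msg_len - FIELD3_OFF)) return -1;

    /* snprintf bounds the write; its return value tells us whether the
     * full line fitted. The original code used an unbounded sprintf here. */
    int n = snprintf(out, out_len, "%d,%s,%s,%s", msg[1],
                     (const char *)f1, (const char *)f2, (const char *)f3);
    if (n < 0 || (size_t)n >= out_len) {
        out[0] = '\0';   /* would have overflowed: refuse the entry */
        return -1;
    }
    return n;
}

/* Builds a constructed test message in the assumed layout. Returns its
 * length, or 0 if a field does not fit its slot or the buffer. */
size_t make_rms_msg(unsigned char *buf, size_t cap, unsigned char num,
                    const char *f1, const char *f2, const char *f3)
{
    size_t l3 = strlen(f3);
    size_t total = FIELD3_OFF + l3 + 1;
    if (total > cap) return 0;
    if (strlen(f1) >= FIELD2_OFF - FIELD1_OFF) return 0;
    if (strlen(f2) >= FIELD3_OFF - FIELD2_OFF) return 0;
    memset(buf, 0, total);
    buf[0] = 0x07;               /* opcode byte (RMS templates) */
    buf[1] = num;
    memcpy(buf + FIELD1_OFF, f1, strlen(f1) + 1);
    memcpy(buf + FIELD2_OFF, f2, strlen(f2) + 1);
    memcpy(buf + FIELD3_OFF, f3, l3 + 1);
    return total;
}

int main(void)
{
    unsigned char msg[1024];
    char line[LINE_BUF];

    /* Well-formed message: the line is built normally. */
    size_t len = make_rms_msg(msg, sizeof msg, 4, "Report1", "Old", "New");
    int n = build_rms_line(msg, len, line, sizeof line);
    printf("%d -> %s\n", n, line);

    /* Oversized third field: 600 bytes cannot fit the 512-byte line. */
    char big[601];
    memset(big, 'A', 600);
    big[600] = '\0';
    len = make_rms_msg(msg, sizeof msg, 4, "Report1", "Old", big);
    printf("oversized -> %d\n", build_rms_line(msg, len, line, sizeof line));
    return 0;
}
```

The two checks that matter for this class of bug are the per-slot termination test (so the %s conversions cannot run off the end of the message) and the comparison of snprintf's return value against the buffer size (so a line that would not fit is dropped rather than truncated or, as in the original, written past the end of the stack buffer).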

Affected Systems

  • All versions of IGSSdataServer.exe 9.00.00.11063 and older

Impact

An unauthenticated, remote attacker can exploit the stack overflow to crash the affected component (denial of service) or to execute arbitrary code on the affected system and gain remote control of it.

Detection

Digital Bond has not released a Quickdraw IDS Signature for this vulnerability at this time.

Remediation

-The reported vulnerability only affects IGSS when it is run without a firewall.
-A security patch has been released and is available through normal update procedures.

External Links

ICS-ALERT-11-080-03 MULTIPLE VULNERABILITIES IN 7-TECHNOLOGIES IGSS