Multiple vulnerabilities have been identified in 7T Interactive Graphical SCADA System (IGSS), which could be exploited by remote attackers to disclose or manipulate data, cause a denial of service or take complete control of a vulnerable system. These issues are caused by input and access validation errors, and buffer overflows in the “IGSSdataServer.exe” and “dc.exe” components when processing malformed data sent to ports 12401/TCP and 12397/TCP, which could be exploited by remote attackers to crash an affected component, download or upload arbitrary files, or execute arbitrary code on a vulnerable system.
IGSSdataServer.exe is a server listening on port 12401 that becomes active once the project is started.
Opcode 0x7 handles the RMS report templates. After the “Rename” (0x2), “Delete” (0x3) and “Add” (0x4) commands have been parsed, the function at 0040F910 is called; it builds the string to be placed in RMS.DIC and is vulnerable to a buffer overflow of a stack buffer of about 512 bytes:
0040F9FE |. 8D0432 |LEA EAX,DWORD PTR DS:[EDX+ESI]
0040FA01 |. 8D48 6A |LEA ECX,DWORD PTR DS:[EAX+6A]
0040FA04 |. 51 |PUSH ECX
0040FA05 |. 8D50 2A |LEA EDX,DWORD PTR DS:[EAX+2A]
0040FA08 |. 52 |PUSH EDX
0040FA09 |. 0FB650 01 |MOVZX EDX,BYTE PTR DS:[EAX+1]
0040FA0D |. 8D48 02 |LEA ECX,DWORD PTR DS:[EAX+2]
0040FA10 |. 51 |PUSH ECX
0040FA11 |. 52 |PUSH EDX
0040FA12 |. 8D8424 24020000 |LEA EAX,DWORD PTR SS:[ESP+224]
0040FA19 |. 68 E0A54300 |PUSH 0043A5E0 ; "%d,%s,%s,%s"
0040FA1E |. 50 |PUSH EAX
0040FA1F |. E8 460D0100 |CALL 0042076A ; sprintf
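The block below is an added example, not code from 7T or from this advisory: a C reconstruction of the same record-to-RMS.DIC step with every length checked, so the format call can no longer run past the caller's stack buffer. The field offsets (+1, +2, +0x2A, +0x6A) come from the listing above; the field widths, the three-command range check and the requirement that each field be NUL-terminated within its slot are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define FLD1_OFF 0x02                   /* offsets taken from the LEA instructions */
#define FLD2_OFF 0x2A
#define FLD3_OFF 0x6A
#define FLD1_MAX (FLD2_OFF - FLD1_OFF)  /* 40 bytes, inferred from the offsets */
#define FLD2_MAX (FLD3_OFF - FLD2_OFF)  /* 64 bytes, inferred from the offsets */
#define FLD3_MAX 64                     /* assumed width of the last field */
#define REC_MIN  (FLD3_OFF + FLD3_MAX)  /* smallest record that holds all fields */

/* Copy one fixed-width packet field into dst, stopping at the first NUL.
 * Returns 0 on success, -1 if the field lies outside the record, is not
 * NUL-terminated within 'width', or does not fit in dst. */
static int copy_field(const uint8_t *rec, size_t reclen, size_t off,
                      size_t width, char *dst, size_t dstlen)
{
    if (off > reclen || width > reclen - off) return -1;
    const uint8_t *end = memchr(rec + off, 0, width);   /* bounded strlen */
    size_t n = end ? (size_t)(end - (rec + off)) : width;
    if (n == width || n >= dstlen) return -1;
    memcpy(dst, rec + off, n);
    dst[n] = '\0';
    return 0;
}

/* Build the "%d,%s,%s,%s" RMS.DIC line from a raw record with every length
 * checked. 'out' stands in for the original ~512-byte stack buffer.
 * Returns the line length, or -1 if anything would overflow. */
int build_rms_line(const uint8_t *rec, size_t reclen, char *out, size_t outlen)
{
    char f1[FLD1_MAX], f2[FLD2_MAX], f3[FLD3_MAX];
    if (rec == NULL || out == NULL || reclen < REC_MIN) return -1;
    int cmd = rec[1];                     /* MOVZX EDX, BYTE PTR [EAX+1] */
    if (cmd < 2 || cmd > 4) return -1;    /* Rename/Delete/Add only (assumed) */
    if (copy_field(rec, reclen, FLD1_OFF, FLD1_MAX, f1, sizeof f1) != 0 ||
        copy_field(rec, reclen, FLD2_OFF, FLD2_MAX, f2, sizeof f2) != 0 ||
        copy_field(rec, reclen, FLD3_OFF, FLD3_MAX, f3, sizeof f3) != 0)
        return -1;
    int n = snprintf(out, outlen, "%d,%s,%s,%s", cmd, f1, f2, f3);
    if (n < 0 || (size_t)n >= outlen) return -1;   /* refuse a truncated line */
    return n;
}
```

An oversized, unterminated or out-of-range field now yields -1 instead of a write past the end of the buffer, which is the check the original sprintf path lacks.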
- All versions of IGSSdataServer.exe 9.00.00.11063 and older
An unauthenticated, remote attacker can exploit this stack overflow to crash the component (a denial of service condition) or to execute arbitrary code on affected systems and gain remote control of them.
Digital Bond has not released a Quickdraw IDS Signature for this vulnerability at this time.
- The reported vulnerability only affects IGSS when it is run without a firewall.
- A security patch has been released and is available through the normal update procedures.