Pages

Iconics GENESIS32/GENESIS64 Freeing of Arbitrary or Uninitialized Memory Vulnerability

Vulnerability

Multiple vulnerabilities have been identified in ICONICS GENESIS32 and GENESIS64, which could be exploited by remote attackers to cause a denial of service or take complete control of a vulnerable system. These issues are caused by memory corruptions and integer overflow errors in the “GenBroker” service when processing malformed requests sent to port 38080/TCP (opcodes 0xfa7, 0xfa4, 0xdb0, 0xdae, 0x89b, 0x89a, 0x7d0, 0x4b5, 0x4b2, 0x4b0, 0×455, 0×454, 0×453, 0×451, 0×450, 0x3f0, 0x26ac, 0x1c86, 0x1c84, 0x1c24, 0x1c20, 0x1bbd, 0x1bbc, 0×1394, 0×1393, 0×1392, 0×1391, 0×1390, and 0x138f), which could allow remote unauthenticated attackers to crash an affected service or execute arbitrary code with elevated privileges.

Multiple vulnerabilities have been reported that affect services on 38080/TCP:

• Multiple integer overflow (remotely exploitable)
• Double-free memory corruption (remotely exploitable)

GenBroker is a Windows service running on port 38080.

The addresses and code snippets reported here are referred to GENESIS32 9.2.

The service is affected by multiple freeing of initialized memory pointers and arbitrary locations because:

- the functions that store the strings pointers read from the client automatically break the reading loop when the end of the packet is reached – these functions use malloc instead of calloc so the memory is not cleared

- the functions that free the arrays don’t know if and when the reading process stopped and so they call free() over all the elements specified by the attacker in his packet

The exploitability of these vulnerabilities depends by how the attacker has corrupted the memory for forcing the freeing of arbitrary locations through the sending of valid packets before the malformed one. The service is multi-thread so there are many chances of exploitation.

The following is the full list of vulnerable opcodes and the read/free functions to monitor (referred to version 9.2):

1) opcode 0x4b0:
read loop: 0044ACC0 and 0044AD04
free loop: 004446B0

2) opcode 0x4b2:
read loop: 0044B360
free loop: 004428F0

3) opcode 0x4b5:
read loop: 0044C560
free loop: 00443090

4) function 0044C6B0 used by opcodes 0xDAE and 0xDB0.
read loop: 0044c800
free loop: 00443160

5) opcodes 0x1BBC and 0x1BBD:
read loop: 0044ca90
free loop: 004432a0

Affected Systems

  • All versions of GENESIS32 9.21 and older
  • All versions of GENESIS64 10.51 and older

Impact

Freeing or deleting the same memory chunk twice may result in an application crash. It may also, when combined with other flaws on a system that does not perform heap-chunk checking, allow an attacker access to arbitrary memory.

Detection

Digital Bond has not released a Quickdraw IDS Signature for this vulnerability at this time.

Remediation

There is currently no fix available.

External Links

ICS−ALERT-11-080-02 MULTIPLE VULNERABILITIES IN ICONICS GENESIS (32 & 64)