Iconics GENESIS32/GENESIS64 Integer Overflow Vulnerability One

Vulnerability

Multiple vulnerabilities have been identified in ICONICS GENESIS32 and GENESIS64, which could be exploited by remote attackers to cause a denial of service or take complete control of a vulnerable system. These issues are caused by memory corruptions and integer overflow errors in the “GenBroker” service when processing malformed requests sent to port 38080/TCP (opcodes 0xfa7, 0xfa4, 0xdb0, 0xdae, 0x89b, 0x89a, 0x7d0, 0x4b5, 0x4b2, 0x4b0, 0x455, 0x454, 0x453, 0x451, 0x450, 0x3f0, 0x26ac, 0x1c86, 0x1c84, 0x1c24, 0x1c20, 0x1bbd, 0x1bbc, 0x1394, 0x1393, 0x1392, 0x1391, 0x1390, and 0x138f), which could allow remote unauthenticated attackers to crash an affected service or execute arbitrary code with elevated privileges.

Multiple vulnerabilities have been reported that affect services on 38080/TCP:

• Multiple integer overflows (remotely exploitable)
• Double-free memory corruption (remotely exploitable)

GenBroker is a Windows service running on port 38080.

The addresses and code snippets reported here refer to GENESIS32 9.2.

The service is affected by an integer overflow vulnerability during the handling of the opcodes 0x3f0, 0x138f, 0x1390, 0x1391, 0x1392, 0x1393, 0x1394, 0x1c86, 0x89a, 0x89b, 0x450, 0x451, 0x454, 0x455, 0x1c20 and 0x1c24, all of which make use of the function at 0044d1c0.

The problem is caused by the allocation of the memory needed for the creation of an array while trusting the number of elements passed by the client: the element count is multiplied by the element size without checking that the product fits in 32 bits.

The resulting memory corruptions (such as calls through attacker-controlled registers, calls to arbitrary memory locations, writes of data to arbitrary locations, and so on) allow code execution.

Fields in the packet: the packet format depends on the opcode in question; the function at 0044d1c0 reads one 32-bit value before the 32-bit value that is used for the allocation.

Vulnerable code:
0044D2A2 |. E8 C99EFCFF CALL 00417170 ; get 32bit (first field from the client)
0044D2A7 |. 8D4424 1C LEA EAX,DWORD PTR SS:[ESP+1C]
0044D2AB |. 50 PUSH EAX
0044D2AC |. 8BCE MOV ECX,ESI
0044D2AE |. E8 BD9EFCFF CALL 00417170 ; get 32bit (second field from the client)
0044D2B3 |. 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+10] ; client-supplied element count
0044D2B7 |. 8D14CD 000000>LEA EDX,DWORD PTR DS:[ECX*8] ; * 8, no overflow check: wraps for counts >= 0x20000000
0044D2BE |. 52 PUSH EDX
0044D2BF |. E8 F49E0500 CALL ; malloc (receives the wrapped size)
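To make the arithmetic in the listing concrete, the following is an added C example written for this page; it is not ICONICS code and does not reproduce the real GenBroker packet formats. It models the `count * 8` computation from the disassembly on a 32-bit register, shows how the product wraps for large counts so that a small buffer is allocated for a large number of elements, and places a hardened parser beside it that rejects any count whose product does not fit in 32 bits or exceeds the bytes actually present in the request. The three-field request layout (`opcode`, `first_field`, `count`) is a constructed assumption used only to make the example runnable.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Element size taken from the disassembly: LEA EDX,[ECX*8]. */
#define ELEM_SIZE 8u

/* Header size of the constructed (hypothetical) request layout:
   [u32 opcode][u32 first_field][u32 count][count * 8 bytes of elements] */
#define HDR_SIZE 12u

typedef struct {
    uint32_t opcode;
    uint32_t first_field;
    uint32_t count;
    const uint8_t *elems;   /* points into the request buffer */
} request_t;

/* Reproduces the vulnerable allocation size: the client-supplied count is
   multiplied by 8 in a 32-bit register, so the product silently wraps
   modulo 2^32. For count = 0x20000001 this yields 8, i.e. one element,
   while the code will go on to treat the buffer as holding 0x20000001. */
uint32_t vuln_alloc_size(uint32_t count) {
    return count * ELEM_SIZE;
}

/* Number of bytes a consumer would try to write into that buffer if it
   trusts the count (computed in 64 bits so it does not wrap). */
uint64_t vuln_bytes_written(uint32_t count) {
    return (uint64_t)count * ELEM_SIZE;
}

/* Hardened size computation. Returns 1 and stores the exact byte count in
   *out, or returns 0 if the product would overflow 32 bits or if the
   request does not actually carry that many element bytes. */
int safe_alloc_size(uint32_t count, size_t payload_len, size_t *out) {
    if (count > UINT32_MAX / ELEM_SIZE)
        return 0;                       /* count * 8 would wrap */
    uint32_t bytes = count * ELEM_SIZE;
    if (bytes > payload_len)
        return 0;                       /* more elements declared than sent */
    *out = bytes;
    return 1;
}

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void     wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* Writes the 12-byte header of the constructed request layout. */
void write_header(uint8_t *buf, uint32_t opcode, uint32_t first, uint32_t count) {
    wr32(buf, opcode);
    wr32(buf + 4, first);
    wr32(buf + 8, count);
}

/* Hardened parser: accepts the request only if the declared count is
   consistent with the bytes received. Returns 1 on success, 0 on reject. */
int parse_request(const uint8_t *buf, size_t len, request_t *req) {
    if (len < HDR_SIZE)
        return 0;
    req->opcode      = rd32(buf);
    req->first_field = rd32(buf + 4);
    req->count       = rd32(buf + 8);
    size_t need;
    if (!safe_alloc_size(req->count, len - HDR_SIZE, &need))
        return 0;
    req->elems = buf + HDR_SIZE;
    return 1;
}

int main(void) {
    uint32_t bad = 0x20000001u;   /* constructed count that wraps */
    printf("count=0x%08x alloc=%u would write=%llu bytes\n", bad,
           vuln_alloc_size(bad), (unsigned long long)vuln_bytes_written(bad));

    uint8_t buf[HDR_SIZE + 2 * ELEM_SIZE] = {0};   /* constructed request */
    request_t req;
    write_header(buf, 0x3f0u, 0u, 2u);
    printf("count=2 accepted=%d\n", parse_request(buf, sizeof buf, &req));
    write_header(buf, 0x3f0u, 0u, bad);
    printf("count=0x%08x accepted=%d\n", bad, parse_request(buf, sizeof buf, &req));
    return 0;
}
```

The two checks in `safe_alloc_size` are independent: the division test stops the multiplication from wrapping, and the comparison against the remaining payload stops a count that is arithmetically fine but still larger than the data the client actually sent, which is the condition that turns a trusted count into an out-of-bounds read or write.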

Affected Systems

  • All versions of GENESIS32 9.21 and older
  • All versions of GENESIS64 10.51 and older

Impact

An attacker can exploit integer overflows to cause undefined behavior, crashes, or to execute arbitrary code and take control of a vulnerable system. Integer overflows can also result in a buffer overflow condition in which data corruption will most likely take place.

Detection

Digital Bond has not released a Quickdraw IDS Signature for this vulnerability at this time.

Remediation

There is currently no fix available.

External Links

ICS-ALERT-11-080-02 MULTIPLE VULNERABILITIES IN ICONICS GENESIS (32 & 64)