Synopsis
Tenable found multiple vulnerabilities in Schneider Electric IGSS data server (IGSSdataServer.exe) v15.0.0.21286.
1) Integer Overflow
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
An integer overflow condition exists when IGSSdataServer.exe appends an incoming request to a heap-based buffer that already contains a request. The issue results from the lack of proper validation of user-supplied data before performing memory allocation: the current buffer size and the incoming message's data length are added as 32-bit integers, and the wrapped sum is passed to realloc. An unauthenticated remote attacker can exploit this, via multiple specially crafted messages, to cause a heap-based buffer overflow, leading to denial of service and potentially remote code execution.
The following code snippet shows the vulnerability:
<..snip...>
.text:0049FA86 mov ecx, [eax+FILES.curDataSize] ; attacker-controlled
.text:0049FA89 mov edx, [ebp+pbMsgBody]
.text:0049FA8C add ecx, [edx+FILES_MSG_BODY.cbData] ; attacker-controlled
.text:0049FA8C                                          ; int32 overflow -> small heap buf allocated
.text:0049FA92 push ecx
.text:0049FA93 mov eax, [ebp+obj]
.text:0049FA96 mov ecx, [eax+FILES.pbData]
.text:0049FA99 push ecx
.text:0049FA9A call ds:realloc
.text:0049FAA0 add esp, 8
.text:0049FAA3 mov edx, [ebp+obj]
.text:0049FAA6 mov [edx+FILES.pbData], eax
.text:0049FAA9 mov eax, [ebp+obj]
.text:0049FAAC cmp [eax+FILES.pbData], 0
.text:0049FAB0 jz short loc_49FAF5
.text:0049FAB2 mov ecx, [ebp+pbMsgBody]
.text:0049FAB5 mov edx, [ecx+FILES_MSG_BODY.cbData]
.text:0049FABB push edx
.text:0049FABC mov eax, [ebp+pbMsgBody]
.text:0049FABF add eax, FILES_MSG_BODY.data
.text:0049FAC4 push eax
.text:0049FAC5 mov ecx, [ebp+obj]
.text:0049FAC8 mov edx, [ecx+FILES.pbData]
.text:0049FACB mov eax, [ebp+obj]
.text:0049FACE add edx, [eax+FILES.curDataSize]
.text:0049FAD1 push edx
.text:0049FAD2                                          ; copy large amount of data to the small
.text:0049FAD2                                          ; heap buffer -> buffer overflow
.text:0049FAD2 call memcpy
<...snip...>
POC:
python3 igss_dataserver_int32_overflow.py -t <target> -p 12401
2) Heap-based Buffer Over-read Memory Leak DoS
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
There are multiple paths where an unauthenticated remote attacker can force IGSSdataServer.exe to allocate a large amount of memory to store attacker-controlled data. The attacker can supply a small amount of data to cause a buffer over-read condition that would generate a memory read access violation, which is handled by an exception handler implemented in IGSSdataServer.exe. However, the exception handler does not release the memory allocated by the attacker.
The attacker can repeatedly send a specially crafted message to IGSSdataServer.exe to exhaust its memory, potentially resulting in denial of service.
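The following C snippet is an added illustration, not Tenable's PoC and not code from IGSS, of the two input checks that address the issues above: an overflow-safe computation of the combined request size before realloc (issue 1), and a check that the declared data length does not exceed the bytes actually received, so that a small message cannot drive a large allocation or an over-read (issue 2). The FILES-like struct, the MAX_REQUEST_BYTES cap and the avail parameter are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical reconstruction of the FILES object the disassembly refers to
 * (pbData / curDataSize); field names follow the advisory, layout is assumed. */
typedef struct {
    uint8_t  *pbData;
    uint32_t  curDataSize;
} files_t;

/* Assumed policy limit on a buffered request; the real value is a design choice. */
#define MAX_REQUEST_BYTES (16u * 1024u * 1024u)

/* Unchecked 32-bit addition, as performed by the 'add ecx, [...]' in the
 * disassembly: the sum silently wraps modulo 2^32. */
uint32_t unchecked_total(uint32_t cur, uint32_t cb) {
    return cur + cb;
}

/* Overflow-safe size computation.
 * Returns 0 and stores the sum in *out, or -1 if cur + cb would wrap
 * or exceed the policy cap. */
int checked_total(uint32_t cur, uint32_t cb, uint32_t *out) {
    if (cb > UINT32_MAX - cur)
        return -1;                      /* would wrap */
    uint32_t total = cur + cb;
    if (total > MAX_REQUEST_BYTES)
        return -1;                      /* exceeds policy cap */
    *out = total;
    return 0;
}

/* Hardened append.
 *   data  - start of the message's data field
 *   cb    - length the message header claims for that field (attacker-controlled)
 *   avail - bytes actually received after the header (trusted, measured locally)
 * Validates both the declared length and the combined size before any
 * allocation or copy; on failure the object is left unchanged and nothing
 * is allocated, so a rejected message cannot leak memory. */
int append_request_safe(files_t *obj, const uint8_t *data, uint32_t cb, uint32_t avail) {
    uint32_t total;
    if (cb > avail)                      /* declared length exceeds received bytes */
        return -1;
    if (checked_total(obj->curDataSize, cb, &total) != 0)
        return -1;
    uint8_t *p = realloc(obj->pbData, total);
    if (p == NULL)
        return -1;
    obj->pbData = p;
    memcpy(obj->pbData + obj->curDataSize, data, cb);
    obj->curDataSize = total;
    return 0;
}
```

The order of the checks matters: the length comparison and the overflow check both run before realloc, so a rejected message never reaches an allocation that an exception handler would then have to release.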
POC:
- Run:
python3 igss_dataserver_memleak.py -t <target> -p 12401
- Watch: Data Server memory usage in IGSS Master -> Runtime and Diagnostics -> Detailed Status
- Look for server log entry: FetchControl_FILES::appendRequest. Out of memory
Solution
Update to IGSS Data Server version 15.0.0.22021 or higher
Proof of Concept
https://github.com/tenable/poc/blob/master/SchneiderElectric/IGSS/igss_dataserver_memleak.py
Disclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]