Synopsis
Tenable found an integer overflow vulnerability in Schneider Electric IGSS Data Server (IGSSdataServer.exe) v15.0.0.22052.
An integer overflow condition exists when IGSSdataServer.exe appends an incoming ALMNOTE request to a heap-based buffer that already contains a request. The issue results from the lack of proper validation of user-supplied data before performing memory allocation: the length field of the incoming message is added to the length already accumulated in a 32-bit register, the wrapped sum is passed to realloc, and the full attacker-supplied length is then passed to memcpy. An unauthenticated remote attacker can exploit this, via multiple specially crafted messages, to cause a heap-based buffer overflow, leading to denial of service and potentially remote code execution.
The following code snippet shows the vulnerability:
<..snip...>
.text:0049D5C9 write_note: ; CODE XREF: FetchControl_ALMNOTE__appendRequest+22↑j
.text:0049D5C9 mov eax, [ebp+almnote_ctx]
.text:0049D5CC mov ecx, [eax+ALMNOTE_CTX.cbData]
.text:0049D5CF mov edx, [ebp+pbMsgBody]
.text:0049D5D2 add ecx, [edx+ALMNOTE_MSG.cbData] ; attacker-controlled size
.text:0049D5D2 ; int32 overflow -> small heap buf allocated
.text:0049D5D5 push ecx
.text:0049D5D6 mov eax, [ebp+almnote_ctx]
.text:0049D5D9 mov ecx, [eax+ALMNOTE_CTX.pbInData]
.text:0049D5DC push ecx
.text:0049D5DD call ds:realloc
.text:0049D5E3 add esp, 8
.text:0049D5E6 mov edx, [ebp+almnote_ctx]
.text:0049D5E9 mov [edx+ALMNOTE_CTX.pbInData], eax
.text:0049D5EC mov eax, [ebp+almnote_ctx]
.text:0049D5EF cmp [eax+ALMNOTE_CTX.pbInData], 0
.text:0049D5F3 jz short loc_49D630
.text:0049D5F5 mov ecx, [ebp+pbMsgBody]
.text:0049D5F8 mov edx, [ecx+ALMNOTE_MSG.cbData]
.text:0049D5FB push edx ; attacker-controlled large size
.text:0049D5FC mov eax, [ebp+pbMsgBody]
.text:0049D5FF add eax, ALMNOTE_MSG.data
.text:0049D602 push eax
.text:0049D603 mov ecx, [ebp+almnote_ctx]
.text:0049D606 mov edx, [ecx+ALMNOTE_CTX.pbInData] ; small heap buffer allocated
.text:0049D609 mov eax, [ebp+almnote_ctx]
.text:0049D60C add edx, [eax+ALMNOTE_CTX.cbData]
.text:0049D60F push edx
.text:0049D610 ; copy large amount of data to a small
.text:0049D610 ; heap buffer -> buffer overflow
.text:0049D610 call memcpy
<...snip...>
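The following C snippet is an added illustration and is not code from Tenable or from Schneider Electric's IGSS. It reconstructs the size arithmetic the listing above performs (ALMNOTE_CTX.cbData + ALMNOTE_MSG.cbData in a 32-bit register, then realloc and memcpy) next to a hardened append that validates the length before touching the heap. The structure layouts, the type names almnote_ctx_t and almnote_msg_t, the cap ALMNOTE_MAX_BYTES and the sample data are assumptions; only the field names cbData, pbInData and data are taken from the disassembly.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical reconstruction (not the vendor's code) of the two
 * structures the listing references. Field names follow the disassembly
 * labels; layouts and types are assumptions. */
typedef struct {
    uint32_t cbData;     /* bytes of request data accumulated so far */
    uint8_t *pbInData;   /* heap buffer holding the accumulated data */
} almnote_ctx_t;

typedef struct {
    uint32_t cbData;     /* length field taken from the incoming message */
    const uint8_t *data; /* message payload following the header */
} almnote_msg_t;

/* Assumed cap on one accumulated ALMNOTE request; the advisory does not
 * state what bound IGSS should enforce. */
#define ALMNOTE_MAX_BYTES (1u << 20)

/* Size arithmetic as the listing performs it: a plain 32-bit add with
 * no carry check. A large incoming length wraps the result to a small
 * value, which is what gets handed to realloc. */
uint32_t unchecked_new_size(uint32_t have, uint32_t incoming)
{
    return have + incoming;           /* wraps modulo 2^32 */
}

/* Hardened append: validate before allocating or copying.
 * Returns 0 on success, -1 if the message is rejected. */
int checked_append(almnote_ctx_t *ctx, const almnote_msg_t *msg)
{
    if (msg->cbData == 0)
        return 0;                     /* nothing to append */

    /* 1. Refuse any length whose sum with the current size would wrap. */
    if (msg->cbData > UINT32_MAX - ctx->cbData)
        return -1;
    uint32_t total = ctx->cbData + msg->cbData;

    /* 2. Enforce an explicit protocol-level bound as well, so a sum that
     *    does not wrap but is still unreasonable is rejected too. */
    if (total > ALMNOTE_MAX_BYTES)
        return -1;

    /* 3. Grow the buffer only after the checks; keep the old pointer if
     *    realloc fails so the context never points at freed memory. */
    uint8_t *grown = realloc(ctx->pbInData, total);
    if (grown == NULL)
        return -1;
    ctx->pbInData = grown;

    /* 4. Copy exactly msg->cbData bytes at the old end of the buffer,
     *    which now provably fits because total was computed safely. */
    memcpy(ctx->pbInData + ctx->cbData, msg->data, msg->cbData);
    ctx->cbData = total;
    return 0;
}

void ctx_free(almnote_ctx_t *ctx)
{
    free(ctx->pbInData);
    ctx->pbInData = NULL;
    ctx->cbData = 0;
}

/* Constructed scenario: a 16-byte legitimate fragment followed by a
 * message whose length field makes 16 + len wrap to 8. Returns 1 when
 * the hardened path accepts the first and rejects the second. */
int demo_scenario(void)
{
    almnote_ctx_t ctx = { 0, NULL };
    const uint8_t frag[16] = "0123456789abcde";        /* 15 chars + NUL */
    almnote_msg_t first = { sizeof frag, frag };
    almnote_msg_t bogus = { 0xFFFFFFF8u, frag };       /* constructed length */

    int ok = checked_append(&ctx, &first) == 0 && ctx.cbData == 16
          && memcmp(ctx.pbInData, frag, 16) == 0
          && checked_append(&ctx, &bogus) == -1 && ctx.cbData == 16;
    ctx_free(&ctx);
    return ok;
}

int main(void)
{
    printf("unchecked: 16 + 0xFFFFFFF8 -> %u bytes for realloc\n",
           unchecked_new_size(16u, 0xFFFFFFF8u));
    printf("hardened path behaves as expected: %d\n", demo_scenario());
    return 0;
}
```

The check in step 1 is written as a comparison against UINT32_MAX minus the current size rather than testing the sum afterwards, because unsigned wrap is well defined but silently produces exactly the small value the listing hands to realloc; step 2 then gives the server an explicit ceiling so a fuzzer cannot drive the accumulated buffer to gigabyte sizes without wrapping at all.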
POC:
python3 igss_dataserver_opcode_14_int32_overflow.py -t <target> -p 12401
python3 igss_dataserver_opcode_14_int32_overflow.py -t <target> -p 12401
python3 igss_dataserver_opcode_14_int32_overflow.py -t <target> -p 12401
Traceback (most recent call last):
File "/work/0day/igss_dataserver_opcode_14_int32_overflow.py", line 45, in <module>
s.connect((target, port))
ConnectionRefusedError: [Errno 111] Connection refused
Solution
Update to IGSS Data Server 15.0.0.22074 or higher
Proof of Concept
Additional References
https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-102-01_IGSS_Security_Notification_V2.0.pdf
Disclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]