
# Title : Siemens Tecnomatix FactoryLink 8.0.1.1473 Multiple Vulnerabilities
# Published : 2011-03-22
# Author : Luigi Auriemma
# Previous Title : ACTi ASOC 2200 Web Configurator <= v2.6 Remote Root Command Execution
# Next Title : RealNetworks RealPlayer CDDA URI Initialization Vulnerability


				 				
Sources:
http://aluigi.org/adv/factorylink_1-adv.txt
http://aluigi.org/adv/factorylink_2-adv.txt
http://aluigi.org/adv/factorylink_3-adv.txt
http://aluigi.org/adv/factorylink_4-adv.txt
http://aluigi.org/adv/factorylink_5-adv.txt
http://aluigi.org/adv/factorylink_6-adv.txt

Advisory Archive: http://www.exploit-db.com/sploits/siemens_factory_link_adv.tar.gz
PoC Archive:      http://www.exploit-db.com/sploits/siemens_factory_link_poc.tar.gz

#######################################################################

                             Luigi Auriemma

Application:  Siemens Tecnomatix FactoryLink
              http://www.usdata.com/sea/FactoryLink/en/p_nav1.html
              http://www.plm.automation.siemens.com/en_us/products/tecnomatix/production_management/factorylink/index.shtml
Versions:     <= 8.0.1.1473
Date:         21 Mar 2011 (found 02 Jan 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

===============
Introduction
===============

From vendor's website:
"Siemens FactoryLink monitors, supervises, and controls industrial
processes by enabling customers to perfect their processes and
products. Built on an advanced open architecture, FactoryLink delivers
the highest performance and flexibility to customers building vertical
applications in a wide range of industries.
Highly scaleable, FactoryLink can be used to build virtually any size
application, from the simplest Human-Machine Interface (HMI) systems to
the most complex and demanding Supervisory Control and Data Acquisition
(SCADA) systems."

#######################################################################

Remote Stack Overflow:

======
Bug
======

CSService is a Windows service listening on port 7580.

The logging function is vulnerable to a buffer overflow caused by the
usage of vsprintf with a stack buffer of 1024 bytes.

The vulnerability can be exploited from remote in various ways, like the
passing of a big path or filter string in the file-related operations
(opcodes 6, 8 and 10).

===========
The Code
===========

http://aluigi.org/poc/factorylink_x.zip
http://www.exploit-db.com/sploits/factorylink_x.zip

  factorylink_x 3 SERVER

#######################################################################

Arbitrary Files Reading and Listing:

======
Bug
======

CSService is a Windows service listening on port 7580.

All the file operations used by the service (opcodes 6, 8 and 10) allow
an arbitrary file or directory to be specified (absolute paths), so it is
possible for an attacker to download any remote file on the server.
Obviously it is also possible to specify directory traversal paths.

===========
The Code
===========

http://aluigi.org/poc/factorylink_x.zip
http://www.exploit-db.com/sploits/factorylink_x.zip

for downloading c:/boot.ini

  factorylink_x 4 SERVER

for viewing the list of files in c:/

  factorylink_x 5 SERVER

#######################################################################

Remote Memory Corruption:

======
Bug
======

vrn.exe is a server listening on port 7579 when a project is started.

There is a particular function used to parse the text fields located in
the strings of the opcode 10.
It copies the string delimited by a ';' or a space in the stack buffer
provided by the callee function, causing a stack overflow that allows a
certain control on the code flow (for example the changing of the lower
8 bits of the return address or another exception).

===========
The Code
===========

http://aluigi.org/poc/factorylink_3.zip
http://www.exploit-db.com/sploits/factorylink_3.zip

  nc SERVER 7579 < factorylink_3.dat

#######################################################################

Remote Stack Overflow:

======
Bug
======

vrn.exe is a server listening on port 7579 when a project is started.

There is a particular function used to parse the text fields located in
the strings of the opcode 9.
It copies the string delimited by a ';' or a space in the stack buffer
provided by the callee function, causing a classical stack overflow.

===========
The Code
===========

http://aluigi.org/poc/factorylink_4.zip
http://www.exploit-db.com/sploits/factorylink_4.zip

  nc SERVER 7579 < factorylink_4.dat

#######################################################################

Arbitrary File Download:

======
Bug
======

vrn.exe is a server listening on port 7579 when a project is started.

The opcode 8 can be used to download any arbitrary file on the system
by specifying the full path (UNC too) or directory traversal.

===========
The Code
===========

http://aluigi.org/poc/factorylink_5.zip
http://www.exploit-db.com/sploits/factorylink_5.zip

download c:/boot.ini

  nc SERVER 7579 < factorylink_5.dat

#######################################################################

Denial of Service:

======
Bug
======

CSService, connsrv and datasrv are various Windows services.

All these services are vulnerable to some Denial of Service
vulnerabilities that allow them to be crashed due to NULL pointer
dereferences, stack exhaustions and raised exceptions.

===========
The Code
===========

http://aluigi.org/poc/factorylink_x.zip
http://www.exploit-db.com/sploits/factorylink_x.zip

  factorylink_x 1 SERVER
  factorylink_x 2 SERVER
  factorylink_x 6 SERVER
  factorylink_x 7 SERVER

#######################################################################

======
Fix
======

No fix.

#######################################################################
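The advisory names two defect classes in the CSService and vrn.exe request handlers: logging through vsprintf into a fixed 1024-byte stack buffer, and file opcodes that accept absolute, UNC and ".." paths. The following C is an added example written for this page, not the advisory's PoC and not FactoryLink's own code; it shows the hardened counterpart of each pattern, so a reviewer of similar service code knows what to look for. The function names, the base directory `C:\FactoryLink\data` and the sample inputs are assumptions made for the example; only the 1024-byte buffer size and the opcode numbers come from the advisory.

```c
/* Added example, not code from the advisory or from FactoryLink.
 * Hardened counterparts for the two defect classes the advisory describes.
 * Names, the base directory and the sample inputs below are assumptions. */
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF_SIZE 1024   /* the stack buffer size the advisory mentions */

/* Advisory bug: vsprintf(buf, fmt, ap) into a fixed stack buffer, so a long
 * path or filter string in opcodes 6/8/10 runs past the end of the buffer.
 * Hardened form: vsnprintf bounds the write and we return a truncation flag,
 * so an oversized field becomes a detectable, loggable event rather than a
 * memory-safety violation. Returns 1 if the message was truncated. */
int format_log_line(char *buf, size_t buflen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int needed = vsnprintf(buf, buflen, fmt, ap);
    va_end(ap);
    if (needed < 0) { buf[0] = '\0'; return 1; }
    return (size_t)needed >= buflen;
}

/* Advisory bug: file opcodes take the client's path as-is, so C:\boot.ini,
 * \\host\share\x and ..\..\x all work. Hardened form: accept only a relative
 * path, reject any ".." component, then join it to a fixed base directory.
 * Both '/' and '\\' count as separators, as a Windows service would see them.
 * Returns 1 and fills out[] on success, 0 when the request is rejected. */
int resolve_project_path(const char *base, const char *req,
                         char *out, size_t outlen)
{
    size_t n = strlen(req);
    if (n == 0) return 0;
    /* rooted paths: \x, /x, \\host\share (starts with '\\'), and drive letters C: */
    if (req[0] == '/' || req[0] == '\\') return 0;
    if (n >= 2 && isalpha((unsigned char)req[0]) && req[1] == ':') return 0;
    /* component-wise scan: a component that is exactly ".." is traversal */
    const char *p = req;
    while (*p) {
        const char *q = p;
        while (*q && *q != '/' && *q != '\\') q++;
        if (q - p == 2 && p[0] == '.' && p[1] == '.') return 0;
        p = *q ? q + 1 : q;
    }
    int written = snprintf(out, outlen, "%s\\%s", base, req);
    return written > 0 && (size_t)written < outlen;
}

/* Helpers that exercise the two functions with constructed inputs. */

/* Builds a field of input_len 'A's and logs it into a LOG_BUF_SIZE buffer;
 * returns the truncation flag. With vsprintf this would be the overflow. */
int log_truncates(size_t input_len)
{
    char field[4096];
    if (input_len >= sizeof field) input_len = sizeof field - 1;
    memset(field, 'A', input_len);
    field[input_len] = '\0';
    char line[LOG_BUF_SIZE];
    return format_log_line(line, sizeof line, "opcode 6 path=%s", field);
}

/* Returns 1 if the requested path is rejected under the assumed base dir. */
int path_is_rejected(const char *req)
{
    char out[512];
    return !resolve_project_path("C:\\FactoryLink\\data", req, out, sizeof out);
}

/* Returns the resolved path for an accepted request, or "" if rejected. */
const char *resolved_path(const char *req)
{
    static char out[512];
    if (!resolve_project_path("C:\\FactoryLink\\data", req, out, sizeof out))
        out[0] = '\0';
    return out;
}

int main(void)
{
    printf("2000-byte field truncated: %d\n", log_truncates(2000));
    printf("..\\..\\boot.ini rejected:   %d\n", path_is_rejected("..\\..\\boot.ini"));
    printf("reports\\today.log -> %s\n", resolved_path("reports\\today.log"));
    return 0;
}
```

The two checks are deliberately independent: bounded formatting protects the logger no matter which opcode fed it, and the path check is applied before any filesystem call, so the absolute-path and traversal cases described for opcodes 6, 8 and 10 are refused at the request boundary rather than relying on the file API to fail.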