Automated Solutions Modbus Slave MiniHMI.exe ActiveX Modbus/TCP Diagnostic Function Arbitrary Code Execution

This script is Copyright (C) 2007-2014 Tenable Network Security, Inc.


Synopsis :

The remote Windows host has an ActiveX control that is affected by a
buffer overflow vulnerability.

Description :

The remote host contains the Automated Solutions Modbus TCP Slave
ActiveX control, which allows a PC to emulate a Modbus Serial and / or
TCP slave device.

The version of this control installed on the remote host reportedly
contains a buffer overflow issue with the Modbus/TCP Diagnostic
function (FC8). Using specially-crafted Modbus requests. An
unauthenticated remote attacker may be able to leverage this issue to
execute arbitrary code remotely subject to the privileges of the user
running the MiniHMI.exe program.

See also :

http://dvlabs.tippingpoint.com/advisory/TPTI-07-15
http://archives.neohapsis.com/archives/fulldisclosure/2007-09/0330.html
http://www.automatedsolutions.com/pub/asmbslv/ReadMe.htm

Solution :

Upgrade to version Automated Solutions Modbus Slave ActiveX Control
version 1.5 or later.

Risk factor :

High / CVSS Base Score : 7.6
(CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 5.6
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: SCADA

Nessus Plugin ID: 26066 ()

Bugtraq ID: 25713

CVE ID: CVE-2007-4827