WellinTech KingView 6.53 < 2011-11-20 HistoryServer.exe nettransdll.dll Module Op-code 3 Packet Parsing Remote Overflow

This script is Copyright (C) 2012-2014 Tenable Network Security, Inc.


Synopsis :

The remote Windows host contains an application that is affected by a
remote buffer overflow vulnerability.

Description :

According to its version number, the instance of WellinTech KingView
installed on the remote Windows host is affected by a remote buffer
overflow vulnerability. A flaw in 'nettransdll.dll' may permit
unauthenticated, remote attackers to execute arbitrary code in the
context of the application. 'HistorySrv.exe' listens on port 777. When
it receives a specially crafted request for service opcode 0x03, it
allocates a buffer based on a size field in the request, then copies
data from the packet into that buffer based on a second, separate size
field. If the buffer size field is smaller than the data size field,
the copy overruns the allocation, resulting in a heap overflow.
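The two-length-field pattern described above, as an added example that is not Tenable's or WellinTech's code: a hardened parser for an opcode-3 request that allocates from one field and copies from another, but rejects the request when the two disagree. The header layout (opcode byte, then two little-endian 32-bit lengths), the MAX_ALLOC_LEN ceiling and the function names are assumptions; the real protocol's layout is not given in the advisory.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Opcode named in the advisory; the header layout below is an assumption. */
#define OPCODE_HISTORY_QUERY 0x03
/* Assumed ceiling on a plausible request so a huge alloc_len is rejected early. */
#define MAX_ALLOC_LEN 0x10000u
/* Assumed header: opcode (1 byte), alloc_len (u32 LE), data_len (u32 LE), then payload. */
#define HDR_LEN 9u

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse an opcode-3 request into a freshly allocated buffer.
 * Returns 0 on success (caller frees *out), or a negative code naming the
 * failed check. The vulnerable code allocated alloc_len bytes and then
 * copied data_len bytes without ever comparing the two fields. */
int parse_opcode3(const uint8_t *pkt, size_t pkt_len,
                  uint8_t **out, uint32_t *out_len)
{
    if (pkt == NULL || pkt_len < HDR_LEN)            return -1; /* truncated header */
    if (pkt[0] != OPCODE_HISTORY_QUERY)              return -2; /* not the opcode handled here */

    uint32_t alloc_len = rd32le(pkt + 1);
    uint32_t data_len  = rd32le(pkt + 5);

    if (alloc_len == 0 || alloc_len > MAX_ALLOC_LEN) return -3; /* absurd allocation size */
    /* The missing check: the payload must fit the buffer it is copied into. */
    if (data_len > alloc_len)                        return -4;
    /* And the payload must actually be present in the bytes received. */
    if (data_len > pkt_len - HDR_LEN)                return -5;

    uint8_t *buf = malloc(alloc_len);
    if (buf == NULL)                                 return -6;
    memcpy(buf, pkt + HDR_LEN, data_len);            /* bounded by both checks above */
    *out = buf;
    *out_len = data_len;
    return 0;
}

/* Convenience wrapper: parse, discard the buffer, report only the result code. */
int check_opcode3(const uint8_t *pkt, size_t pkt_len)
{
    uint8_t *buf = NULL;
    uint32_t n = 0;
    int rc = parse_opcode3(pkt, pkt_len, &buf, &n);
    free(buf);
    return rc;
}
```

The same comparison is what a network IDS rule or a protocol-aware proxy in front of port 777 would implement: flag any opcode-3 request whose data length exceeds its buffer length.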

See also :

http://www.zerodayinitiative.com/advisories/ZDI-11-351/
http://en.wellintech.com/products/detail.aspx?contentid=15
http://en.wellintech.com/news/detail.aspx?contentid=166

Solution :

Install the patch referenced in the vendor's advisory.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.4
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: SCADA

Nessus Plugin ID: 59376

Bugtraq ID: 51159

CVE ID: CVE-2011-4536