WellinTech KingView 6.53 < 2011-11-20 HistoryServer.exe nettransdll.dll Module Op-code 3 Packet Parsing Remote Overflow

This script is Copyright (C) 2012-2014 Tenable Network Security, Inc.


Synopsis :

The remote Windows host contains an application that is affected by a
remote buffer overflow vulnerability.

Description :

According to its version, the instance of WellinTech KingView
installed on the remote Windows host is affected by a remote buffer
overflow vulnerability. A flaw in 'nettransdll.dll' may allow
unauthenticated, remote attackers to execute arbitrary code in the
context of the application. 'HistorySrv.exe' listens on port 777.
When a specially crafted request for service opcode 0x03 is received,
a heap buffer is allocated using a size field taken from the request.
Data from the packet is then copied into that buffer using a second,
independent size field. Because both fields are attacker-controlled
and are never checked against each other, a request whose buffer
size field is smaller than its data size field causes the copy to
run past the end of the allocation, producing a heap overflow.
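The allocate-with-one-length, copy-with-another pattern described above, as an added example that is not Tenable's plugin code and not WellinTech's code. The wire layout (one opcode byte, a 32-bit little-endian allocation length, a 32-bit little-endian data length, then payload), the 64 KiB allocation ceiling and all function names are assumptions made for illustration; the real nettransdll.dll packet format is not documented on this page. The block shows the vulnerable parser beside a hardened one, plus the field comparison a passive check on port 777 traffic would use to flag a malicious request.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical layout for an op-code 3 request, chosen only to show the
 * two-length-field defect; it is NOT the real nettransdll.dll format.
 *   [0]     opcode (0x03)
 *   [1..4]  alloc_len - the server sizes its heap allocation with this
 *   [5..8]  data_len  - the server sizes its memcpy with this
 *   [9..]   payload
 */
#define OP_HDR_LEN      9
#define OP_CODE_HISTORY 0x03
#define OP_MAX_ALLOC    (64u * 1024u)   /* assumed sane upper bound */

enum { PARSE_OK = 0, PARSE_ERR_SHORT = -1, PARSE_ERR_OPCODE = -2,
       PARSE_ERR_LENGTH = -3, PARSE_ERR_ALLOC = -4 };

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32le(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Builds a request into out; returns bytes written, 0 if cap is too small. */
size_t build_op3_request(uint8_t *out, size_t cap, uint32_t alloc_len,
                         uint32_t data_len, const uint8_t *payload,
                         size_t payload_len) {
    if (cap < OP_HDR_LEN + payload_len) return 0;
    out[0] = OP_CODE_HISTORY;
    wr32le(out + 1, alloc_len);
    wr32le(out + 5, data_len);
    memcpy(out + OP_HDR_LEN, payload, payload_len);
    return OP_HDR_LEN + payload_len;
}

/* VULNERABLE pattern: allocation sized by one field, copy sized by another.
 * Never feed this untrusted input; it is here only to show the defect. */
int parse_op3_vulnerable(const uint8_t *pkt, size_t pktlen, uint8_t **out) {
    if (pktlen < OP_HDR_LEN) return PARSE_ERR_SHORT;
    if (pkt[0] != OP_CODE_HISTORY) return PARSE_ERR_OPCODE;
    uint32_t alloc_len = rd32le(pkt + 1);
    uint32_t data_len  = rd32le(pkt + 5);
    uint8_t *buf = malloc(alloc_len);            /* sized by alloc_len ... */
    if (!buf) return PARSE_ERR_ALLOC;
    memcpy(buf, pkt + OP_HDR_LEN, data_len);     /* ... filled by data_len: heap overflow when data_len > alloc_len */
    *out = buf;
    return PARSE_OK;
}

/* Hardened parser: the copy length is bounded by the allocation and by the
 * number of bytes actually received, and the allocation itself is capped. */
int parse_op3_fixed(const uint8_t *pkt, size_t pktlen, uint8_t **out,
                    uint32_t *out_len) {
    if (pktlen < OP_HDR_LEN) return PARSE_ERR_SHORT;
    if (pkt[0] != OP_CODE_HISTORY) return PARSE_ERR_OPCODE;
    uint32_t alloc_len = rd32le(pkt + 1);
    uint32_t data_len  = rd32le(pkt + 5);
    if (alloc_len == 0 || alloc_len > OP_MAX_ALLOC) return PARSE_ERR_LENGTH;
    if (data_len > alloc_len) return PARSE_ERR_LENGTH;            /* the advisory's trigger condition */
    if (data_len > pktlen - OP_HDR_LEN) return PARSE_ERR_LENGTH;  /* never read past the received bytes */
    uint8_t *buf = calloc(1, alloc_len);
    if (!buf) return PARSE_ERR_ALLOC;
    memcpy(buf, pkt + OP_HDR_LEN, data_len);
    *out = buf;
    *out_len = data_len;
    return PARSE_OK;
}

/* Detection check: returns 1 when an op-code 3 request carries the
 * overflow-triggering relationship (data size field > buffer size field). */
int op3_size_fields_mismatch(const uint8_t *pkt, size_t pktlen) {
    if (pktlen < OP_HDR_LEN || pkt[0] != OP_CODE_HISTORY) return 0;
    return rd32le(pkt + 5) > rd32le(pkt + 1);
}

int main(void) {
    uint8_t payload[64];                 /* constructed sample payload */
    memset(payload, 'A', sizeof payload);
    uint8_t pkt[128]; uint8_t *buf = NULL; uint32_t n = 0;

    /* crafted: 16-byte allocation, 64-byte copy */
    size_t len = build_op3_request(pkt, sizeof pkt, 16, 64, payload, sizeof payload);
    printf("crafted: mismatch=%d fixed=%d\n",
           op3_size_fields_mismatch(pkt, len), parse_op3_fixed(pkt, len, &buf, &n));

    /* benign: both fields agree with the bytes on the wire */
    len = build_op3_request(pkt, sizeof pkt, 64, 64, payload, sizeof payload);
    int rc = parse_op3_fixed(pkt, len, &buf, &n);
    printf("benign: mismatch=%d fixed=%d copied=%u\n",
           op3_size_fields_mismatch(pkt, len), rc, n);
    free(buf);
    return 0;
}
```

The hardened parser rejects three distinct malformed cases: a data length larger than the allocation (the bug on this page), a data length larger than what was actually received (an over-read rather than an overflow), and an absurd allocation size (a memory-exhaustion vector). A detection rule should only need the first comparison, since the other two are defensive checks on the server side.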

See also :

http://www.zerodayinitiative.com/advisories/ZDI-11-351/
http://en.wellintech.com/products/detail.aspx?contentid=15
http://en.wellintech.com/news/detail.aspx?contentid=166

Solution :

Install the patch referenced in the vendor's advisory.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.4
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: SCADA

Nessus Plugin ID: 59376

Bugtraq ID: 51159

CVE ID: CVE-2011-4536