RealWin < 2.1.10 Multiple Packet Type Processing Overflows

critical Nessus Plugin ID 50687

Synopsis

The remote Windows host contains an application that is prone to multiple buffer overflow attacks.

Description

The installed version of RealWin is earlier than 2.1.10 (2.1 Build 6.1.10.10) and thus reportedly affected by two stack-based overflow vulnerabilities involving the use of 'sprintf()' in the 'SCPC_INITIALIZE()' and 'SCPC_INITIALIZE_RF()' functions on one hand and 'strcpy()' in the 'SCPC_TXTEVENT()' function on the other.

Using a specially crafted sequence of packets to the HMI service, which listens on TCP port 912, an unauthenticated remote attacker who can connect to the server can leverage this issue to crash the affected service or to execute code on the affected host with SYSTEM-level privileges.

Solution

Upgrade to RealWin version 2.1.10 (2.1 Build 6.1.10.10).

See Also

http://aluigi.altervista.org/adv/realwin_1-adv.txt

Plugin Details

Severity: Critical

ID: 50687

File Name: realwin_2_1_10.nbin

Version: 1.51

Type: local

Family: SCADA

Published: 11/23/2010

Updated: 2/14/2022

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

Vulnerability Information

Required KB Items: SCADA/Apps/RealFlex/RealWin/Installed

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/5/2010

Vulnerability Publication Date: 10/15/2010

Exploitable With

CANVAS (White_Phosphorus)

Core Impact

Metasploit (DATAC RealWin SCADA Server SCPC_INITIALIZE_RF Buffer Overflow)

Reference Information

CVE: CVE-2010-4142

BID: 44150

CERT: 222657

EDB-ID: 15259

ICSA: 10-313-01