RealWin < 2.1.10 Multiple Packet Type Processing Overflows

critical Nessus Plugin ID 50687


The remote Windows host contains an application that is prone to multiple buffer overflow attacks.


The installed version of RealWin is earlier than 2.1.10 (2.1 Build and thus reportedly affected by two stack-based overflow vulnerabilities involving the use of 'sprintf()' in the 'SCPC_INITIALIZE()' and 'SCPC_INITIALIZE_RF()' functions on one hand and 'strcpy()' in the 'SCPC_TXTEVENT()' function on the other.

Using a specially crafted sequence of packets to the HMI service, which listens on TCP port 912, an unauthenticated remote attacker who can connect to the server can leverage this issue to crash the affected service or to execute code on the affected host with SYSTEM-level privileges.


Upgrade to RealWin version 2.1.10 (2.1 Build

See Also

Plugin Details

Severity: Critical

ID: 50687

File Name: realwin_2_1_10.nbin

Version: 1.51

Type: local

Family: SCADA

Published: 11/23/2010

Updated: 2/14/2022

Risk Information


Risk Factor: High

Score: 7.4


Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

Vulnerability Information

Required KB Items: SCADA/Apps/RealFlex/RealWin/Installed

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/5/2010

Vulnerability Publication Date: 10/15/2010

Exploitable With

CANVAS (White_Phosphorus)

Core Impact

Metasploit (DATAC RealWin SCADA Server SCPC_INITIALIZE_RF Buffer Overflow)

Reference Information

CVE: CVE-2010-4142

BID: 44150

CERT: 222657

EDB-ID: 15259

ICSA: 10-313-01