Executive Summary

Summary
Title RealFlex RealWin HMI service buffer overflows
Information
Name: VU#222657    First vendor publication: 2010-11-19
Vendor: VU-CERT    Last vendor modification: 2010-11-23
Severity (vendor): N/A    Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: N/A
Base score: N/A    Environmental score: N/A
Impact sub-score: N/A    Temporal score: N/A
Exploitability sub-score: N/A

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS base score: 10    Attack range: Network
CVSS impact score: 10    Attack complexity: Low
CVSS exploit score: 10    Authentication: None required

Detail

Vulnerability Note VU#222657

RealFlex RealWin HMI service buffer overflows

Overview

RealFlex RealWin 1.06 HMI service (912/tcp) contains two stack buffer overflow vulnerabilities.

I. Description

RealFlex RealWin is a SCADA server package for small and medium-sized installations that controls and monitors real-time processes. The RealWin application runs an HMI service on port 912/tcp. This service is vulnerable to two stack-based buffer overflows. The first is caused by the use of sprintf() in the SCPC_INITIALIZE() and SCPC_INITIALIZE_RF() functions; the second by the use of strcpy() in the SCPC_TXTEVENT() function. In both cases data taken from a network packet is written into a fixed-size stack buffer without a length check.

Further information is available in ICS-CERT Advisory ICSA-10-313-01.
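The two unsafe patterns the note describes (an unbounded sprintf() that formats a packet field into a stack buffer, and an unbounded strcpy() of a packet field into a stack buffer), shown beside length-checked replacements. This is an added illustration written for this page, not RealWin's code and not the published exploit; the buffer size TXT_MAX, the "INIT node=..." message text and the packet layout (a 16-bit little-endian length followed by that many bytes of text) are assumptions, since the note does not publish the wire format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TXT_MAX 64   /* assumed size of the fixed stack buffer (hypothetical) */

/* Vulnerable pattern (strcpy): nothing checks that the field fits in buf.
 * Mirrors what the note describes for SCPC_TXTEVENT; not the vendor's code.
 * Only ever call this with a field shorter than TXT_MAX. */
size_t txtevent_vulnerable(const char *field)
{
    char buf[TXT_MAX];
    strcpy(buf, field);          /* writes past buf when strlen(field) >= TXT_MAX */
    return strlen(buf);
}

/* Vulnerable pattern (sprintf): the formatted result grows with the input,
 * as the note describes for SCPC_INITIALIZE / SCPC_INITIALIZE_RF. */
size_t initialize_vulnerable(const char *node)
{
    char buf[TXT_MAX];
    sprintf(buf, "INIT node=%s", node);   /* overflows once node is long enough */
    return strlen(buf);
}

/* Hardened SCPC_TXTEVENT-style handler.  Assumed wire layout for this example:
 * 16-bit little-endian length, then that many bytes of text.
 * Returns the copied length, or -1 if the packet is malformed or too large. */
int txtevent_hardened(const uint8_t *pkt, size_t pkt_len, char *out, size_t out_sz)
{
    if (pkt_len < 2 || out_sz == 0)
        return -1;
    size_t declared = (size_t)pkt[0] | ((size_t)pkt[1] << 8);
    if (declared > pkt_len - 2)      /* declared length runs past the received bytes */
        return -1;
    if (declared >= out_sz)          /* no room for the text plus the terminating NUL */
        return -1;
    memcpy(out, pkt + 2, declared);
    out[declared] = '\0';
    return (int)declared;
}

/* Hardened SCPC_INITIALIZE-style formatter: snprintf() plus a truncation check.
 * Returns the formatted length, or -1 if the full message would not fit. */
int initialize_hardened(const char *node, char *out, size_t out_sz)
{
    int n = snprintf(out, out_sz, "INIT node=%s", node);
    if (n < 0 || (size_t)n >= out_sz) {
        if (out_sz)
            out[0] = '\0';           /* do not leave a silently truncated message behind */
        return -1;
    }
    return n;
}

/* Build a constructed SCPC_TXTEVENT-style packet carrying n 'A' bytes.
 * Returns the packet length written, or 0 if it does not fit in pkt_cap. */
size_t make_txt_packet(uint8_t *pkt, size_t pkt_cap, size_t n)
{
    if (n > 0xFFFF || n + 2 > pkt_cap)
        return 0;
    pkt[0] = (uint8_t)(n & 0xFF);
    pkt[1] = (uint8_t)(n >> 8);
    memset(pkt + 2, 'A', n);
    return n + 2;
}

int main(void)
{
    uint8_t pkt[512];
    char out[TXT_MAX];

    /* An oversized field is rejected before any copy happens. */
    size_t len = make_txt_packet(pkt, sizeof pkt, 300);
    printf("300-byte field: rc=%d\n", txtevent_hardened(pkt, len, out, sizeof out));

    /* A well-formed field is copied and NUL-terminated. */
    len = make_txt_packet(pkt, sizeof pkt, 10);
    printf("10-byte field: rc=%d text=%s\n",
           txtevent_hardened(pkt, len, out, sizeof out), out);

    printf("format: rc=%d text=%s\n", initialize_hardened("hmi1", out, sizeof out), out);
    return 0;
}
```

The hardened handler fails closed: an oversized or inconsistent length is rejected before the copy rather than truncated, which is also the property the Snort rules listed further down this page check on the wire ("oversized packet"). The vulnerable versions are kept only to show the pattern; they are never fed oversized input here, because doing so is undefined behaviour and, on a real service, the crash or code execution the note describes.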

II. Impact

A remote, unauthenticated attacker could cause a denial of service or execute arbitrary code with the privileges of the service account on the target machine. If the service account has administrative privileges, the attacker could take complete control of a vulnerable system.

III. Solution

Upgrade to RealWin 2.1.10 (2.1 Build 6.1.10.10).

Vendor Information

Vendor: RealFlex Technologies Ltd.
Status: Affected
Date notified: 2010-10-29
Date updated: 2010-11-12

References

http://www.us-cert.gov/control_systems/pdf/ICSA-10-313-01.pdf
http://aluigi.altervista.org/adv/realwin_1-adv.txt
http://www.exploit-db.com/exploits/15337/
http://www.realflex.com/products/realwin/realwin.php
http://cs.realflex.com/cs/index.ssp
https://www.metasploit.com/redmine/projects/framework/repository/revisions/11067/entry/modules/exploits/windows/scada/realwin_10.rb

Credit

Luigi Auriemma publicly reported this vulnerability.

This document was written by Michael Orlando.

Other Information

Date public: 2010-10-27
Date first published: 2010-11-19
Date last updated: 2010-11-23
CERT Advisory:
CVE-ID(s): CVE-2010-4142
NVD-ID(s): CVE-2010-4142
US-CERT Technical Alerts:
Severity metric: 12.07
Document revision: 22

Original Source

Url : http://www.kb.cert.org/vuls/id/222657

CWE : Common Weakness Enumeration

Id: CWE-119    Name: Failure to Constrain Operations within the Bounds of a Memory Buffer    Share: 100 %

CPE : Common Platform Enumeration

Type: Application    Count: 2

SAINT Exploits

Description
DATAC RealWin SCADA Server SCPC_INITIALIZE buffer overflow

OpenVAS Exploits

Date Description
2010-11-02 Name : RealWin SCADA System Buffer Overflow Vulnerabilities
File : nvt/gb_realwin_scada_bof_vuln.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
68812 DATAC RealWin Multiple Packet Type Processing Overflow

RealWin is prone to an overflow condition. The program fails to properly sanitize user-supplied input resulting in a stack-based buffer overflow. With a specially crafted 'SCPC_INITIALIZE', 'SCPC_INITIALIZE_RF' or 'SCPC_TXTEVENT' packet, a remote attacker can potentially execute arbitrary code.

Snort® IPS/IDS

Date Description
2014-01-10 RealWin 2.1 SCPC_INITIALIZE overflow attempt
RuleID : 18659 - Revision : 9 - Type : PROTOCOL-SCADA
2014-01-10 RealWin SPC_TXTEVENT oversized packet buffer overflow
RuleID : 18290 - Revision : 2 - Type : SCADA
2014-01-10 RealWin SPC_INITIALIZE_RF oversized packet buffer overflow
RuleID : 18289 - Revision : 2 - Type : SCADA
2014-01-10 RealWin SPC_INITIALIZE oversized packet buffer overflow
RuleID : 18288 - Revision : 2 - Type : SCADA