Crouzet em4 soft 1.1.04 Integer Division By Zero

Title: Crouzet em4 soft 1.1.04 Integer Division By Zero
Advisory ID: ZSL-2016-5309
Type: Local/Remote
Impact: DoS
Risk: (1/5)
Release Date: 29.02.2016
Summary
em4 is more than just a nano-PLC. It is a leading edge device supported by best-in-class tools that enables you to create and implement the smartest automation applications.
Description
em4 soft suffers from a division by zero attack when handling Crouzet Logic Software Document '.pm4' files, resulting in denial of service vulnerability and possibly loss of data.

--------------------------------------------------------------------------------

(187c.1534): Integer divide-by-zero - code c0000094 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for image013b0000
*** ERROR: Module load completed but symbols could not be loaded for image013b0000
eax=00000000 ebx=00000000 ecx=55c37c10 edx=00000000 esi=0105b13c edi=0110bb18
eip=013ea575 esp=0064d8b8 ebp=0064d8f4 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206
image013b0000+0x3a575:
013ea575 f7bf18010000 idiv eax,dword ptr [edi+118h] ds:002b:0110bc30=00000000
0:000> u
image013b0000+0x3a575:
013ea575 f7bf18010000 idiv eax,dword ptr [edi+118h]
013ea57b 8d4de0 lea ecx,[ebp-20h]
013ea57e c745fc00000000 mov dword ptr [ebp-4],0
013ea585 50 push eax
013ea586 6808505b01 push offset image013b0000+0x205008 (015b5008)
013ea58b 51 push ecx
013ea58c ff15b0575a01 call dword ptr [image013b0000+0x1f57b0 (015a57b0)]
013ea592 8b870c010000 mov eax,dword ptr [edi+10Ch]

--------------------------------------------------------------------------------

Vendor
Crouzet Automatismes SAS - http://www.crouzet-automation.com
Affected Version
1.1.04 and 1.1.03.01
Tested On
Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)
Vendor Status
[25.01.2016] Vulnerability discovered.
[03.02.2016] Vendor contacted.
[28.02.2016] No response from the vendor.
[29.02.2016] Public security advisory released.
PoC
crouzet_em4_dividezero.txt
poc5309.pm4.zip
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://cxsecurity.com/issue/WLB-2016030013
[2] https://packetstormsecurity.com/files/136020
[3] https://www.exploit-db.com/exploits/39509/
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/111163
Changelog
[29.02.2016] - Initial release
[01.03.2016] - Added reference [1], [2] and [3]
[03.03.2016] - Added reference [4]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk