Operation Technology ETAP 14.1.0 Multiple Stack Buffer Overrun Vulnerabilities
Title: Operation Technology ETAP 14.1.0 Multiple Stack Buffer Overrun Vulnerabilities
Advisory ID: ZSL-2016-5324
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 22.05.2016
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Microsoft Windows 7 Ultimate SP1 (EN) x86_64
[11.04.2016] Vendor contacted.
[21.05.2016] No response from the vendor.
[22.05.2016] Public security advisory released.
[2] https://www.exploit-db.com/exploits/39846/
[3] https://packetstormsecurity.com/files/137145
[4] http://www.vfocus.net/art/20160524/12702.html
[5] https://exchange.xforce.ibmcloud.com/vulnerabilities/113434
[23.05.2016] - Added reference [1], [2] and [3]
[25.05.2016] - Added reference [4]
[27.05.2016] - Added reference [5]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2016-5324
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 22.05.2016
Summary
Enterprise Software Solution for Electrical Power Systems. ETAP is the most comprehensive electrical engineering software platform for the design, simulation, operation, and automation of generation, transmission, distribution, and industrial systems. As a fully integrated model-driven enterprise solution, ETAP extends from modeling to operation to offer a Real-Time Power Management System.Description
Multiple ETAP binaries are prone to a stack-based buffer overflow vulnerability because the application fails to handle malformed arguments. An attacker can exploit these issues to execute arbitrary code within the context of the application or to trigger a denial-of-service conditions.--------------------------------------------------------------------------------
STATUS_STACK_BUFFER_OVERRUN encountered
(380c.3cc4): Break instruction exception - code 80000003 (first chance)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\windows\system32\kernel32.dll -
*** WARNING: Unable to verify checksum for SO3Ph.exe
*** ERROR: Symbol file could not be found. Defaulted to export symbols for SO3Ph.exe -
kernel32!UnhandledExceptionFilter+0x71:
00000000`76fcb8c1 cc int 3
0:000> r
rax=0000000000000000 rbx=0000000000000000 rcx=000063dde1df0000
rdx=000000000000fffd rsi=0000000000000001 rdi=0000000000000002
rip=0000000076fcb8c1 rsp=00000000000fe780 rbp=ffffffffffffffff
r8=0000000000000000 r9=0000000000000000 r10=0000000000000000
r11=00000000000fe310 r12=0000000140086150 r13=0000000000000000
r14=000000000012eb00 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
kernel32!UnhandledExceptionFilter+0x71:
00000000`76fcb8c1 cc int 3
--------------------------------------------------------------------------------
Vendor
Operation Technology, Inc. - http://www.etap.comAffected Version
14.1.0.0Tested On
Microsfot Windows 7 Professional SP1 (EN) x86_64Microsoft Windows 7 Ultimate SP1 (EN) x86_64
Vendor Status
[07.04.2016] Vulnerabilities discovered.[11.04.2016] Vendor contacted.
[21.05.2016] No response from the vendor.
[22.05.2016] Public security advisory released.
PoC
etap_bof.txtCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] https://cxsecurity.com/issue/WLB-2016050107[2] https://www.exploit-db.com/exploits/39846/
[3] https://packetstormsecurity.com/files/137145
[4] http://www.vfocus.net/art/20160524/12702.html
[5] https://exchange.xforce.ibmcloud.com/vulnerabilities/113434
Changelog
[22.05.2016] - Initial release[23.05.2016] - Added reference [1], [2] and [3]
[25.05.2016] - Added reference [4]
[27.05.2016] - Added reference [5]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk