ID
VAR-E-201109-0336
CVE
cve_id: | CVE-2011-3491 | Trust: 1.9 |
cve_id: | CVE-2011-3499 | Trust: 1.3 |
cve_id: | CVE-2011-3498 | Trust: 1.3 |
EDB ID
17842
TITLE
progea movicon / powerhmi 11.2.1085 - Multiple Vulnerabilities - Windows dos Exploit
Trust: 0.6
DESCRIPTION
progea movicon / powerhmi 11.2.1085 - Multiple Vulnerabilities. CVE-2011-3499, CVE-2011-3498, CVE-2011-3491, CVE-75494, CVE-75493, CVE-75492, CVE-75491. dos exploit for Windows platform
Trust: 0.6
AFFECTED PRODUCTS
vendor: | progea | model: | movicon powerhmi | scope: | eq | version: | /11.2.1085 | Trust: 1.0 |
vendor: | progea | model: | movicon powerhmi | scope: | eq | version: | /<=11.2.1085 | Trust: 0.6 |
vendor: | progea | model: | movicon powerhmi | scope: | eq | version: | 11.2.1085 | Trust: 0.3 |
vendor: | progea | model: | movicon | scope: | eq | version: | 11.2.1085.4 | Trust: 0.3 |
vendor: | progea | model: | movicon | scope: | eq | version: | 11.2.1085.3 | Trust: 0.3 |
vendor: | progea | model: | movicon build | scope: | eq | version: | 11.21085 | Trust: 0.3 |
vendor: | progea | model: | movicon build | scope: | eq | version: | 11.21084 | Trust: 0.3 |
vendor: | progea | model: | movicon | scope: | eq | version: | 11.2 | Trust: 0.3 |
EXPLOIT
#######################################################################
Luigi Auriemma
Application: Progea Movicon / PowerHMI
http://www.progea.com
Versions: <= 11.2.1085
Platforms: Windows
Bug: memory corruption
Exploitation: remote
Date: 13 Sep 2011
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Movicon is Italian SCADA/HMI software.
#######################################################################
======
2-1) Bug
======
When the software runs a project it listens on port 808 for accepting
some HTTP requests.
The server is affected by a heap overflow caused by the use of a
negative Content-Length field, which allows memory to be corrupted
through "memcpy(heap_buffer, input, content_length_size)".
#######################################################################
===========
3-1) The Code
===========
http://aluigi.org/poc/movicon_1.dat
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/17842-1.dat
nc SERVER 808 < movicon_1.dat
#######################################################################
======
2-2) Bug
======
When the software runs a project it listens on port 808 for accepting
some HTTP requests.
The server is affected by a heap overflow caused by the use of a fixed
buffer of 8192 bytes for holding the incoming HTTP requests.
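The two HTTP bugs above (2-1 and 2-2) share one root cause: a length taken from the request is trusted when sizing a copy into a fixed heap buffer. The following is an added illustration, not Progea's code and not the advisory's PoC: the vulnerable pattern reconstructed from the one-line description (a signed Content-Length handed to memcpy as a size_t), beside a checked parser that rejects negative, malformed and oversized values and never copies more than the 8192-byte buffer or the received body can hold. Function names and the atoi() parse are assumptions.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define REQ_BUF_SIZE 8192   /* fixed request buffer size named in bug 2-2 */
static char request_buffer[REQ_BUF_SIZE];

/* Vulnerable pattern, reconstructed from the advisory's description (assumed
 * atoi() parse): the header is read as a signed int and handed straight to
 * memcpy as a size_t. Returns the length memcpy would receive; no copy is done. */
size_t vulnerable_copy_length(const char *content_length_header)
{
    int content_length = atoi(content_length_header);  /* "-1" -> -1 */
    return (size_t)content_length;                      /* -1 -> SIZE_MAX */
}

/* Hardened parser: unsigned decimal only, no sign or whitespace, no trailing
 * junk, and never larger than the buffer. Returns the length, or -1 to reject. */
long long parse_content_length(const char *value, size_t capacity)
{
    char *end;
    unsigned long long n;
    if (value == NULL || *value < '0' || *value > '9')
        return -1;                        /* rejects "", "-1", "+5", " 5" */
    errno = 0;
    n = strtoull(value, &end, 10);
    if (errno == ERANGE || *end != '\0' || n > capacity)
        return -1;                        /* overflow, junk, or does not fit */
    return (long long)n;
}

/* Bounded copy into the fixed buffer. Returns bytes copied, or 0 when the
 * declared length was rejected; never copies more than was received. */
size_t copy_body_checked(const char *input, size_t input_len,
                         const char *content_length_header)
{
    long long declared = parse_content_length(content_length_header, REQ_BUF_SIZE);
    size_t n;
    if (declared < 0)
        return 0;
    n = (size_t)declared;
    if (n > input_len)                    /* header claims more than arrived */
        n = input_len;
    memcpy(request_buffer, input, n);
    return n;
}
```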
#######################################################################
===========
3-2) The Code
===========
http://aluigi.org/testz/udpsz.zip
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/17842-2.dat
udpsz -T -b 0x61 SERVER 808 10000
#######################################################################
======
2-3) Bug
======
When the software runs a project it listens on port 808 for accepting
some HTTP requests and on port 12233 for a particular "EIDP" protocol.
Through an oversized size field in the "EIDP" packets tunnelled via the
web service (it does not seem possible to exploit the bug via the
original port) it's possible to write a 0x00 byte to an arbitrary memory
location higher than 0x7fffffff:
00a29001 c6041100 mov byte ptr [ecx+edx],0 ds:0023:80616161=??
This limitation could make the bug interesting only in some 64-bit
environments.
#######################################################################
===========
3-3) The Code
===========
http://aluigi.org/poc/movicon_3.dat
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/17842-3.dat
nc SERVER 808 < movicon_3.dat
#######################################################################
======
4) Fix
======
No fix.
#######################################################################
Trust: 1.0
EXPLOIT LANGUAGE
txt
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
Multiple Vulnerabilities
Trust: 1.6
CREDITS
Luigi Auriemma
Trust: 0.6
EXTERNAL IDS
db: | NVD | id: | CVE-2011-3491 | Trust: 1.9 |
db: | EXPLOIT-DB | id: | 17842 | Trust: 1.6 |
db: | NVD | id: | CVE-2011-3499 | Trust: 1.3 |
db: | NVD | id: | CVE-2011-3498 | Trust: 1.3 |
db: | EDBNET | id: | 40363 | Trust: 0.6 |
db: | ICS CERT | id: | ICSA-11-294-01 | Trust: 0.3 |
db: | BID | id: | 49605 | Trust: 0.3 |
REFERENCES
url: | https://nvd.nist.gov/vuln/detail/cve-2011-3491 | Trust: 1.6 |
url: | https://nvd.nist.gov/vuln/detail/cve-2011-3499 | Trust: 1.0 |
url: | https://nvd.nist.gov/vuln/detail/cve-2011-3498 | Trust: 1.0 |
url: | https://www.exploit-db.com/exploits/17842/ | Trust: 0.6 |
url: | http://www.progea.com/ | Trust: 0.3 |
url: | http://aluigi.altervista.org/adv/movicon_1-adv.txt | Trust: 0.3 |
url: | http://aluigi.altervista.org/adv/movicon_2-adv.txt | Trust: 0.3 |
url: | http://www.us-cert.gov/control_systems/pdf/icsa-11-294-01.pdf | Trust: 0.3 |
url: | http://aluigi.altervista.org/adv/movicon_3-adv.txt | Trust: 0.3 |
SOURCES
db: | BID | id: | 49605 |
db: | EXPLOIT-DB | id: | 17842 |
db: | EDBNET | id: | 40363 |
LAST UPDATE DATE
2022-07-27T09:50:04.419000+00:00
SOURCES UPDATE DATE
db: | BID | id: | 49605 | date: | 2011-10-21T16:01:00 |
SOURCES RELEASE DATE
db: | BID | id: | 49605 | date: | 2011-09-13T00:00:00 |
db: | EXPLOIT-DB | id: | 17842 | date: | 2011-09-14T00:00:00 |
db: | EDBNET | id: | 40363 | date: | 2011-09-14T00:00:00 |