Details of VAR-E-201109-0578

ID

VAR-E-201109-0578

CVE

cve_id:

CVE-2011-3489

Trust: 1.9

sources: BID: 49608 // EXPLOIT-DB: 17843 // EDBNET: 40364

EDB ID

17843

TITLE

Rockwell RSLogix 19 - Denial of Service - Windows dos Exploit

Trust: 0.6

sources: EXPLOIT-DB: 17843

DESCRIPTION

Rockwell RSLogix 19 - Denial of Service. CVE-2011-3489CVE-75569 . dos exploit for Windows platform

Trust: 0.6

sources: EXPLOIT-DB: 17843

AFFECTED PRODUCTS

vendor:	rockwell	model:	rslogix	scope:	eq	version:	19	Trust: 1.0
vendor:	rockwell	model:	rslogix	scope:	lte	version:	<=19	Trust: 0.6
vendor:	rockwall	model:	automation rslogix	scope:	eq	version:	500019	Trust: 0.3
vendor:	rockwall	model:	automation rslogix	scope:	eq	version:	500018	Trust: 0.3
vendor:	rockwall	model:	automation rslogix	scope:	eq	version:	500017	Trust: 0.3
vendor:	rockwall	model:	automation rslogix	scope:	eq	version:	50000	Trust: 0.3
vendor:	rockwall	model:	automation factorytalk cpr9-sr4	scope:	-	version:	-	Trust: 0.3
vendor:	rockwall	model:	automation factorytalk cpr9-sr3	scope:	-	version:	-	Trust: 0.3
vendor:	rockwall	model:	automation factorytalk cpr9-sr2	scope:	-	version:	-	Trust: 0.3
vendor:	rockwall	model:	automation factorytalk cpr9-sr1	scope:	-	version:	-	Trust: 0.3
vendor:	rockwall	model:	automation factorytalk cpr9	scope:	-	version:	-	Trust: 0.3
vendor:	rockwall	model:	automation factorytalk	scope:	eq	version:	0	Trust: 0.3

sources: BID: 49608 // EXPLOIT-DB: 17843 // EDBNET: 40364

EXPLOIT

#######################################################################

Luigi Auriemma

Application: Rockwell RSLogix
http://www.rockwellautomation.com/rockwellsoftware/design/rslogix5000/
Versions: <= 19 (RsvcHost.exe 2.30.0.23)
Platforms: Windows
Bug: Denial of Service
Exploitation: remote
Date: 13 Sep 2011
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

From vendor's website:
"With RSLogix 5000 programming software, you need only one software
package for discrete, process, batch, motion, safety and drive-based
application."

#######################################################################

======
2) Bug
======

RsvcHost.exe and RNADiagReceiver.exe listen on ports 4446 and others.

These services use RnaUtility.dll which doesn't handle the 32bit size
field located in the "rna" packets with results like a memset zero
overflow and invalid read access.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/rslogix_1.zip
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/17843.zip

nc SERVER 4446 < rslogix_1a.dat
nc SERVER 4446 < rslogix_1b.dat

#######################################################################

======
4) Fix
======

No fix.

#######################################################################

Trust: 1.0

sources: EXPLOIT-DB: 17843

EXPLOIT LANGUAGE

txt

Trust: 0.6

sources: EXPLOIT-DB: 17843

PRICE

free

Trust: 0.6

sources: EXPLOIT-DB: 17843

TYPE

Denial of Service

Trust: 1.6

sources: EXPLOIT-DB: 17843 // EDBNET: 40364

CREDITS

Luigi Auriemma

Trust: 0.6

sources: EXPLOIT-DB: 17843

EXTERNAL IDS

db:	NVD	id:	CVE-2011-3489	Trust: 1.9
db:	EXPLOIT-DB	id:	17843	Trust: 1.6
db:	EDBNET	id:	40364	Trust: 0.6
db:	ICS CERT ALERT	id:	ICS-ALERT-11-256-05A	Trust: 0.3
db:	ICS CERT	id:	ICSA-11-273-03	Trust: 0.3
db:	BID	id:	49608	Trust: 0.3

sources: BID: 49608 // EXPLOIT-DB: 17843 // EDBNET: 40364

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2011-3489	Trust: 1.6
url:	https://www.exploit-db.com/exploits/17843/	Trust: 0.6
url:	http://aluigi.org/poc/rslogix_1.zip	Trust: 0.3
url:	http://www.rockwellautomation.com/rockwellsoftware/design/rslogix5000/	Trust: 0.3
url:	http://aluigi.altervista.org/adv/rslogix_1-adv.txt	Trust: 0.3
url:	http://www.us-cert.gov/control_systems/pdf/icsa-11-273-03.pdf	Trust: 0.3
url:	http://rockwellautomation.custhelp.com/app/answers/detail/a_id/456144	Trust: 0.3
url:	http://www.us-cert.gov/control_systems/pdf/ics-alert-11-256-05a.pdf	Trust: 0.3

sources: BID: 49608 // EXPLOIT-DB: 17843 // EDBNET: 40364

SOURCES

db:	BID	id:	49608
db:	EXPLOIT-DB	id:	17843
db:	EDBNET	id:	40364

LAST UPDATE DATE

2022-07-27T09:27:49.759000+00:00

SOURCES UPDATE DATE

db:

BID

id:

49608

date:

2011-09-30T22:50:00

SOURCES RELEASE DATE

db:	BID	id:	49608	date:	2011-09-13T00:00:00
db:	EXPLOIT-DB	id:	17843	date:	2011-09-14T00:00:00
db:	EDBNET	id:	40364	date:	2011-09-14T00:00:00