BugTraq
[NB07-07] Multiple vulnerabilities in Takebishi Electric DeviceXplorer HIDIC OPC server Mar 22 2007 05:32PM
Lluis Mora (llmora neutralbit com)

Multiple vulnerabilities in Takebishi Electric DeviceXplorer HIDIC OPC
server
========================================================================
====
=

OPC servers provide a standard way to interoperate automation and control
systems, bridging data from several industrial protocols such as DNP3,
MODBUS, etc. to a more standard data access interface. They are often used
in SCADA systems to consolidate network device information in a single
point; as such OPC servers are usually considered critical applications.

Takebishi Electric commercialises an OPC Server ("Takebishi.Hidic.1"), more
information is available at http://www.takebishi.co.jp/.

ANALYSIS
--------

The product presents various security vulnerabilities, allowing an attacker
with access to the OPC interface to arbitrarily read and write the process
memory, leading to the execution of attacker-provided code.

The vulnerabilities reside in the server implementation of the following OPC
Data Access interface methods:

* IOPCServer::RemoveGroup

By providing specially crafted OPC handles the attacker can force the server
to access arbitrary memory in read/write operations which can be leveraged
to execute arbitrary code in the OPC server.

VULNERABLE VERSIONS
-------------------

The vulnerability has been verified to be present in the following version
of the server:

Server name: DeviceXPlorer HIDIC OPC Server
OPC Server CLSID: {7A28463E-6BAC-4472-BEB9-1F37C2D7DD17}
ProgID: Takebishi.Hidic.1
Version: 3.11.6
OS: Windows XP

The vulnerability was discovered during an OPC server group assessment for a
customer and is not known to be publicly exploited.

WORKAROUND
----------

The vendor has fixed the vulnerability and published an updated version.

ADDITIONAL INFORMATION
----------------------

This vulnerability was found and researched by:

Lluis Mora <llmora (at) neutralbit (dot) com [email concealed]>
Xavier Panadero <xpanadero (at) neutralbit (dot) com [email concealed]>

You can find the latest version of this advisory at:

http://www.neutralbit.com/

Disclosure timeline:

12/Jan/2006: Vendor notified
12/Jan/2006: US-CERT notified
16/Mar/2006: Vendor published public advisory
21/Mar/2006: Neutralbit advisory published

References:

CERT: US-CERT Vulnerability Note VU#926551
CVE: CVE-2007-1319

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus