Attack: RealWin SCADA

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects attempts to exploit remote buffer-overflow vulnerabilities in the DATAC RealWin SCADA Server.

Additional Information

DATAC RealWin is a SCADA (Supervisory Control And Data Acquisition) server for Microsoft Windows platforms.

RealWin is prone to multiple remote buffer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied data. The following issues exist:

1. A stack-overflow vulnerability in the '004be510()' function when handling 'On_FC_CONNECT_FCS_LOGIN' packets with a long username.

2. A stack-overflow vulnerability in the '0042f770()' function when handling 'On_FC_CTAGLIST_FCS_CADDTAG', 'On_FC_CTAGLIST_FCS_CDELTAG', or 'On_FC_CTAGLIST_FCS_ADDTAGMS' packets with long input strings.

3. A stack-overflow vulnerability in the '0042f670()' function when handling 'On_FC_CTAGLIST_FCS_CADDTAG', 'On_FC_CTAGLIST_FCS_CDELTAG', or 'On_FC_CTAGLIST_FCS_ADDTAGMS' packets with long input strings.

4. A stack-overflow vulnerability in the '0042f9c0()' function when handling 'On_FC_CTAGLIST_FCS_CADDTAG', 'On_FC_CTAGLIST_FCS_CDELTAG', or 'On_FC_CTAGLIST_FCS_ADDTAGMS' packets with long input strings.

5. A stack-overflow vulnerability in the '00437500()' function when handling 'On_FC_RFUSER_FCS_LOGIN' packets with a long username.

6. A stack-overflow vulnerability in the '004275b0()' function when handling various 'On_FC_BINFILE_FCS_*FILE' packets containing a long filename.

7. A stack-overflow vulnerability in the '0042f770()' function when handling various 'On_FC_BINFILE_FCS_*FILE' packets containing a long filename.

8. A stack-overflow vulnerability in the '0042f670()' function when handling various 'On_FC_BINFILE_FCS_*FILE' packets containing a long filename.

9. A stack-overflow vulnerability in the '0042f9c0()' function when handling various 'On_FC_BINFILE_FCS_*FILE' packets containing a long filename.

10. A stack-overflow vulnerability in the '00427790()' function when handling various 'On_FC_BINFILE_FCS_*FILE' packets containing a long filename.

11. A stack-overflow vulnerability in the '004280b0()' function when handling various 'On_FC_BINFILE_FCS_*FILE' packets containing a long filename.

12. A stack-overflow vulnerability in the '00427880()' function when handling various 'On_FC_BINFILE_FCS_*FILE' packets containing a long filename.

13. An integer-overflow vulnerability in the '004326f0()' function when handling 'OnFC_MISC_FCS_MSGBROADCAST' or 'OnFC_MISC_FCS_MSGSEND' packets.

14. An integer-overflow vulnerability in the '00432ae0()' function when handling 'OnFC_MISC_FCS_MSGBROADCAST' or 'OnFC_MISC_FCS_MSGSEND' packets.

15. A stack-overflow vulnerability in the '00467050()' function when handling 'On_FC_CGETTAG_FCS_GETTELEMETRY', 'On_FC_CGETTAG_FCS_GETCHANNELTELEMETRY', 'On_FC_CGETTAG_FCS_SETTELEMETRY', or 'On_FC_CGETTAG_FCS_SETCHANNELTELEMETRY' packets.

16. A stack-overflow vulnerability in the '00467520()' function when handling 'On_FC_CGETTAG_FCS_GETTELEMETRY', 'On_FC_CGETTAG_FCS_GETCHANNELTELEMETRY', 'On_FC_CGETTAG_FCS_SETTELEMETRY', or 'On_FC_CGETTAG_FCS_SETCHANNELTELEMETRY' packets.

17. A stack-overflow vulnerability in the '00467860()' function when handling 'On_FC_CGETTAG_FCS_GETTELEMETRY', 'On_FC_CGETTAG_FCS_GETCHANNELTELEMETRY', 'On_FC_CGETTAG_FCS_SETTELEMETRY', or 'On_FC_CGETTAG_FCS_SETCHANNELTELEMETRY' packets.

18. A stack-overflow vulnerability in the '00467ce0()' function when handling 'On_FC_CGETTAG_FCS_GETTELEMETRY', 'On_FC_CGETTAG_FCS_GETCHANNELTELEMETRY', 'On_FC_CGETTAG_FCS_SETTELEMETRY', or 'On_FC_CGETTAG_FCS_SETCHANNELTELEMETRY' packets.

19. A stack-overflow vulnerability in the '00439620()' function when handling 'On_FC_SCRIPT_FCS_STARTPROG' packets.

Attackers can leverage these issues to execute arbitrary code in the context of the application. Failed exploit attempts will cause a denial-of-service condition.

Affected

  • DATAC RealWin versions 2.1 and prior are vulnerable; other versions may also be affected.