CVE-2011-1563
Published 2011-04-05
Priority: P2 · CVSS 2.0: 10 (critical)
CVSS vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 74.64% (99.4th percentile)
Multiple stack-based buffer overflows in the HMI application in DATAC RealFlex RealWin 2.1 (Build 6.1.10.10) and earlier allow remote attackers to execute arbitrary code via (1) a long username in an On_FC_CONNECT_FCS_LOGIN packet, and crafted (2) On_FC_CTAGLIST_FCS_CADDTAG, (3) On_FC_CTAGLIST_FCS_CDELTAG, (4) On_FC_CTAGLIST_FCS_ADDTAGMS, (5) On_FC_RFUSER_FCS_LOGIN, (6) unspecified "On_FC_BINFILE_FCS_*FILE", (7) On_FC_CGETTAG_FCS_GETTELEMETRY, (8) On_FC_CGETTAG_FCS_GETCHANNELTELEMETRY, (9) On_FC_CGETTAG_FCS_SETTELEMETRY, (10) On_FC_CGETTAG_FCS_SETCHANNELTELEMETRY, and (11) On_FC_SCRIPT_FCS_STARTPROG packets to port 910.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| realflex | realwin | <= 2.1 | — |
| realflex | realwin | — | — |
| realflex | realwin | — | — |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring for large or malformed On_FC_CONNECT_FCS_LOGIN packets containing an oversized username field sent to TCP port 910.
- Monitor TCP port 910 for On_FC_BINFILE_FCS_*FILE packets with oversized filename fields that would overflow the stack buffer used in the inline memcpy routine.
- Detect On_FC_CGETTAG_FCS_GETTELEMETRY, On_FC_CGETTAG_FCS_GETCHANNELTELEMETRY, On_FC_CGETTAG_FCS_SETTELEMETRY, and On_FC_CGETTAG_FCS_SETCHANNELTELEMETRY packets on port 910 with input strings longer than ~200 bytes (the stack buffer size for the sprintf path construction).
- Detect On_FC_SCRIPT_FCS_STARTPROG packets on port 910 with input strings exceeding ~4096 bytes (the stack buffer size).
- Detect On_FC_MISC_FCS_MSGBROADCAST and On_FC_MISC_FCS_MSGSEND packets on port 910 where the attacker-supplied 32-bit size value is crafted to cause a heap overflow (integer overflow in the allocation: size + 0x16).
- The vulnerable version is RealWin 2.1 (Build 6.1.10.10) and earlier; the Metasploit module for On_FC_CONNECT_FCS_LOGIN was tested against Build 6.0.10.10, and the On_FC_BINFILE module was tested against version 2.0 (Build 6.1.8.10); confirm the exact build before deploying exploit-based detection.
- No vendor fix was available at the time of disclosure; detection and mitigation must rely on network-level controls blocking port 910.
No detection rules found.
Exploit-DB: DATAC RealWin - Multiple Vulnerabilities (exploitdb, 2011-03-22; also tagged CVE-2011-1564)
---
Sources:
http://aluigi.org/adv/realwin_2-adv.txt
http://aluigi.org/adv/realwin_3-adv.txt
http://aluigi.org/adv/realwin_4-adv.txt
http://aluigi.org/adv/realwin_5-adv.txt
http://aluigi.org/adv/realwin_6-adv.txt
http://aluigi.org/adv/realwin_7-adv.txt
http://aluigi.org/adv/realwin_8-adv.txt
Advisory Archive: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17025-adv.tar.gz (datac_realwin_adv.tar.gz)
PoC Archive: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17025-poc.tar.tz (datac_realwin_poc.tar.gz)
#######################################################################
Luigi Auriemma
Application: DATAC RealWin
http://www.dataconline.com/software/realwin.php
http://www.realfl
Metasploit: RealWin SCADA Server DATAC Login Buffer Overflow
This module exploits a stack buffer overflow in DATAC Control International RealWin SCADA Server 2.1 (Build 6.0.10.10) or earlier. By sending a specially crafted On_FC_CONNECT_FCS_LOGIN packet containing a long username, an attacker may be able to execute arbitrary code.
Metasploit: DATAC RealWin SCADA Server 2 On_FC_CONNECT_FCS_a_FILE Buffer Overflow
This module exploits a vulnerability found in DATAC Control International RealWin SCADA Server 2.1 and below. By supplying a specially crafted On_FC_BINFILE_FCS_*FILE packet via port 910, RealWin will try to create a file (which would be saved to C:\Program Files\DATAC\Real Win\RW-version\filename) by first copying the user-supplied filename with an inline memcpy routine without proper bounds checking, which results in a stack-based buffer overflow, allowing arbitrary remote code execution. Tested version: 2.0 (Build 6.1.8.10)
No writeups or analysis indexed.
References:
- http://aluigi.org/adv/realwin_2-adv.txt
- http://aluigi.org/adv/realwin_3-adv.txt
- http://aluigi.org/adv/realwin_4-adv.txt
- http://aluigi.org/adv/realwin_5-adv.txt
- http://aluigi.org/adv/realwin_7-adv.txt
- http://aluigi.org/adv/realwin_8-adv.txt
- http://secunia.com/advisories/43848
- http://securityreason.com/securityalert/8176
- http://www.exploit-db.com/exploits/17025
- http://www.securityfocus.com/bid/46937
- http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-080-04.pdf
- http://www.vupen.com/english/advisories/2011/0742