CVE-2011-1567
Published 2011-04-05
Priority: P2 · 73 · critical · CVSS 2.0 base score 10.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C (network reachable, low complexity, no authentication, complete confidentiality/integrity/availability impact)
Exploit: public exploit code available
EPSS: 69.62% (99.3rd percentile)
Multiple stack-based buffer overflows in IGSSdataServer.exe 9.00.00.11063 and earlier in 7-Technologies Interactive Graphical SCADA System (IGSS) allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted (1) ListAll, (2) Write File, (3) ReadFile, (4) Delete, (5) RenameFile, and (6) FileInfo commands in an 0xd opcode; (7) the Add, (8) ReadFile, (9) Write File, (10) Rename, (11) Delete, and (12) Add commands in an RMS report templates (0x7) opcode; and (13) 0x4 command in an STDREP request (0x8) opcode to TCP port 12401.
Detection & IOCs (extracted from sources)
bytes (opcode 0x0D request header): \x00\x04\x01\x00\x34\x12\x0D\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00
bytes (opcode 0x07 request header): \x00\x04\x01\x00\x34\x12\x07\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00
- Detect exploitation of CVE-2011-1567 by monitoring TCP port 12401 for oversized payloads whose opcode byte is 0x0D (ListAll/WriteFile/ReadFile/Delete/RenameFile/FileInfo), 0x07 (RMS report template commands Add/ReadFile/WriteFile/Rename/Delete) or 0x08 (STDREP, command 0x04). The request header starts with \x00\x04\x01\x00\x34\x12 and the opcode is the byte that follows it (offset 6).
- Monitor TCP port 12397 for directory traversal sequences in opcode 0x0A or 0x17 payloads sent to dc.exe, which can be used to execute arbitrary executables already on disk. This is a separate issue from the same advisory set (listed on Exploit-DB 17024 under CVE-2011-1568), not one of the CVE-2011-1567 overflows, but it is worth covering with the same rule set since it targets the same IGSS installation.
- The Metasploit exploit for the ListAll command uses the eggtag 'w00t' for its egghunter stage. Metasploit places the tag twice ('w00tw00t') immediately in front of the shellcode, so that doubled form is what to look for in process memory and in the stage that delivers the payload over port 12401.
- The Metasploit exploit for the Rename command uses the eggtag 'W00T' for its egghunter stage ('W00TW00T' in front of the shellcode). The tag is case-sensitive, so match both spellings.
- The STDREP (opcode 0x08) command 0x04 overflow is in a SQL query built with sprintf into a 256-byte stack buffer using the format string 'UPDATE ReportFormats SET RMSref={%s} WHERE (FormatID=%d)'. A %s argument long enough to push the formatted query past 256 bytes overflows the buffer; since the fixed text of the format string already consumes part of that space, the attacker-controlled string needs fewer than 256 bytes to do so.
- The ListAll exploit uses a ROP pivot gadget in dao360.dll at address 0x1b77ca8c (ADD ESP,1388; RETN) for DEP bypass on Windows XP SP3 / 2003 Server R2 SP2. The address is written little-endian in the overflow data, so the on-wire byte sequence is \x8c\xca\x77\x1b; its presence in traffic to port 12401 is a strong indicator of exploitation with the unmodified public module.
- The Rename exploit uses a ROP pivot in MSJET40.dll at 0x1B0938B8 (ADD ESP,910; RETN 10) for Windows XP SP3 and 0x1B093622 for Windows Server 2003 SP2 / R2 SP2, i.e. \xb8\x38\x09\x1b and \x22\x36\x09\x1b on the wire. These byte sequences in TCP payloads to port 12401 indicate exploitation.
- The attack is unauthenticated: no credentials are required to trigger the buffer overflow on IGSSdataServer.exe port 12401. Any large or unexpected TCP connection to port 12401, especially from a host that is not a known IGSS client, should be treated as suspicious, and the port should not be reachable from outside the control network at all.
- The vulnerability affects IGSSdataServer.exe version 9.00.00.11063 and earlier; later builds are not confirmed vulnerable.
- The STDREP (opcode 0x08, command 0x04) and RMS opcode 0x07 overflows were noted as not clearly exploitable for code execution at the time of disclosure, though denial of service (crash) is confirmed.
- The Metasploit Rename exploit is a three-stage attack: it first injects the payload into memory, then sends an Add command to obtain a valid ID, then triggers the Rename overflow with an egghunter. Detection that keys only on the final oversized Rename packet misses the first two stages; correlate packets per connection or per source host.
- The ROP chains in the public exploits reference specific DLL versions (dao360.dll, MSJET40.dll, msjtes40.dll) that must be present on the target. Gadget addresses differ if other DLL versions are loaded, so address-based indicators only catch the unmodified public modules.
- After the payload exits, IGSSdataServer.exe is expected to recover automatically, so the service may not crash or restart in a way that leaves an obvious trace; do not rely on service-crash events alone for post-exploitation forensics.
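As an added worked example (not from the page's sources or from the Metasploit modules), the indicators above applied to raw TCP/12401 payloads in Python. It assumes the 6-byte prefix and opcode offset stated above, and additionally assumes, from the two IOC byte strings, that the little-endian DWORD at offset 14 is the command ID (0x01 in the 0x0D sample, 0x02 = Rename in the 0x07 sample); the 256-byte size threshold, the flow key, the stage-1 request shape and the sample packets are constructed for the demonstration.

```python
import struct
from collections import defaultdict

HEADER = b"\x00\x04\x01\x00\x34\x12"   # fixed prefix of both IOC byte strings above
OPCODE_OFFSET = 6                       # opcode byte follows the prefix
COMMAND_OFFSET = 14                     # assumption: LE DWORD at offset 14 is the command ID
MIN_LEN = COMMAND_OFFSET + 4

SUSPECT_OPCODES = {
    0x0D: "file commands (ListAll/WriteFile/ReadFile/Delete/RenameFile/FileInfo)",
    0x07: "RMS report template commands (Add/ReadFile/WriteFile/Rename/Delete)",
    0x08: "STDREP request (command 0x04 formats an UPDATE query into a 256-byte buffer)",
}
RMS_RENAME, RMS_ADD = 0x02, 0x04        # command IDs named in the Rename module

# Assumption: legitimate requests stay well below the 256-byte STDREP stack buffer.
# Baseline this against your own IGSS traffic before deploying.
SIZE_THRESHOLD = 256

# Egghunter tags of the two public modules. Metasploit stores the egg as the tag
# repeated twice in front of the shellcode, so the doubled form is what to match.
EGG_MARKERS = (b"w00tw00t", b"W00TW00T")

# ROP pivots from the public modules; on the wire they are little-endian DWORDs.
ROP_PIVOTS = {
    0x1B77CA8C: "dao360.dll ADD ESP,1388; RETN (ListAll module)",
    0x1B0938B8: "MSJET40.dll ADD ESP,910; RETN 10 (Rename module, XP SP3)",
    0x1B093622: "MSJET40.dll pivot (Rename module, 2003 SP2 / R2 SP2)",
}
ROP_PATTERNS = {struct.pack("<I", addr): desc for addr, desc in ROP_PIVOTS.items()}


def parse_request(payload):
    """Return (opcode, command) for a payload carrying the IGSS prefix, else None."""
    if not payload.startswith(HEADER) or len(payload) < MIN_LEN:
        return None
    (command,) = struct.unpack_from("<I", payload, COMMAND_OFFSET)
    return payload[OPCODE_OFFSET], command


def inspect_payload(payload):
    """Stateless indicators for one packet: oversized suspect opcode, egg tag, ROP pivot."""
    findings = []
    parsed = parse_request(payload)
    if parsed and parsed[0] in SUSPECT_OPCODES and len(payload) > SIZE_THRESHOLD:
        opcode, command = parsed
        findings.append("oversized request (%d bytes) opcode 0x%02X command 0x%02X: %s"
                        % (len(payload), opcode, command, SUSPECT_OPCODES[opcode]))
    findings += ["egghunter tag %r" % m for m in EGG_MARKERS if m in payload]
    findings += ["ROP pivot %s (%s)" % (p.hex(), d) for p, d in ROP_PATTERNS.items() if p in payload]
    return findings


class ConnectionTracker:
    """Stateful check for the Rename module's three-stage chain on one flow:
    egg-tagged stage-1 payload, then RMS Add (0x07/0x04), then oversized RMS Rename (0x07/0x02)."""

    def __init__(self):
        self.stage = defaultdict(int)   # flow key -> highest stage reached (0..3)

    def observe(self, flow, payload):
        """Advance the flow's stage on each packet; True once the full chain has been seen."""
        stage = self.stage[flow]
        parsed = parse_request(payload)
        if stage == 0 and any(m in payload for m in EGG_MARKERS):
            stage = 1
        elif stage == 1 and parsed == (0x07, RMS_ADD):
            stage = 2
        elif stage == 2 and parsed == (0x07, RMS_RENAME) and len(payload) > SIZE_THRESHOLD:
            stage = 3
        self.stage[flow] = stage
        return stage == 3


def build_request(opcode, command, body=b""):
    """Constructed request layout matching the IOC samples: prefix, opcode, 7 zero bytes,
    command DWORD repeated twice, then the body. build_request(0x0D, 1) equals the first IOC."""
    return HEADER + bytes([opcode]) + b"\x00" * 7 + struct.pack("<II", command, command) + body


def demo():
    """Run the indicators over a constructed benign request and a constructed three-stage attack."""
    tracker = ConnectionTracker()
    flow = ("198.51.100.7", "192.0.2.10", 12401)                       # constructed flow key
    packets = [
        build_request(0x0D, 0x01),                                      # IOC sample: short, benign shape
        build_request(0x07, RMS_ADD, b"W00TW00T" + b"\x90" * 40),       # stage 1 carrier (shape assumed)
        build_request(0x07, RMS_ADD),                                   # stage 2: Add to obtain an ID
        build_request(0x07, RMS_RENAME, b"A" * 300 + struct.pack("<I", 0x1B0938B8) + b"B" * 100),
    ]
    return [(inspect_payload(p), tracker.observe(flow, p)) for p in packets]


if __name__ == "__main__":
    for findings, chain_complete in demo():
        print(findings, "<- chain complete" if chain_complete else "")
```

The stateless check fires on the final Rename packet (size plus the MSJET40.dll pivot bytes) and on the egg-carrying stage-1 packet, but sees nothing in the short Add packet; only the per-flow tracker ties the three packets together, which is the point of the multi-stage caveat above. Swap the gadget addresses for your own if the target loads other DLL versions.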
No detection rules found.
Exploit-DB · 2011-06-09 · CVE-2011-1567
7-Technologies IGSS 9 - IGSSdataServer .Rms Rename Buffer Overflow (Metasploit)
---
##
# $Id: igss9_igssdataserver_rename.rb 12886 2011-06-09 06:04:04Z sinn3r $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'        => "7-Technologies IGSS 9 IGSSdataServer .RMS Rename Buffer Overflow",
      'Description' => %q{
          This module exploits a vulnerability found on 7-Technologies IGSS 9. By supplying
          a long string of data to the 'Rename' (0x02), 'Delete' (0x03), or 'Add' (0x04) command,
          a buffer overflow condition occurs in IGSSdataServer.exe while handling an RMS r
Exploit-DB · 2011-05-16 · CVE-2011-1567
7-Technologies IGSS 9.00.00 b11063 - 'IGSSdataServer.exe' Remote Stack Overflow (Metasploit)
---
##
# $Id: igss9_igssdataserver_listall.rb 12639 2011-05-16 19:30:17Z sinn3r $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'        => "7-Technologies IGSS IGSSdataServer.exe Stack Buffer Overflow",
      'Description' => %q{
          This module exploits a vulnerability in the igssdataserver.exe component of 7-Technologies
          IGSS up to version 9.00.00 b11063. While processing a ListAll command, the application
          fails to do proper bounds checking before copying data into a small buffer on the stack.
          This causes a buffer overflow an
Exploit-DB · 2011-03-22 · CVE-2011-1568
7-Technologies IGSS 9.00.00.11059 - Multiple Vulnerabilities
---
Sources:
http://aluigi.org/adv/igss_1-adv.txt
http://aluigi.org/adv/igss_2-adv.txt
http://aluigi.org/adv/igss_3-adv.txt
http://aluigi.org/adv/igss_4-adv.txt
http://aluigi.org/adv/igss_5-adv.txt
http://aluigi.org/adv/igss_6-adv.txt
http://aluigi.org/adv/igss_7-adv.txt
http://aluigi.org/adv/igss_8-adv.txt
Advisory Archive: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17024-adv.tar.gz (igss_adv.tar.gz)
PoC Archive: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17024-poc.tar.gz (igss_poc.tar.gz)
#######################################################################
Luigi Auriemma
Application: IGSS (Interactive Graphical SCADA System)
http://www.igss.com
Metasploit
7-Technologies IGSS IGSSdataServer.exe Stack Buffer Overflow
This module exploits a vulnerability in the igssdataserver.exe component of 7-Technologies IGSS up to version 9.00.00 b11063. While processing a ListAll command, the application fails to do proper bounds checking before copying data into a small buffer on the stack. This causes a buffer overflow and allows overwriting a structured exception handling record on the stack, allowing unauthenticated remote code execution. After the payload exits, IGSSdataServer.exe should automatically recover.
Metasploit
7-Technologies IGSS 9 IGSSdataServer .RMS Rename Buffer Overflow
This module exploits a vulnerability found on 7-Technologies IGSS 9. By supplying a long string of data to the 'Rename' (0x02), 'Delete' (0x03), or 'Add' (0x04) command, a buffer overflow condition occurs in IGSSdataServer.exe while handling an RMS report, which results in arbitrary code execution under the context of the user. The attack is carried out in three stages. The first stage sends the final payload to IGSSdataServer.exe, which will remain in memory. The second stage sends the Add command so the process can find a valid ID for the Rename command. The last stage then triggers the vulnerability with the Rename command, and uses an egghunter to search for the shellcode that we sent in stage 1. The use of egghunter appears
No writeups or analysis indexed.
References:
http://aluigi.org/adv/igss_2-adv.txt
http://aluigi.org/adv/igss_3-adv.txt
http://aluigi.org/adv/igss_4-adv.txt
http://aluigi.org/adv/igss_5-adv.txt
http://aluigi.org/adv/igss_7-adv.txt
http://secunia.com/advisories/43849
http://securityreason.com/securityalert/8179
http://securityreason.com/securityalert/8251
http://www.exploit-db.com/exploits/17024
http://www.securityfocus.com/bid/46936
http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-080-03.pdf
http://www.vupen.com/english/advisories/2011/0741