CVE-2012-3815
Published 2012-06-27
Priority: P2 · 69 · critical · CVSS 2.0 base score 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit available
EPSS: 44.34% (98.6th percentile)
Buffer overflow in RunTime.exe in Sielco Sistemi Winlog Pro SCADA before 2.07.18 and Winlog Lite SCADA before 2.07.18 allows remote attackers to execute arbitrary code via a crafted packet to TCP port 46824. NOTE: some of these details are obtained from third party information.
Affected
56 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sielcosistemi | winlog_lite | <= 2.07.14 | — |
| sielcosistemi | winlog_lite | <= 2.07.16 | — |
Detection & IOCs (extracted from sources)

Byte sequence: `\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14`

- Alert on TCP connections to port 46824 carrying oversized packets (>= 2000 bytes of random alpha data followed by a second packet containing 0x14 repeated 10 times) targeting the RunTime.exe SCADA service.
- Detect the two-stage exploit pattern: a first TCP packet of roughly 2000 or more bytes (shellcode/egg placement) followed immediately by a second packet containing the byte sequence 0x14 0x14 0x14 0x14 0x14 0x14 0x14 0x14 0x14 0x14 as the crash trigger on port 46824.
- Monitor for egghunter shellcode patterns in TCP payloads on port 46824, as the exploit uses a two-stage egghunter technique to locate and execute the payload.
- Flag any process spawned by RunTime.exe on Windows SCADA hosts, as successful exploitation results in arbitrary code execution under the RunTime.exe process context.
- Note: the Metasploit module targets versions 2.07.14–2.07.16; the NVD advisory states the vulnerability is fixed in 2.07.18, so version 2.07.17 may also be affected but is not covered by the public exploit module.
GHSA
GHSA-j7fr-8w47-9f6w: Stack-based buffer overflow in RunTime
ghsa_unreviewed · 2022-05-17 · CVSS 9.3 · CVE-2012-4353 · [CRITICAL] · CWE-119
Stack-based buffer overflow in RunTime.exe in Sielco Sistemi Winlog Pro SCADA before 2.07.17 and Winlog Lite SCADA before 2.07.17 allows remote attackers to execute arbitrary code via a crafted port-46824 TCP packet that triggers an incorrect file-open attempt by the _TCPIPS_BinOpenFileFP function, a different vulnerability than CVE-2012-3815. NOTE: some of these details are obtained from third party information.
GHSA
GHSA-ffjv-cr82-26g3: Buffer overflow in RunTime
ghsa_unreviewed · 2022-05-17 · CVE-2012-3815 · [HIGH] · CWE-119
Buffer overflow in RunTime.exe in Sielco Sistemi Winlog Pro SCADA before 2.07.18 and Winlog Lite SCADA before 2.07.18 allows remote attackers to execute arbitrary code via a crafted packet to TCP port 46824. NOTE: some of these details are obtained from third party information.
CISA ICS
Sielco Sistemi Winlog Multiple Vulnerabilities (Update A)
cisa_ics · 2012-07-31 · CVSS 9.3 · [CRITICAL]
ICS Advisory
Alert Code: ICSA-12-213-01A
Last Revised: September 06, 2018
## OVERVIEW
This updated advisory is a follow-up to the original advisory titled ICSA-12-213-01 - Sielco Sistemi Winlog Multiple Vulnerabilities that was published July 31, 2012, on the NCCIC/ICS-CERT web site. The updated advisory matches new CVE identifiers up with other publicly available vulnerability disclosures[1] and databases.[2]

[1] Secunia Advisory SA49395, http://secunia.com/community/advisories/49395, web site last accessed March 18, 2014.
[2] OSVDB, http://web.nvd.nist
No detection rules found.
Exploit-DB
Sielco Sistemi Winlog 2.07.16 - Multiple Vulnerabilities
exploitdb · 2012-06-27 · CVE-2012-4357
---
#######################################################################
Luigi Auriemma
Application: Sielco Sistemi Winlog
http://www.sielcosistemi.com/en/products/winlog_scada_hmi/
Versions: Options->TCP/IP" section of the project we want to run
and Runtime.exe will listen on the TCP port 46824.
The part of the server running on this port uses a static buffer of
0x119 bytes to handle the incoming data so all the vulnerabilities
explained below can be exploited using these fixed addresses.
Then the exception handler used by the server allows performing many
attempts without altering the normal work of the program.
A] DbiGetRecordCount code execution
```text
DbfIntf.DbiGetRecordCount:
0038354B 8B10 MOV EDX,DWORD PTR DS:[EAX]
00383
```
Exploit-DB
Sielco Sistemi Winlog 2.07.14 - Remote Buffer Overflow (Metasploit)
exploitdb · 2012-06-08 · CVE-2012-3815
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Sielco Sistemi Winlog Buffer Overflow 2.07.14',
      'Description'    => %q{
          This module exploits a buffer overflow in Sielco Sistem Winlog MSF_LICENSE,
      'Author'         =>
        [
          'm-1-k-3 '
        ],
      'References'     =>
        [
          [ 'BID', '53811'],
          [ 'URL', 'http://www.s3cur1ty.de' ],
          [ 'URL', 'http://www.sielcosistemi.com/en/download/public/winlog_lite.html' ]
        ],
      'DefaultOptions' =>
        {
          'ExitFunction' => 'process',
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'Space'    => 2
```
Metasploit
Sielco Sistemi Winlog Buffer Overflow 2.07.14 - 2.07.16
metasploit
This module exploits a buffer overflow in Sielco Sistem Winlog <= 2.07.16. When sending a specially formatted packet to the Runtime.exe service on port 46824, an attacker may be able to execute arbitrary code.
No writeups or analysis indexed.
References:

- http://archives.neohapsis.com/archives/bugtraq/2012-06/0009.html
- http://secunia.com/advisories/49395
- http://securitytracker.com/id?1027128
- http://www.osvdb.org/82654
- http://www.s3cur1ty.de/m1adv2012-001
- http://www.securityfocus.com/bid/53811
- http://www.sielcosistemi.com/en/news/index.html?id=69
- http://www.sielcosistemi.com/en/news/index.html?id=70
- http://www.us-cert.gov/control_systems/pdf/ICSA-12-213-01.pdf
- https://exchange.xforce.ibmcloud.com/vulnerabilities/76060