CVE-2012-4356
Published 2012-08-19
Priority P3 · 44 · medium · CVSS 2.0: 4.3
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
EXPLOIT
EPSS: 27.49% (97.8th percentile)
Multiple directory traversal vulnerabilities in Sielco Sistemi Winlog Pro SCADA before 2.07.17 and Winlog Lite SCADA before 2.07.17 allow remote attackers to read arbitrary files via port-46824 TCP packets specifying a file-open operation with opcode 0x78 and a .. (dot dot) in a pathname, followed by a file-read operation with opcode (1) 0x96, (2) 0x97, or (3) 0x98.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sielcosistemi | winlog_lite | <= 2.07.16 | — |
| sielcosistemi | winlog_lite | — | — |
Detection & IOCs (extracted from sources)
- Detect directory traversal attempts targeting port 46824/TCP: look for TCP packets to this port containing '..' (dot dot) sequences in the payload, particularly following an opcode 0x78 file-open operation.
- Alert on TCP traffic to port 46824 where the payload contains opcode bytes 0x96, 0x97, or 0x98 (file-read operations), especially when preceded by an opcode 0x78 open request; this two-stage sequence is the full exploit pattern.
- Monitor for unexpected inbound connections to port 46824/TCP on SCADA hosts running Runtime.exe (Sielco Sistemi Winlog), especially from external or untrusted network segments.
- Vulnerability affects Winlog Pro and Winlog Lite versions prior to 2.07.17; the Metasploit module was validated against Winlog Lite 2.07.14 specifically, so detections should account for both product lines.
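The two-stage pattern in the bullets above can be tracked per TCP flow. The following is an added detection sketch, not code from any of the cited sources; it assumes the opcode is the first payload byte (the page does not give the packet framing, so the offset is a parameter), and the sample packets and filenames are constructed.

```python
WINLOG_PORT = 46824
OP_OPEN = 0x78                   # file-open opcode named in the CVE text
OP_READ = (0x96, 0x97, 0x98)     # file-read opcodes named in the CVE text


def detect_traversal_reads(packets, opcode_offset=0):
    """Scan (src, sport, dst, dport, payload) tuples in capture order.

    ASSUMPTION: the opcode sits at `opcode_offset` in each payload; adjust
    it once the real framing is confirmed from a capture.
    Emits a 'medium' alert for an open containing '..' and a 'high' alert
    when a read opcode follows on the same flow.
    """
    armed = set()    # flows that already sent a suspicious open
    alerts = []
    for src, sport, dst, dport, payload in packets:
        if dport != WINLOG_PORT or len(payload) <= opcode_offset:
            continue
        flow = (src, sport, dst)
        opcode = payload[opcode_offset]
        body = payload[opcode_offset + 1:]
        if opcode == OP_OPEN and b".." in body:
            armed.add(flow)
            alerts.append({"stage": "open", "severity": "medium",
                           "src": src, "dst": dst, "opcode": opcode})
        elif opcode in OP_READ and flow in armed:
            alerts.append({"stage": "read", "severity": "high",
                           "src": src, "dst": dst, "opcode": opcode})
    return alerts


# Constructed sample traffic (not captured from a real system).
SAMPLE_PACKETS = [
    ("10.0.0.5", 40001, "10.0.0.20", 46824, b"\x78" + b"..\\..\\example.txt"),
    ("10.0.0.5", 40001, "10.0.0.20", 46824, b"\x97"),
    ("10.0.0.9", 40002, "10.0.0.20", 46824, b"\x78" + b"project.dat"),
    ("10.0.0.9", 40002, "10.0.0.20", 46824, b"\x96"),   # read after a clean open
    ("10.0.0.5", 40003, "10.0.0.20", 502, b"\x78.."),    # different port, ignored
]

if __name__ == "__main__":
    for alert in detect_traversal_reads(SAMPLE_PACKETS):
        print(alert)
```

A flow stays armed after its first suspicious open, so reads that arrive later in the same connection still escalate.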
GHSA
GHSA-mv85-fm4m-5g93: Multiple directory traversal vulnerabilities in Sielco Sistemi Winlog Pro SCADA before 2
ghsa_unreviewed·2022-05-17
CVE-2012-4356 [MEDIUM] CWE-22 GHSA-mv85-fm4m-5g93: Multiple directory traversal vulnerabilities in Sielco Sistemi Winlog Pro SCADA before 2
CISA ICS
Sielco Sistemi Winlog Multiple Vulnerabilities (Update A)
cisa_ics·2012-07-31·CVSS 9.3
[CRITICAL] Sielco Sistemi Winlog Multiple Vulnerabilities (Update A)
Last Revised: September 06, 2018
Alert Code: ICSA-12-213-01A
## OVERVIEW
This updated advisory is a follow-up to the original advisory titled ICSA-12-213-01 - Sielco Sistemi Winlog Multiple Vulnerabilities that was published July 31, 2012, on the NCCIC/ICS-CERT web site. The updated advisory matches new CVE identifiers up with other publicly available vulnerability disclosures (Secunia Advisory SA49395, http://secunia.com/community/advisories/49395, web site last accessed March 18, 2014) and databases. OSVDB, http://web.nvd.nist
No detection rules found.
Exploit-DB
Sielco Sistemi Winlog 2.07.16 - Multiple Vulnerabilities
exploitdb·2012-06-27
CVE-2012-4357 Sielco Sistemi Winlog 2.07.16 - Multiple Vulnerabilities
---
#######################################################################
Luigi Auriemma
Application: Sielco Sistemi Winlog
http://www.sielcosistemi.com/en/products/winlog_scada_hmi/
Versions: Options->TCP/IP" section of the project we want to run
and Runtime.exe will listen on the TCP port 46824.
The part of the server running on this port uses a static buffer of
0x119 bytes to handle the incoming data so all the vulnerabilities
explained below can be exploited using these fixed addresses.
Then the exception handler used by the server allows to perform many
attempts without altering the normal work of the program.
A] DbiGetRecordCount code execution
DbfIntf.DbiGetRecordCount:
0038354B 8B10 MOV EDX,DWORD PTR DS:[EAX]
00383
Metasploit
Sielco Sistemi Winlog Remote File Access
metasploit
This module exploits a directory traversal in Sielco Sistemi Winlog. The vulnerability exists in the Runtime.exe service and can be triggered by sending a specially crafted packet to the 46824/TCP port. This module has been successfully tested on Sielco Sistemi Winlog Lite 2.07.14.
No writeups or analysis indexed.
References:
- http://aluigi.org/adv/winlog_2-adv.txt
- http://secunia.com/advisories/49395
- http://www.sielcosistemi.com/en/news/index.html?id=69
- http://www.us-cert.gov/control_systems/pdf/ICSA-12-213-01.pdf