header-logo
Suggest Exploit
vendor:
RSLogix
by:
Luigi Auriemma
7.5
CVSS
HIGH
Denial of Service
119
CWE
Product Name: RSLogix
Affected Version From: <= 19 (RsvcHost.exe 2.30.0.23)
Affected Version To: <= 19 (RsvcHost.exe 2.30.0.23)
Patch Exists: NO
Related CWE: N/A
CPE: //a:rockwellautomation:rslogix:19
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2011

Denial of Service in Rockwell RSLogix

RsvcHost.exe and RNADiagReceiver.exe listen on ports 4446 and others. These services use RnaUtility.dll which doesn't handle the 32bit size field located in the 'rna' packets with results like a memset zero overflow and invalid read access.

Mitigation:

No fix.
Source

Exploit-DB raw data:

#######################################################################

                             Luigi Auriemma

Application:  Rockwell RSLogix
              http://www.rockwellautomation.com/rockwellsoftware/design/rslogix5000/
Versions:     <= 19 (RsvcHost.exe 2.30.0.23)
Platforms:    Windows
Bug:          Denial of Service
Exploitation: remote
Date:         13 Sep 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From vendor's website:
"With RSLogix 5000 programming software, you need only one software
package for discrete, process, batch, motion, safety and drive-based
application."


#######################################################################

======
2) Bug
======


RsvcHost.exe and RNADiagReceiver.exe listen on ports 4446 and others.

These services use RnaUtility.dll which doesn't handle the 32bit size
field located in the "rna" packets with results like a memset zero
overflow and invalid read access.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/rslogix_1.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17843.zip

  nc SERVER 4446 < rslogix_1a.dat
  nc SERVER 4446 < rslogix_1b.dat


#######################################################################

======
4) Fix
======


No fix.


#######################################################################

Navigation

Suggest Exploit

Services By CQR