Siemens Automation License Manager - exploit.company
Vendor: Automation License Manager
By: Luigi Auriemma
CVSS: 7.5 (HIGH)
Impact: Buffer overflow, code execution, service exceptions
CWE: 119
Product Name: Automation License Manager
Affected Version From: <= 500.0.122.1
Affected Version To:
Patch Exists: YES
Related CWE:
CPE: a:siemens:automation_license_manager
Metasploit:
Other Scripts:
Platforms Tested: Windows
Year: 2011

Siemens Automation License Manager

Siemens Automation License Manager is vulnerable to a buffer overflow in the handling of the serialid field used in the *_licensekey commands, which can lead to code execution. Additionally, there are vulnerabilities that can be exploited to raise exceptions in the service.

Mitigation:

Apply the provided fix or update to a patched version of the software.

Exploit-DB raw data:

#######################################################################

                             Luigi Auriemma

Application:  Siemens Automation License Manager
              http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&lang=en&siteid=cseus&aktprim=0&extranet=standard&viewreg=WW&objid=10805384&treeLang=en
Versions:     <= 500.0.122.1
Platforms:    Windows
Bugs:         A] Service *_licensekey serialid code execution
              B] Service exceptions
              C] Service NULL pointer
              D] almaxcx.dll files overwriting
Exploitation: remote
Date:         28 Nov 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Siemens Automation License Manager is the system used by Siemens for
handling the remote and local licenses of its HMI, SCADA and
industrial products.
This service is available in most of the products and is necessary for
their usage.


#######################################################################

=======
2) Bugs
=======


-----------------------------------------------
A] Service *_licensekey serialid code execution
-----------------------------------------------

Buffer overflow in the handling of the serialid field used in the
various *_licensekey commands that share the same function for parsing
the parameters.
The vulnerability leads to code execution:

  011C7D96   8B01             MOV EAX,DWORD PTR DS:[ECX]
  011C7D98   8B10             MOV EDX,DWORD PTR DS:[EAX]    ; controlled
  011C7D9A   6A 01            PUSH 1
  011C7D9C   FFD2             CALL EDX


---------------------
B] Service exceptions
---------------------

Some long fields can be used to raise an exception:

  The exception unknown software exception (0xc0000417) occurred in
  the application at location 0x????????.

The exception is caused by the usage of wcscpy_s in some functions
that copy the values passed by the client into stack buffers.
This is what happens with open_session->workstation->NAME (function
00412060) or grant->VERSION and so on.

Note that in some systems the exception doesn't lead to a direct Denial
of Service (except the resources for the thread left active).
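Bugs A and B share one root cause: a client-supplied field is copied into a fixed stack buffer without checking its length first, so plain wcscpy overflows and wcscpy_s aborts the thread through the CRT invalid-parameter handler. The C example below is added here and is not part of Auriemma's advisory or of Siemens code; it shows a bounded copy that rejects an over-long serialid instead of overflowing or raising the exception. SERIALID_MAX, the function names and the constructed input are assumptions, not values from the advisory.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>
/* Hypothetical limit: the advisory does not state the real buffer size. */
#define SERIALID_MAX 32   /* characters, not counting the terminator */
typedef enum { FIELD_OK = 0, FIELD_TOO_LONG = 1, FIELD_BAD_ARG = 2 } field_rc;

/* Bounded copy of a client-supplied wide string into a fixed buffer.
 * Plain wcscpy would overflow the stack buffer (bug A); wcscpy_s would
 * not overflow but hands an over-long source to the CRT invalid-parameter
 * handler, which is the 0xC0000417 exception of bug B. The length is
 * checked first here, so an oversized field is rejected and the thread lives. */
field_rc copy_field(wchar_t *dst, size_t dst_chars, const wchar_t *src)
{
    size_t n = 0;
    if (dst == NULL || src == NULL || dst_chars == 0)
        return FIELD_BAD_ARG;
    while (n < dst_chars && src[n] != L'\0')   /* never read past dst_chars */
        n++;
    if (n >= dst_chars) {          /* no room left for the terminator */
        dst[0] = L'\0';            /* leave dst in a defined state */
        return FIELD_TOO_LONG;
    }
    wmemcpy(dst, src, n + 1);      /* n characters plus L'\0' */
    return FIELD_OK;
}

/* Stand-in for the shared *_licensekey parameter parser: the serialid
 * goes into a fixed stack buffer, but only after the length check. */
field_rc check_serialid(const wchar_t *serialid)
{
    wchar_t buf[SERIALID_MAX + 1];
    return copy_field(buf, sizeof buf / sizeof buf[0], serialid);
}

/* Constructed input (not a real serialid): n repeated 'A' characters. */
const wchar_t *constructed_serialid(size_t n)
{
    static wchar_t s[512];
    if (n > 511) n = 511;
    wmemset(s, L'A', n);
    s[n] = L'\0';
    return s;
}
int main(void)
{
    printf("32 chars -> %d\n", check_serialid(constructed_serialid(32)));
    printf("300 chars -> %d\n", check_serialid(constructed_serialid(300)));
    return 0;
}
```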


-----------------------
C] Service NULL pointer
-----------------------

NULL pointer dereference in the handling of the get_target_ocx_param
and send_target_ocx_param commands.

Note that in some systems the exception doesn't lead to a direct Denial
of Service (except the resources for the thread left active).


--------------------------------
D] almaxcx.dll files overwriting
--------------------------------

The almaxcx.dll ActiveX component (ALMListView.ALMListCtrl
E57AF4A2-EF57-41D0-8512-FECDA78F1FE7) has a Save method that allows
specifying an arbitrary filename to save to.
The effect is the overwriting of any file with this empty one (just 2
bytes "\r\n").

Note that I can't exclude the possibility of controlling the content of
the saved file, allowing code execution; indeed I didn't test the
component deeper to check this hypothesis, so it remains open, and whoever
has more experience than me with this component can confirm it or not.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/almsrvx_1.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18165.zip

A]
  almsrvx_1 almsrvx_1a.dat SERVER

B]
  almsrvx_1 almsrvx_1b1.dat SERVER
  almsrvx_1 almsrvx_1b2.dat SERVER

C]
  almsrvx_1 almsrvx_1c.dat SERVER

D]
  almsrvx_1d.htm


#######################################################################

======
4) Fix
======


No fix.


#######################################################################