DATAC RealWin SCADA Server TAG function stack overflow

Added: 04/20/2011
CVE: CVE-2011-1563
BID: 46937

Background

RealWin is a Supervisory Control and Data Acquisition (SCADA) server distributed by DATAC.

Problem

A stack-based buffer overflow in the RealWin server's tag-handling functions allows remote attackers to execute arbitrary commands by sending an overly long, specially crafted FC_CTAGLIST_FCS_CADDTAG, FC_CTAGLIST_FCS_CDELTAG, or FC_CTAGLIST_FCS_ADDTAGMS packet.

Resolution

Block access to port 910/TCP.

References

http://aluigi.org/adv/realwin_3-adv.txt
http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-080-04.pdf
http://secunia.com/advisories/43848

Limitations

This exploit works against RealFlex RealWin SCADA System 1.6a on Windows Server 2003 SP2 English (DEP OptOut) with KB956802 and KB2393802, and on Windows Server 2008 SP2 English (DEP AlwaysOff).

Platforms

Windows Server 2003
Windows Server 2008