
Update CVEs for RootedCon Yokogawa modules #3336

Merged
merged 1 commit into from May 5, 2014

Conversation

todb-r7
Copy link

@todb-r7 todb-r7 commented May 5, 2014

Noticed they were nicely documented at

http://chemical-facility-security-news.blogspot.com/2014/03/ics-cert-publishes-yokogawa-advisory.html

We apparently never updated with CVE numbers.

Verification steps

  • Check the info on the affected modules, see the new CVEs.

@jvazquez-r7
Copy link
Contributor

Processing...

@jvazquez-r7
Copy link
Contributor

msf > use exploit/windows/scada/yokogawa_bk
use exploit/windows/scada/yokogawa_bkbcopyd_bof  use exploit/windows/scada/yokogawa_bkhodeq_bof
msf > use exploit/windows/scada/yokogawa_bkbcopyd_bof
msf exploit(yokogawa_bkbcopyd_bof) > info

       Name: Yokogawa CENTUM CS 3000 BKBCopyD.exe Buffer Overflow
     Module: exploit/windows/scada/yokogawa_bkbcopyd_bof
   Platform: Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  juan vazquez <juan.vazquez@metasploit.com>
  Redsadic <julian.vilas@gmail.com>

Available targets:
  Id  Name
  --  ----
  0   Yokogawa CENTUM CS 3000 R3.08.50 / Windows XP SP3

Basic options:
  Name   Current Setting  Required  Description
  ----   ---------------  --------  -----------
  RHOST                   yes       The target address
  RPORT  20111            yes       The target port

Payload information:
  Space: 373
  Avoid: 4 characters

Description:
  This module exploits a stack based buffer overflow in Yokogawa
  CENTUM CS 3000. The vulnerability exists in the service BKBCopyD.exe
  when handling specially crafted packets. This module has been tested
  successfully on Yokogawa CENTUM CS 3000 R3.08.50 over Windows XP
  SP3.

References:
  http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf
  https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities
  http://cvedetails.com/cve/2014-0784/

msf exploit(yokogawa_bkbcopyd_bof) > use exploit/windows/scada/yokogawa_bk
use exploit/windows/scada/yokogawa_bkbcopyd_bof  use exploit/windows/scada/yokogawa_bkhodeq_bof
msf exploit(yokogawa_bkbcopyd_bof) > use exploit/windows/scada/yokogawa_bkhodeq_bof
msf exploit(yokogawa_bkhodeq_bof) > info

       Name: Yokogawa CENTUM CS 3000 BKHOdeq.exe Buffer Overflow
     Module: exploit/windows/scada/yokogawa_bkhodeq_bof
   Platform: Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Average

Provided by:
  juan vazquez <juan.vazquez@metasploit.com>
  Redsadic <julian.vilas@gmail.com>

Available targets:
  Id  Name
  --  ----
  0   Yokogawa CENTUM CS 3000 R3.08.50 / Windows [ XP SP3 / 2003 SP2 ]

Basic options:
  Name   Current Setting  Required  Description
  ----   ---------------  --------  -----------
  RHOST                   yes       The target address
  RPORT  20171            yes       The target port

Payload information:
  Space: 6000
  Avoid: 3 characters

Description:
  This module exploits a stack based buffer overflow in Yokogawa
  CENTUM CS 3000. The vulnerability exists in the service BKHOdeq.exe
  when handling specially crafted packets. This module has been tested
  successfully on Yokogawa CENTUM CS 3000 R3.08.50 over Windows XP SP3
  and Windows 2003 SP2.

References:
  http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf
  https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities
  http://cvedetails.com/cve/2014-0783/

msf exploit(yokogawa_bkhodeq_bof) > use auxiliary/dos/scada/yokogawa_logsvr
msf auxiliary(yokogawa_logsvr) > info

       Name: Yokogawa CENTUM CS 3000 BKCLogSvr.exe Heap Buffer Overflow
     Module: auxiliary/dos/scada/yokogawa_logsvr
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  juan vazquez <juan.vazquez@metasploit.com>
  Redsadic <julian.vilas@gmail.com>

Basic options:
  Name    Current Setting  Required  Description
  ----    ---------------  --------  -----------
  RHOST                    yes       The target address
  RLIMIT  10               yes       Number of packets to send
  RPORT   52302            yes       The target port

Description:
  This module abuses a buffer overflow vulnerability to trigger a
  Denial of Service of the BKCLogSvr component in the Yokogawa CENTUM
  CS 3000 product. The vulnerability exists in the handling of
  malformed log packets, with an unexpected long level field. The root
  cause of the vulnerability is a combination of usage of
  uninitialized memory from the stack and a dangerous string copy.
  This module has been tested successfully on Yokogawa CENTUM CS 3000
  R3.08.50.

References:
  http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf
  https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities
  http://cvedetails.com/cve/2014-0781/

msf auxiliary(yokogawa_logsvr) > exit -y
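
The verification step above is done by eye: run `info` on each module and look for the new CVE reference. The Ruby script below is an added example, not code from the Metasploit project or from this PR, that automates that check by parsing the plain-text `info` output. Its sample input is a constructed excerpt of the three dumps in the transcript, trimmed to the fields the parser reads (Module, RPORT, References); the function names and the CVE regex are this example's own.

```ruby
# Added example (not Metasploit code): parse msfconsole `info` output and
# report which modules still lack a CVE reference.

# Constructed sample: the three `info` dumps from the PR transcript, trimmed
# to the Module, RPORT and References fields.
SAMPLE_INFO = <<~TXT
  msf exploit(yokogawa_bkbcopyd_bof) > info

         Name: Yokogawa CENTUM CS 3000 BKBCopyD.exe Buffer Overflow
       Module: exploit/windows/scada/yokogawa_bkbcopyd_bof
     Platform: Windows

  Basic options:
    Name   Current Setting  Required  Description
    ----   ---------------  --------  -----------
    RHOST                   yes       The target address
    RPORT  20111            yes       The target port

  References:
    http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf
    http://cvedetails.com/cve/2014-0784/

  msf exploit(yokogawa_bkhodeq_bof) > info

         Name: Yokogawa CENTUM CS 3000 BKHOdeq.exe Buffer Overflow
       Module: exploit/windows/scada/yokogawa_bkhodeq_bof

  Basic options:
    RPORT  20171            yes       The target port

  References:
    http://cvedetails.com/cve/2014-0783/

  msf auxiliary(yokogawa_logsvr) > info

         Name: Yokogawa CENTUM CS 3000 BKCLogSvr.exe Heap Buffer Overflow
       Module: auxiliary/dos/scada/yokogawa_logsvr

  Basic options:
    RPORT   52302            yes       The target port

  References:
    http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf
    http://cvedetails.com/cve/2014-0781/
TXT

# Matches a CVE id either as a bare "CVE-2014-0784" reference or inside a
# cvedetails-style URL ".../cve/2014-0784/".
CVE_RE = /CVE[-\/](\d{4}-\d{4,})/i

# Returns { module_path => { cves: [...], rport: Integer or nil, refs: [...] } }.
def parse_msf_info(text)
  modules = {}
  current = nil
  in_refs = false

  text.each_line do |raw|
    line = raw.strip

    # A "Module:" line starts a new module record.
    if (m = line.match(/\AModule:\s+(\S+)\z/))
      current = m[1]
      modules[current] = { cves: [], rport: nil, refs: [] }
      in_refs = false
      next
    end
    next unless current

    if line == 'References:'
      in_refs = true
      next
    end

    if in_refs
      if line.empty?
        in_refs = false # a blank line closes the References block
      else
        modules[current][:refs] << line
        if (c = line.match(CVE_RE))
          modules[current][:cves] << "CVE-#{c[1]}"
        end
      end
      next
    end

    # Pick up the default RPORT from the Basic options table.
    if (p = line.match(/\ARPORT\s+(\d+)\s/))
      modules[current][:rport] = p[1].to_i
    end
  end
  modules
end

# Module paths whose References carry no CVE id at all.
def modules_missing_cve(text)
  parse_msf_info(text).select { |_, meta| meta[:cves].empty? }.keys
end

if __FILE__ == $PROGRAM_NAME
  parse_msf_info(SAMPLE_INFO).each do |mod, meta|
    puts "#{mod} (port #{meta[:rport]}): #{meta[:cves].join(', ')}"
  end
  missing = modules_missing_cve(SAMPLE_INFO)
  puts(missing.empty? ? 'all modules reference a CVE' : "missing CVE: #{missing.join(', ')}")
end
```

Run it against `msfconsole -q -x "use <module>; info; exit" | tee` output for any set of modules; a non-empty `modules_missing_cve` result is the list that still needs the metadata update this PR makes.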

@jvazquez-r7 jvazquez-r7 merged commit 3072c2f into rapid7:master May 5, 2014
jvazquez-r7 added a commit that referenced this pull request May 5, 2014
@todb-r7 todb-r7 deleted the update-yokogawa-cves branch November 25, 2014 17:45