
3S CoDeSys Multiple Vulnerabilities

December 2, 2011
(updated December 7, 2011)
(updated January 6, 2012)

Security researcher Luigi Auriemma has discovered and publicly disclosed multiple vulnerabilities in the CoDeSys application developed by 3S-Smart Software Solutions GmbH. At about the same time, Celil Unuver of SignalSEC Labs independently found similar vulnerabilities and coordinated their disclosure with ICS-CERT and 3S. According to the information available, none of the proof-of-concept code developed by Unuver has been released publicly.

1)  Integer Overflow
An integer overflow error in the Gateway service when processing certain requests can be exploited to cause a heap-based buffer overflow via a specially crafted packet sent to port 1217/tcp. Attackers can exploit this issue to execute arbitrary code within the context of the Gateway service. Failed attacks are likely to crash the service, causing a denial-of-service condition.
(Credit: Luigi Auriemma)

2)  Stack Overflow
A boundary error in the Control service when processing web requests can be exploited to cause a stack-based buffer overflow via an overly long URL sent to port 8080/tcp. Attackers can exploit this issue to execute arbitrary code within the context of the Control service. Failed attacks are likely to crash the service, causing a denial-of-service condition.
(Credit: Celil Unuver, Luigi Auriemma)

3)  Content-Length Null Pointer
A NULL pointer dereference error in the CmbWebserver.dll module of the Control service when processing HTTP POST requests can be triggered via a specially crafted "Content-Length" header sent to port 8080/tcp. The service stops processing further requests. Unlike items 1 and 2, this is a denial-of-service issue only; a NULL pointer dereference of this kind does not give the attacker code execution.
(Credit: Luigi Auriemma)

4)  Invalid HTTP Request Null Pointer
A second NULL pointer dereference error in the CmbWebserver.dll module of the Control service when processing web requests can be exploited to deny processing further requests by sending a request with an unknown HTTP method to port 8080/tcp.
(Credit: Luigi Auriemma)

5)  Folders Creation
An error in the Control service when processing web requests that reference a non-existent directory can be exploited to create arbitrary directories within the webroot via requests sent to port 8080/tcp.
(Credit: Luigi Auriemma)
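Items 2, 3 and 4 above all describe malformed HTTP traffic to the Control service on 8080/tcp (an overly long URL, a POST with a crafted Content-Length header, an unknown HTTP method), which is enough to write a simple triage rule for captured requests. The following is an added example, not code from the advisory, 3S, or either researcher; the URL length threshold, the Content-Length sanity bound and the sample requests are all constructed assumptions. Item 5 (directory creation) cannot be recognised from the request alone without knowing the webroot, so it is not covered here, and item 1 is on a different, non-HTTP port.

```python
"""Triage rule for HTTP requests to the CoDeSys Control service (8080/tcp).

Example code added to this page; it does not reproduce the vulnerable
CoDeSys code or any PoC. Thresholds are assumptions, not values from the
advisory.
"""

WEB_PORT = 8080

# Standard HTTP/1.1 methods; anything else maps to item 4 (unknown method).
KNOWN_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE",
                 "OPTIONS", "TRACE", "CONNECT"}

# Assumption: the advisory says only "overly long URL"; 512 bytes is a
# conservative alerting threshold for a PLC web interface, tune as needed.
MAX_URL_LEN = 512

# Assumption: a Content-Length that is not a plain decimal, or exceeds a
# 31-bit value, is treated as "specially crafted" for item 3.
MAX_CONTENT_LENGTH = 2**31 - 1


def classify_request(dst_port: int, raw: str) -> list:
    """Return the advisory items (as short tags) that a raw request resembles.

    Only requests to WEB_PORT are considered; an empty list means no match.
    """
    hits = []
    if dst_port != WEB_PORT:
        return hits

    # Header block only; the body is irrelevant for these three checks.
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) < 2:
        # No parsable method/URL at all: treat like an unknown request (item 4).
        return ["4: malformed request line"]
    method, url = parts[0], parts[1]

    if method not in KNOWN_METHODS:
        hits.append("4: unknown HTTP method")
    if len(url) > MAX_URL_LEN:
        hits.append("2: overly long URL")

    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()

    if method == "POST":
        cl = headers.get("content-length")
        if cl is None or not cl.isdigit() or int(cl) > MAX_CONTENT_LENGTH:
            hits.append("3: malformed Content-Length on POST")
    return hits


# Constructed sample traffic (not captured from a real CoDeSys system).
SAMPLES = [
    (8080, "GET /webvisu.htm HTTP/1.1\r\nHost: plc\r\n\r\n"),
    (8080, "GET /" + "A" * 600 + " HTTP/1.1\r\nHost: plc\r\n\r\n"),
    (8080, "POST /upload HTTP/1.1\r\nContent-Length: -1\r\n\r\n"),
    (8080, "BOGUS / HTTP/1.1\r\nHost: plc\r\n\r\n"),
    (1217, "BOGUS / HTTP/1.1\r\n\r\n"),  # Gateway port, not the web server
]


def triage(samples=SAMPLES) -> dict:
    """Map each sample index to its matched advisory items."""
    return {i: classify_request(port, raw) for i, (port, raw) in enumerate(samples)}


if __name__ == "__main__":
    for i, hits in triage().items():
        print(i, hits or "clean")
```

A rule like this is a post-hoc detection aid for operators who cannot patch immediately; it does not replace the vendor update referenced below, and a benign client that happens to send long URLs will trip the length check, so treat the threshold as a starting point.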

ICS-CERT has coordinated these vulnerabilities with 3S-Smart Software Solutions, which has released new versions of both CoDeSys v3 and v2.3 that mitigate them. Mr. Auriemma has confirmed that the new versions fully resolve the reported vulnerabilities.

ICS-CERT Advisories / Alerts

ICSA-12-006-01
ICS-ALERT-11-336-01A
ICS-ALERT-11-336-01

Vendor Website (includes Patches / Hotfixes)

CoDeSys Product Info
CoDeSys Product Update Download (includes Free Trial Download)

Exploit Proof-of-Concept

Metasploit Framework (exploits/windows/scada/codesys_web_server.rb)
Exploit-DB ID 18187
Security Focus (ID 50849)
Security Focus (ID 50854)
Additional PoC links available in Disclosure Reference by Luigi Auriemma

Common Vulnerability & Exposure (CVE) References

CVE-2011-5008 (Integer Overflow)
NVD CVE-2011-5008
CVE-2011-5007 (Stack Overflow)
NVD CVE-2011-5007
CVE-2011-5009 (Content-Length/Invalid HTTP Request NULL Pointer)
NVD CVE-2011-5009

Additional Information

Disclosure (Luigi Auriemma)
Exploit-DB ID 18187
Open-Source Vulnerability Database #77386
Open-Source Vulnerability Database #77387
Open-Source Vulnerability Database #77388
Open-Source Vulnerability Database #77389
Secunia Advisory #47018
Secunia Vulnerability Report and Statistics on CoDeSys 3.x
Security Focus Vulnerability Info and Exploit Bugtraq ID 50849
Security Focus Vulnerability Info and Exploit Bugtraq ID 50854
Security Vulns ID #12069

Multiple Vulnerabilities for CoDeSys (ISSSource)
More Holes in CoDeSys Line (ISSSource)
Another SCADA Vulnerability Found (ISSSource)