WellinTech KingView History Server Buffer Overflow Vulnerability
December 21, 2011
Zero Day Initiative (ZDI) has disclosed to ICS-CERT a report
concerning a heap-based buffer overflow vulnerability in
WellinTech's KingView HistoryServer.exe, which may allow a
remote, unauthenticated attacker to execute arbitrary code.
This vulnerability was reported to ZDI by independent
security researcher Luigi Auriemma.
This vulnerability allows remote attackers to execute
arbitrary code on vulnerable installations of WellinTech
KingView. Authentication is not required to exploit this
vulnerability. Failed exploit attempts will likely result in
denial-of-service (DoS) conditions.
The specific flaw exists within the protocol parsing code
inside nettransdll.dll. The parent service is called
HistoryServer.exe and listens on port 777/tcp. When a packet
with op-code 3 is received, the service allocates memory
from the heap based on the 10th and 11th bytes of the packet
(element count). Packet data is then copied into the
allocated buffer based on the first two bytes of the packet
(packet size). The two length fields are never checked against
each other, so an attacker who sets a small element count and
a large packet size causes the copy to overrun the heap
allocation. Exploiting this heap overflow allows remote
execution of arbitrary code in the context of the service
(Local System).
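The following C program is an added illustration of the length-handling flaw described above, not code from KingView or nettransdll.dll. It models the advisory's description (size field in bytes 0-1, element count in bytes 9-10, op-code 3 triggering the allocate-and-copy path) and adds its own assumptions, labelled in the comments: the op-code byte sits at offset 2, a 12-byte header precedes the elements, each element is 8 bytes, fields are little-endian, and the vulnerable copy covers the payload after the header. `would_overflow` reproduces the flawed arithmetic as a dry run (useful as detection logic on captured port 777/tcp traffic) and `safe_handle` shows the cross-checks a patched handler needs before it allocates.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Layout from the advisory plus illustrative assumptions (marked). */
#define SIZE_OFFSET    0   /* bytes 0-1: packet size (advisory) */
#define OPCODE_OFFSET  2   /* assumption: position of the op-code byte */
#define COUNT_OFFSET   9   /* bytes 9-10, i.e. the 10th and 11th bytes: element count (advisory) */
#define HEADER_LEN    12   /* assumption: fixed header preceding the elements */
#define ELEMENT_SIZE   8   /* assumption: bytes allocated per element */
#define OPCODE_ELEMS   3   /* op-code that triggers allocate-and-copy (advisory) */

/* 16-bit little-endian accessors; byte order is an assumption. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Build a constructed, zero-filled test packet with the given header fields.
 * Returns the bytes actually written: the declared size, capped at cap. */
size_t build_packet(uint8_t *buf, size_t cap, uint8_t opcode, uint16_t count, uint16_t size) {
    size_t n = size < cap ? size : cap;
    memset(buf, 0, cap);
    wr16(buf + SIZE_OFFSET, size);
    buf[OPCODE_OFFSET] = opcode;
    wr16(buf + COUNT_OFFSET, count);
    return n;
}

/* Dry run of the flawed arithmetic: the allocation is derived from the count
 * field, the copy length from the size field, and nothing ties them together.
 * Returns 1 when the copy would exceed the allocation (heap overflow), 0 when
 * it would not or the op-code is not 3, and -1 when the packet is too short
 * to hold the header. No memory is touched, so this is safe to run over
 * captured traffic. */
int would_overflow(const uint8_t *pkt, size_t pktlen) {
    if (pktlen < HEADER_LEN) return -1;
    if (pkt[OPCODE_OFFSET] != OPCODE_ELEMS) return 0;
    size_t alloc_len = (size_t)rd16(pkt + COUNT_OFFSET) * ELEMENT_SIZE;
    /* Assumed: the service copies everything after the header. A size field
     * below HEADER_LEN wraps to a huge value here, which the real code would
     * also treat as a very long copy. */
    size_t copy_len = (size_t)rd16(pkt + SIZE_OFFSET) - HEADER_LEN;
    return copy_len > alloc_len ? 1 : 0;
}

/* Hardened handler: every length is checked against the bytes actually
 * received and against the other length field before any allocation, and the
 * buffer is sized by the same value that drives the copy. On success *out
 * receives a malloc'd copy of the element payload and 0 is returned; any
 * inconsistency returns a negative code without allocating:
 *   -1 short packet, -2 other op-code, -3 size field exceeds data received,
 *   -4 size and count disagree, -5 allocation failure. */
int safe_handle(const uint8_t *pkt, size_t pktlen, uint8_t **out, size_t *outlen) {
    *out = NULL; *outlen = 0;
    if (pktlen < HEADER_LEN) return -1;
    if (pkt[OPCODE_OFFSET] != OPCODE_ELEMS) return -2;
    size_t size  = rd16(pkt + SIZE_OFFSET);
    size_t count = rd16(pkt + COUNT_OFFSET);
    if (size < HEADER_LEN || size > pktlen) return -3;     /* declared vs. on-the-wire length */
    size_t payload_len = size - HEADER_LEN;
    if (count * ELEMENT_SIZE != payload_len) return -4;    /* count cannot be satisfied by the payload */
    uint8_t *buf = malloc(payload_len);
    if (!buf) return -5;
    memcpy(buf, pkt + HEADER_LEN, payload_len);            /* copy length == allocation length */
    *out = buf; *outlen = payload_len;
    return 0;
}
```

A consistent op-code 3 packet (count 2, size 28) passes both functions; one declaring count 1 with size 64 is flagged by `would_overflow` and rejected by `safe_handle` with -4. The detection rule generalises: on this service, any op-code 3 packet whose size field implies more payload than the count field can account for is malformed and worth alerting on, whatever the exact element size turns out to be.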
This item was listed on the ICS Vulnerability Reference page
as upcoming ZDI advisory ZDI-CAN-1261 and was later published
as ZDI-11-351. WellinTech has produced a patch, available for
download from its website, well ahead of the target date of
May 7, 2012.
The following WellinTech KingView version is affected:
- KingView v6.53 (65.30.2010.18018)
Other versions may also be affected.