Multiple vulnerabilities in Takebishi Electric DeviceXplorer MODBUS OPC server ============================================================================ == OPC servers provide a standard way to interoperate automation and control systems, bridging data from several industrial protocols such as DNP3, MODBUS, etc. to a more standard data access interface. They are often used in SCADA systems to consolidate network device information in a single point; as such OPC servers are usually considered critical applications. Takebishi Electric commercialises an OPC Server ("Takebishi.MODBUS.1"), more information is available at http://www.takebishi.co.jp/. ANALYSIS -------- The product presents various security vulnerabilities, allowing an attacker with access to the OPC interface to arbitrarily read and write the process memory, leading to the execution of attacker-provided code. The vulnerabilities reside in the server implementation of the following OPC Data Access interface methods: * IOPCServer::RemoveGroup By providing specially crafted OPC handles the attacker can force the server to access arbitrary memory in read/write operations which can be leveraged to execute arbitrary code in the OPC server. VULNERABLE VERSIONS ------------------- The vulnerability has been verified to be present in the following version of the server: Server name: DeviceXPlorer MODBUS OPC Server OPC Server CLSID: {31A50D31-56E5-4BC2-9FDB-F55E7AD3854E} ProgID: Takebishi.Modbus.1 Version: 3.11.6 OS: Windows XP The vulnerability was discovered during an OPC server group assessment for a customer and is not known to be publicly exploited. WORKAROUND ---------- The vendor has fixed the vulnerability and published an updated version. ADDITIONAL INFORMATION ---------------------- This vulnerability was found and researched by: Lluis Mora Xavier Panadero You can find the latest version of this advisory at: http://www.neutralbit.com/ Disclosure timeline: 12/Jan/2006: Vendor notified 12/Jan/2006: US-CERT notified 16/Mar/2006: Vendor published public advisory 21/Mar/2006: Neutralbit advisory published References: CERT: US-CERT Vulnerability Note VU#926551 CVE: CVE-2007-1319