IntelliCom NetBiter Hostname Buffer Overflow (Dec 22, 2009)

IntelliCom NetBiter webSCADA is an embedded Supervisory Control and Data Acquisition solution for various hardware devices, providing remote management through web browsers. NetBiter Config is a configuration utility shipped with NetBiter webSCADA. It is used to enumerate and configure compatible devices on the LAN.

NetBiter Config uses the HICP protocol to communicate with the devices. HICP is a proprietary protocol used to control managed devices in a SCADA environment. It runs over UDP port 3250, and its messages contain key = value pairs in plain text, separated by semicolons:

key = value ; key = value ; [...]

The following keys are known:

  • Configure: xx-xx-xx-xx-xx-xx;
  • Protocol version = ;
  • fb type = ;
  • module version =
  • mac = xx-xx-xx-xx-xx-xx;
  • hn = ;
  • ip = XXX.XXX.XXX.XXX;
  • sn = XXX.XXX.XXX.XXX;
  • gw = XXX.XXX.XXX.XXX;
  • dhcp = ;
  • pswd = off;
  • dns1 = XXX.XXX.XXX.XXX;
  • dns2 = XXX.XXX.XXX.XXX;
  • password = ;
  • new password = ;

A stack buffer overflow vulnerability exists in the IntelliCom NetBiter Config utility. The vulnerability is due to missing bounds checking on the value of a parameter in incoming HICP packets. The malicious data is copied with the unsafe function ‘strcpy’ into a fixed-size stack buffer. The buffer is part of a larger structure that contains multiple MFC objects, and the structure is later used to call an MFC dialog display function. One of these MFC objects is located after the vulnerable buffer and contains a function pointer. When the vulnerable stack buffer is overflowed, this function pointer can be overwritten and used by an attacker to execute arbitrary code. A remote unauthenticated attacker can exploit this vulnerability by sending a crafted UDP packet to the target program while posing as a managed ‘device’ to the target user. Successful exploitation could result in execution of arbitrary code in the security context of the logged-on user.
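The missing check described above, as an added example that is not code from NetBiter Config or from SonicWall: a length-based extractor for `key = value;` messages that rejects an oversized value instead of copying it with `strcpy`. The function name, the return codes, the 64-byte `HICP_FIELD_MAX` and the sample message are assumptions made for illustration; `hn` is used only as a sample key from the list above.

```c
#include <stdio.h>
#include <string.h>

#define HICP_FIELD_MAX 64  /* assumed size; the real buffer size is not given on the page */
enum { HICP_OK = 0, HICP_NOT_FOUND = -1, HICP_TOO_LONG = -2 };

/* Shrink [*b, *e) so it has no leading or trailing spaces/tabs. */
static void trim(const char **b, const char **e) {
    while (*b < *e && (**b == ' ' || **b == '\t')) (*b)++;
    while (*e > *b && ((*e)[-1] == ' ' || (*e)[-1] == '\t')) (*e)--;
}

/* Find `key` in a "key = value; key = value;" datagram of `len` bytes and copy
 * its value into out[outsz]. The payload is treated as a counted byte range,
 * because a UDP datagram is not guaranteed to be NUL-terminated. */
int hicp_get_value(const char *msg, size_t len, const char *key,
                   char *out, size_t outsz) {
    const char *p = msg, *end = msg + len;
    size_t klen = strlen(key);
    while (p < end) {
        const char *semi = memchr(p, ';', (size_t)(end - p));
        const char *fend = semi ? semi : end;            /* end of this field */
        const char *eq = memchr(p, '=', (size_t)(fend - p));
        if (eq) {                                        /* fields without '=' are skipped */
            const char *k = p, *ke = eq, *v = eq + 1, *ve = fend;
            trim(&k, &ke);
            trim(&v, &ve);
            if ((size_t)(ke - k) == klen && memcmp(k, key, klen) == 0) {
                size_t vlen = (size_t)(ve - v);
                if (vlen >= outsz) return HICP_TOO_LONG; /* reject; no silent truncation */
                memcpy(out, v, vlen);                    /* bounded copy replaces strcpy */
                out[vlen] = '\0';
                return HICP_OK;
            }
        }
        if (!semi) break;
        p = semi + 1;
    }
    return HICP_NOT_FOUND;
}

int main(void) {
    /* Constructed sample message, not captured traffic. */
    const char msg[] = "Configure: 00-00-00-00-00-00; hn = plant-gw-01; ip = 192.0.2.10;";
    char hn[HICP_FIELD_MAX];
    int rc = hicp_get_value(msg, sizeof msg - 1, "hn", hn, sizeof hn);
    printf("rc=%d hn=%s\n", rc, rc == HICP_OK ? hn : "(rejected)");
    return rc == HICP_OK ? 0 : 1;
}
```

Returning an error for an oversized value, rather than truncating it, also gives the caller a clear event to log when a device reply does not fit the expected field size.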

The SonicWALL UTM team has researched this vulnerability and released the following IPS signature:

  • 3019 IntelliCom NetBiter HICP Hostname BO Attempt

This vulnerability is disclosed in the vendor’s advisory.
