A heap overflow vulnerability exists in CmpWebServerHandlerV3.dll (file version 3.5.15.20) due to improper validation of user-supplied data sent to the CODESYS V3 web server URL endpoint /WebVisuV3.
The flaw is due to the fact that the MemGCGetSize function adds 0x5c bytes to the requested allocation size during memory allocation operation:
__wibu00:004BF8C0 MemGCGetSize proc near ; CODE XREF: SysMemAllocCode+39↓p
__wibu00:004BF8C0 ; SysMemAllocData+1B↓p
__wibu00:004BF8C0 ; SysMemReallocData+3C↓p
__wibu00:004BF8C0 ; DATA XREF: __wibu01:00813B28↓o
__wibu00:004BF8C0
__wibu00:004BF8C0 arg_size = dword ptr 8
__wibu00:004BF8C0
__wibu00:004BF8C0 push ebp
__wibu00:004BF8C1 mov ebp, esp
__wibu00:004BF8C3 mov eax, [ebp+arg_size]; attacker-controlled
__wibu00:004BF8C6 add eax, 5Ch ; '\' ; int32 overflow!
__wibu00:004BF8C6 ; i.e., size can be 0xffffffff
__wibu00:004BF8C9 pop ebp
__wibu00:004BF8CA retn
__wibu00:004BF8CA MemGCGetSize endp
The extra 0x5c bytes appears to be used for memory garbage collection purposes. The MemGCGetSize function is called within the SysMemAllocData function, which is used by many CODESYS components to allocate memory from the heap.
An unauthenticated, remote attacker can request a very large memory allocation size (i.e., 0xffffffff) via a WEB_CLIENT_OPENCONNECTION message sent to the CmpWebServerHandlerV3 component:
|foo|-1|true|
The CmpWebServerHandlerV3 component (when in state 0) attempts to allocate -1 (0xffffffff) bytes for the communication buffer. When the SysMemAllocData function is called, the memory allocation size gets overflowed and a small (0xffffffff + 0x5c = 0x5b) heap buffer is actually allocated.
The attacker then sends a WEB_CLIENT_RUN_SERVICE message to overflow the small communication buffer:
.text:100039F4 call HandleVisuService
.text:100039FA add esp, 14h
.text:100039FD mov [ebp+err], eax
.text:10003A00 cmp [ebp+err], 0
.text:10003A04 jnz short err_10003A54
.text:10003A06 mov ecx, [ebp+HdrSizePlus4] ; attacker-controlled
.text:10003A09 push ecx
.text:10003A0A mov edx, [ebp+pbLayer7] ; attacker-controlled
.text:10003A0D push edx
.text:10003A0E mov eax, [ebp+cbCommBuf2] ; ffffffff
.text:10003A11 push eax
.text:10003A12 mov ecx, [ebp+pbCommBuf2] ; very small buf => heap buf overflow!
.text:10003A15 push ecx
.text:10003A16 call CMUtlSafeMemCpy
The following windbg output shows 0x4014 bytes of attacker-controlled data is being copied to a 0x3-byte (0x5b - (0x0028c3d8 - 0x0028c380) = 3) user buffer on the heap:
CmpWebServerHandlerV3!ComponentEntry+0x1d66:
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\CODESYS 3.5.15.20\GatewayPLC\CODESYSControlService.exe -
01b13a16 ff152c85b101 call dword ptr [CmpWebServerHandlerV3!ComponentEntry+0x687c (01b1852c)] ds:0023:01b1852c=00566110
0:013> dd esp L4
0460fddc 0028c3d8 ffffffff 023107ac 00004014
0:013> !heap -p -a 0028c3d8
address 0028c3d8 found in
_HEAP @ 260000
HEAP_ENTRY Size Prev Flags UserPtr UserSize - state
0028c378 000d 0000 [00] 0028c380 0005b - (busy)
The attached PoC can be used to terminate a 32-bit CODESYSControlService.exe:
python codesys_v3_webserver_int32_overflow.py 8080
Note that when running the PoC, it's important that the CmpWebServerHandlerV3 component must be in 'state' 0. When CODESYSControlService.exe starts, CmpWebServerHandlerV3 is in state 0.
View All Solutions