IntelliCom NetBiter Hostname Buffer Overflow

December 22, 2009

IntelliCom NetBiter webSCADA is an embedded Supervisory Control and Data Acquisition solution for various hardware devices, providing remote management through web browsers. NetBiter Config is a configuration utility shipped with NetBiter webSCADA. It is used to enumerate and configure compatible devices on the LAN.

NetBiter Config uses the HICP protocol to communicate with the devices. HICP is a proprietary protocol used to control managed devices in a SCADA environment. It runs over UDP port 3250 and carries key=value pairs in plain text, separated by semicolons:

key = value ; key = value ; [...]

The following keys are known:

Configure: xx-xx-xx-xx-xx-xx; Protocol version = ; fb type = ; module version = ; mac = xx-xx-xx-xx-xx-xx; hn = ; ip = XXX.XXX.XXX.XXX; sn = XXX.XXX.XXX.XXX; gw = XXX.XXX.XXX.XXX; dhcp = ; pswd = off; dns1 = XXX.XXX.XXX.XXX; dns2 = XXX.XXX.XXX.XXX; password = ; new password = ;

A stack buffer overflow vulnerability exists in the IntelliCom NetBiter Config utility. The vulnerability is due to missing bounds checking on the value of a parameter in incoming HICP packets. The malicious data is copied using the insecure function 'strcpy' into a fixed-size stack buffer. The buffer is part of a larger structure that contains multiple MFC objects, and the structure is later used to call an MFC dialog display function. One of these MFC objects is located after the vulnerable buffer and contains a function pointer. When the vulnerable stack buffer is overflowed, this function pointer can be overwritten and used by an attacker to execute arbitrary code. A remote unauthenticated attacker can exploit this vulnerability by sending a crafted UDP packet to the target program while posing as a managed 'device' to the target user. Successful exploitation could result in execution of arbitrary code in the security context of the logged-on user.
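The missing bounds check, written out as an added example (not NetBiter's or SonicWALL's code): a parser for the key = value format above that rejects an oversized value instead of copying it with strcpy. The function and constant names, the 64-byte limit, the sample datagram, and the reading of the `hn` key as the hostname field named in the title are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define HICP_HN_MAX 64 /* assumed limit; the real buffer size is not on the page */
enum { HICP_OK = 0, HICP_NOT_FOUND = -1, HICP_TOO_LONG = -2 };

/* Trim ASCII whitespace from both ends of the range [*s, *e). */
static void trim(const char **s, const char **e) {
    while (*s < *e && isspace((unsigned char)**s)) (*s)++;
    while (*e > *s && isspace((unsigned char)(*e)[-1])) (*e)--;
}

/* Find `key` in a "key = value; key = value;" datagram and copy its value
 * into out[out_sz]. The datagram is untrusted: it need not be NUL-terminated,
 * and an oversized value is rejected rather than truncated or copied. */
int hicp_get_value(const char *pkt, size_t len, const char *key,
                   char *out, size_t out_sz) {
    const char *p = pkt, *end = pkt + len;
    size_t klen = strlen(key);
    if (out_sz == 0) return HICP_TOO_LONG;
    out[0] = '\0';
    while (p < end) {
        const char *semi = memchr(p, ';', (size_t)(end - p));
        const char *pair_end = semi ? semi : end;
        const char *eq = memchr(p, '=', (size_t)(pair_end - p));
        if (eq) { /* elements without '=' (e.g. "Configure: ...") are skipped */
            const char *ks = p, *ke = eq, *vs = eq + 1, *ve = pair_end;
            trim(&ks, &ke);
            trim(&vs, &ve);
            if ((size_t)(ke - ks) == klen && memcmp(ks, key, klen) == 0) {
                size_t vlen = (size_t)(ve - vs);
                if (vlen >= out_sz) return HICP_TOO_LONG; /* check strcpy never makes */
                memcpy(out, vs, vlen);
                out[vlen] = '\0';
                return HICP_OK;
            }
        }
        if (!semi) break;
        p = semi + 1;
    }
    return HICP_NOT_FOUND;
}

int main(void) {
    /* Constructed sample datagram, not a capture. */
    const char pkt[] = "Protocol version = 1.00; hn = pump-station-7; ip = 192.0.2.10;";
    char hn[HICP_HN_MAX];
    printf("%d %s\n", hicp_get_value(pkt, sizeof pkt - 1, "hn", hn, sizeof hn), hn);
    return 0;
}
```

A caller that receives HICP_TOO_LONG should drop the datagram and log its source, since a legitimate device has no reason to send a value that long.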

The SonicWALL UTM team has researched this vulnerability and released the following IPS signature:

  • 3019 IntelliCom NetBiter HICP Hostname BO Attempt

This vulnerability was disclosed in the vendor’s advisory.