An unauthenticated remote DoS vulnerability exists in CCAgent.exe shipped with Siemens TIA Portal 15.1 Update 3 when encryption is enabled.
Specifically, an integer overflow in the message size check can be triggered by sending a crafted datagram to UDP port 8910.
.text:0041266C mov eax, [ebp+pTeleBuf2]
.text:0041266F movzx ecx, [eax+CTeleBuffer2.HdrSize] ; seen: 20h, 64h
.text:00412673 mov edx, [ebp+pTeleBuf2]
.text:00412676 add ecx, [edx+CTeleBuffer2.BodySize] ; aka, compressed size (cs)
.text:00412679 cmp [ebp+arg_MsgSize], ecx ; check if (HdrSize + BodySize) == MsgSize
.text:00412679 ; but (HdrSize + BodySize) can cause int32 overflow
.text:0041267C jz short ok
The code checks that the sum of the message header size and body size equals the size of the message received from the network; if they differ, the message is treated as an error and is not processed. However, both HdrSize and BodySize are taken from the attacker-controlled message, and the sum is formed in a 32-bit register, so it wraps modulo 2^32. For example, the attacker can send a 0x73-byte message declaring HdrSize = 0x74 and BodySize = 0xffffffff: 0x74 + 0xffffffff wraps to 0x73, the size check passes, and the malformed message is processed further. (Note that the wrapped sum can only equal MsgSize when the declared header size already exceeds the datagram length.) Eventually, if no compression type is specified in the message, the body is handed to memcpy_s() with BodySize (0xffffffff) as the number of bytes to copy into a heap buffer of UncompressedSize bytes:
.text:004124BF no_compression: ; CODE XREF: TeleBuf2_DecryptAndUncompress+9C↑j
.text:004124BF mov eax, [ebp+TeleBuf2]
.text:004124C2 mov ecx, [eax+CTeleBuffer2.BodySize] ; aka, compressed size (cs)
.text:004124C5 push ecx
.text:004124C6 mov edx, [ebp+pBody]
.text:004124C9 push edx
.text:004124CA mov eax, [ebp+TeleBuf2]
.text:004124CD mov ecx, [eax+CTeleBuffer2.UncompressedSize] ; in: max len;
.text:004124CD ; out: decompressed len
.text:004124CD ; seen: 0003e800
.text:004124D0 push ecx ; size_t
.text:004124D1 mov edx, [ebp+pUncompressed]
.text:004124D4 push edx ; void *
.text:004124D5 call memcpy_s
memcpy_s() validates its arguments before copying anything: because the count (BodySize, 0xffffffff) exceeds the destination size (UncompressedSize, 0x3e800), it invokes the CRT invalid parameter handler instead of performing the copy. As the trace below shows, the call goes straight down the UCRT default path (_invalid_parameter -> _invoke_watson), which executes int 29h, a fail-fast with status code 0xC0000409 that cannot be caught by structured exception handling, so the CCAgent.exe process is terminated:
0:003> g
(dac.10cc): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!)
eax=00000001 ebx=00000000 ecx=00000005 edx=6d6c1480 esi=00000000 edi=0078b738
eip=74ec72b2 esp=011df680 ebp=011df6b0 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
ucrtbase!_invoke_watson+0x12:
74ec72b2 cd29 int 29h
0:002> kb
# ChildEBP RetAddr Args to Child
00 011df680 74ec719e 00000000 00000000 00000000 ucrtbase!_invoke_watson+0x12
01 011df6b0 74ec726b 00000001 0045b860 0078b738 ucrtbase!_invalid_parameter+0x75
02 011df6c4 00411b56 00000000 00000001 00000001 ucrtbase!_invalid_parameter_noinfo+0xb
WARNING: Stack unwind information not available. Following frames may be wrong.
03 011df6e4 004124da 007c0d40 00001000 007b254c CCAgent+0x11b56
04 011df728 0044559d 007b24d8 00000073 011df7d4 CCAgent+0x124da
05 011dfc00 0045bfa7 007b24d8 00000073 651c1aac CCAgent+0x4559d
06 011dfcd8 0045b8d4 00001a61 00000001 00000001 CCAgent+0x5bfa7
07 011dfcf4 77cbd313 003000a6 00001a61 000003fc CCAgent+0x5b8d4
08 011dfd20 77c9e8da 0045b860 003000a6 00001a61 USER32!_InternalCallWinProc+0x2b
09 011dfe08 77c9e234 0045b860 00000000 00001a61 USER32!UserCallWinProcCheckWow+0x30a
0a 011dfe7c 77c9dfe0 011dfe98 011dff04 0042eb35 USER32!DispatchMessageWorker+0x234
0b 011dfe88 0042eb35 011dfe98 038c32b7 003000a6 USER32!DispatchMessageW+0x10
0c 011dff04 0043d948 00000000 00000000 00000000 CCAgent+0x2eb35
0d 011dff54 0042ee85 00000001 0077cc58 011dff80 CCAgent+0x3d948
0e 011dff64 74947ee1 00000001 0077cc58 74947eb0 CCAgent+0x2ee85
0f 011dff80 77ab62c4 0077cc48 77ab62a0 74704f8a sechost!ScSvcctrlThreadA+0x31
10 011dff94 77e91f69 0077cc48 74310134 00000000 KERNEL32!BaseThreadInitThunk+0x24
11 011dffdc 77e91f34 ffffffff 77eb3625 00000000 ntdll!__RtlUserThreadStart+0x2f
12 011dffec 00000000 74947eb0 0077cc48 00000000 ntdll!_RtlUserThreadStart+0x1b
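The overflowing size check and the memcpy_s() call are modelled below in C as an added example; this is not code from CCAgent.exe or from Siemens, and the struct layout, field widths (HdrSize as a 16-bit field because it is read with movzx), the copy_body() stand-in for memcpy_s() and the hardened check are assumptions made for illustration. The benign header values are constructed; the crafted values (0x74, 0xffffffff, MsgSize 0x73, UncompressedSize 0x3e800) are the ones discussed above.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Assumed, simplified view of the CTeleBuffer2 fields named in the listings.
 * The real structure layout is not documented here; only the field names and
 * the observed values come from the disassembly. HdrSize is read with movzx,
 * so it is modelled as a 16-bit field; BodySize and UncompressedSize are 32-bit.
 */
typedef struct {
    uint16_t HdrSize;           /* seen: 0x20, 0x64 */
    uint32_t BodySize;          /* "compressed size" (cs), attacker controlled */
    uint32_t UncompressedSize;  /* output buffer size, seen: 0x3e800 */
} CTeleBuffer2;

/* The check at 0x412676..0x41267C: the sum is formed in a 32-bit register and
 * wraps modulo 2^32 before it is compared against the datagram length. */
bool size_check_vulnerable(const CTeleBuffer2 *t, uint32_t MsgSize)
{
    uint32_t sum = (uint32_t)t->HdrSize + t->BodySize;   /* may wrap */
    return sum == MsgSize;
}

/* Hardened check (added here, not the vendor's fix). Once HdrSize <= MsgSize
 * the subtraction cannot wrap, and the body must also fit the output buffer
 * memcpy_s() is later given, so its ERANGE path becomes unreachable. */
bool size_check_hardened(const CTeleBuffer2 *t, uint32_t MsgSize)
{
    if (t->HdrSize > MsgSize) return false;                 /* header exceeds datagram */
    if (t->BodySize != MsgSize - t->HdrSize) return false;  /* exact fit, no wrap */
    if (t->BodySize > t->UncompressedSize) return false;    /* body exceeds output */
    return true;
}

/* Stand-in for memcpy_s(dst, dstsz, src, count) on the no_compression path.
 * memcpy_s validates count <= dstsz before copying; on violation it zeroes dst,
 * invokes the CRT invalid-parameter handler and returns ERANGE. This model
 * returns the error instead of fail-fasting so it can be exercised in a test. */
int copy_body(uint8_t *dst, uint32_t dstsz, const uint8_t *src, uint32_t count)
{
    if (dst == NULL || src == NULL) return EINVAL;
    if (count > dstsz) {
        memset(dst, 0, dstsz);   /* what memcpy_s does before bailing out */
        return ERANGE;           /* in CCAgent.exe: _invalid_parameter -> int 29h */
    }
    memcpy(dst, src, count);
    return 0;
}

/* The crafted header from the text: a 0x73-byte datagram declaring
 * HdrSize = 0x74 and BodySize = 0xffffffff. */
CTeleBuffer2 crafted_header(void)
{
    return (CTeleBuffer2){ .HdrSize = 0x74, .BodySize = 0xffffffffu, .UncompressedSize = 0x3e800 };
}

/* A well-formed 0x73-byte datagram (constructed values) for comparison. */
CTeleBuffer2 benign_header(void)
{
    return (CTeleBuffer2){ .HdrSize = 0x20, .BodySize = 0x53, .UncompressedSize = 0x3e800 };
}

int main(void)
{
    const uint32_t MsgSize = 0x73;
    CTeleBuffer2 bad = crafted_header(), good = benign_header();
    uint8_t body[0x53] = {0};           /* stand-in for the datagram body */
    static uint8_t out[0x3e800];        /* stand-in for the heap output buffer */

    printf("crafted: vulnerable check %s, hardened check %s\n",
           size_check_vulnerable(&bad, MsgSize) ? "passes" : "fails",
           size_check_hardened(&bad, MsgSize) ? "passes" : "fails");
    printf("benign:  vulnerable check %s, hardened check %s\n",
           size_check_vulnerable(&good, MsgSize) ? "passes" : "fails",
           size_check_hardened(&good, MsgSize) ? "passes" : "fails");
    printf("memcpy_s(count=0x%x, dstsz=0x%x) -> %d (ERANGE=%d)\n",
           bad.BodySize, bad.UncompressedSize,
           copy_body(out, bad.UncompressedSize, body, bad.BodySize), ERANGE);
    return 0;
}
```

The vulnerable check accepts the crafted header because 0x74 + 0xffffffff wraps to exactly 0x73, while the hardened check rejects it at the first comparison; the copy stand-in shows the ERANGE outcome that, in the real process, becomes the fail-fast in the trace above.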
Proof of Concept
See our GitHub PoC repo.
Note: the CCAgent Windows service (CCAgent.exe) has been observed to restart after some delay following termination, so a single crafted datagram causes a temporary outage rather than a permanent one.