
Crouzet em4 soft 1.1.04 Integer Division By Zero

Low
Advisory ID
ZSL-2016-5309
Release Date
29 February 2016
Vendor
Crouzet Automatismes SAS - http://www.crouzet-automation.com
Affected Version
1.1.04 and 1.1.03.01
CVE
N/A
Tested On
Microsoft Windows 7 Professional SP1 (EN), Microsoft Windows 7 Ultimate SP1 (EN)
Summary

em4 is more than just a nano-PLC. It is a leading edge device supported by best-in-class tools that enables you to create and implement the smartest automation applications.

Description

em4 soft suffers from an integer division-by-zero vulnerability when handling Crouzet Logic Software Document '.pm4' files, resulting in a denial of service (application crash) and possibly loss of unsaved data.

(187c.1534): Integer divide-by-zero - code c0000094 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for image013b0000
*** ERROR: Module load completed but symbols could not be loaded for image013b0000
eax=00000000 ebx=00000000 ecx=55c37c10 edx=00000000 esi=0105b13c edi=0110bb18
eip=013ea575 esp=0064d8b8 ebp=0064d8f4 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210206
image013b0000+0x3a575:
013ea575 f7bf18010000    idiv    eax,dword ptr [edi+118h] ds:002b:0110bc30=00000000
0:000> u
image013b0000+0x3a575:
013ea575 f7bf18010000    idiv    eax,dword ptr [edi+118h]
013ea57b 8d4de0          lea     ecx,[ebp-20h]
013ea57e c745fc00000000  mov     dword ptr [ebp-4],0
013ea585 50              push    eax
013ea586 6808505b01      push    offset image013b0000+0x205008 (015b5008)
013ea58b 51              push    ecx
013ea58c ff15b0575a01    call    dword ptr [image013b0000+0x1f57b0 (015a57b0)]
013ea592 8b870c010000    mov     eax,dword ptr [edi+10Ch]
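The crash above shows a 32-bit value read from the document (the dword at [edi+118h]) used directly as the divisor of an idiv. The following is an added illustration of that pattern and its hardened form, not Crouzet's code: the record layout, offsets and function names are hypothetical, since the real '.pm4' structure is not documented here.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical record layout modelled on the crash: a 32-bit field at
 * offset 0x118 of a file-supplied record is used as a divisor. */
#define DIVISOR_OFFSET 0x118
#define RECORD_SIZE    0x120

/* Build a constructed record with the given divisor field (test helper). */
void make_record(uint8_t *rec, int32_t divisor)
{
    memset(rec, 0, RECORD_SIZE);
    memcpy(rec + DIVISOR_OFFSET, &divisor, sizeof divisor);
}

/* Vulnerable pattern: trusts the file-supplied divisor. On x86 idiv raises
 * #DE (reported by Windows as c0000094) when the divisor is 0; INT_MIN / -1
 * also traps because the quotient does not fit in 32 bits. */
int32_t scale_unchecked(const uint8_t *rec, int32_t total)
{
    int32_t divisor;
    memcpy(&divisor, rec + DIVISOR_OFFSET, sizeof divisor);
    return total / divisor;
}

/* Hardened form: bounds-check the record, reject the two trapping divisor
 * cases, and report failure through a return code instead of faulting.
 * Returns 0 on success, negative on error; quotient is written to *out. */
int scale_checked(const uint8_t *rec, size_t len, int32_t total, int32_t *out)
{
    int32_t divisor;
    if (rec == NULL || out == NULL || len < RECORD_SIZE)
        return -1;                      /* truncated or missing record */
    memcpy(&divisor, rec + DIVISOR_OFFSET, sizeof divisor);
    if (divisor == 0)
        return -2;                      /* would trap: divide by zero */
    if (divisor == -1 && total == INT_MIN)
        return -3;                      /* would trap: quotient overflow */
    *out = total / divisor;
    return 0;
}
```

A parser written in the hardened style turns a malformed document into a clean load error rather than a process crash.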
Proof of Concept
Disclosure Timeline
25.01.2016 - Vulnerability discovered.
03.02.2016 - Vendor contacted.
28.02.2016 - No response from the vendor.
29.02.2016 - Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
29.02.2016 - Initial release
01.03.2016 - Added reference [1], [2] and [3]
03.03.2016 - Added reference [4]