Crouzet em4 soft 1.1.04 Integer Division By Zero Vendor: Crouzet Automatismes SAS Product web page: http://www.crouzet-automation.com Affected version: 1.1.04 and 1.1.03.01 Summary: em4 is more than just a nano-PLC. It is a leading edge device supported by best-in-class tools that enables you to create and implement the smartest automation applications. Desc: em4 soft suffers from a division by zero attack when handling Crouzet Logic Software Document '.pm4' files, resulting in denial of service vulnerability and possibly loss of data. --------------------------------------------------------------------- (187c.1534): Integer divide-by-zero - code c0000094 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. *** WARNING: Unable to verify checksum for image013b0000 *** ERROR: Module load completed but symbols could not be loaded for image013b0000 eax=00000000 ebx=00000000 ecx=55c37c10 edx=00000000 esi=0105b13c edi=0110bb18 eip=013ea575 esp=0064d8b8 ebp=0064d8f4 iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206 image013b0000+0x3a575: 013ea575 f7bf18010000 idiv eax,dword ptr [edi+118h] ds:002b:0110bc30=00000000 0:000> u image013b0000+0x3a575: 013ea575 f7bf18010000 idiv eax,dword ptr [edi+118h] 013ea57b 8d4de0 lea ecx,[ebp-20h] 013ea57e c745fc00000000 mov dword ptr [ebp-4],0 013ea585 50 push eax 013ea586 6808505b01 push offset image013b0000+0x205008 (015b5008) 013ea58b 51 push ecx 013ea58c ff15b0575a01 call dword ptr [image013b0000+0x1f57b0 (015a57b0)] 013ea592 8b870c010000 mov eax,dword ptr [edi+10Ch] --------------------------------------------------------------------- Tested on: Microsoft Windows 7 Professional SP1 (EN) Microsoft Windows 7 Ultimate SP1 (EN) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2016-5309 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5309.php 25.01.2016 -- PoC: http://zeroscience.mk/codes/poc5309.pm4.zip