TECO SG2 FBD Client 3.51 SEH Overwrite Buffer Overflow Vulnerability

Title: TECO SG2 FBD Client 3.51 SEH Overwrite Buffer Overflow Vulnerability
Advisory ID: ZSL-2015-5276
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 15.11.2015
SG2 Client is a program that enables to create and edit applications. The program is providing two edit modes, LADDER and FBD to rapidly and directly input the required app. The Simulation Mode allows users to virtually run and test the program before it is loaded to the controller.
The vulnerability is caused due to a boundary error in the processing of a Genie FBD, which can be exploited to cause a buffer overflow when a user opens e.g. a specially crafted .GFB file. Successful exploitation could allow execution of arbitrary code on the affected machine.


(fb0.fd0): Access violation - code c0000005 (!!! second chance !!!)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\windows\SysWOW64\ntdll.dll -
*** WARNING: Unable to verify checksum for C:\Program Files (x86)\TECO\SG2 Client\FBD.EXE
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files (x86)\TECO\SG2 Client\FBD.EXE
eax=4141413f ebx=00000004 ecx=41414141 edx=41414141 esi=0018f578 edi=00a642e8
eip=00440b57 esp=0018ef9c ebp=0000003f iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
00440b57 8995a0000000 mov dword ptr [ebp+0A0h],edx ss:002b:000000df=????????


TECO Electric and Machinery Co., Ltd. - http://www.teco-group.eu
Affected Version
3.51 and 3.40
Tested On
Microsoft Windows 7 Professional SP1 (EN) 64bit
Microsoft Windows 7 Ultimate SP1 (EN) 64bit
Vendor Status
[09.10.2015] Vulnerability discovered.
[15.10.2015] Contact with the vendor.
[14.11.2015] No response from the vendor.
[15.11.2015] Public security advisory released.
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
[1] https://www.exploit-db.com/exploits/38701/
[2] https://cxsecurity.com/issue/WLB-2015110111
[3] https://packetstormsecurity.com/files/134386
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/108084
[15.11.2015] - Initial release
[17.11.2015] - Added reference [1], [2] and [3]
[18.11.2015] - Added reference [4]
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk