Core Security, makers of the product Core Impact.
Nice folks.
I like the product.
Apparently they left the gate open and their brains ran away in the night. What am I talking about? Well, they posted a vulnerability in the software of SCADA vendor Wonderware.
From their posting:
A vulnerability was found in Wonderware SuiteLink Service (slssvc.exe) that could allow an unauthenticated remote attacker with the ability to connect to the SuiteLink service TCP port to shut down the service abnormally by sending a malformed packet. Exploitation of the vulnerability for remote code execution has not been proven, but it has not been eliminated as a potential scenario.
Fine. Good catch. I have been lucky enough to work with 10+ vendors so far on security vulnerabilities, including one donkey outfit in ’07. But the rest were all professional. I was patient as I waited for them to get their **** together.
Now, on the SCADA side of the line we have another world that would make the Mad Hatter quite perplexed. There are some EMS vendors that require you to speak to them slowly, as at more than several sentences per minute they might, regrettably, spontaneously combust. It would appear, based on their apparent timeline, that WW is potentially one such firm.
That, however, doesn’t merit this:
An attacker can trigger the memory allocation operation failure by specifying an abnormally large length field in a Registration packet. The following binary excerpt shows where the problem is:
And here they provide the binary analysis.
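The bug class Core describes, an attacker-supplied length field driving an allocation whose failure the service never handles, shown as an added illustration that is neither Core's analysis nor Wonderware's code. The 4-byte big-endian length header, MAX_REG_PAYLOAD, HEAP_BUDGET and service_alloc are all assumptions made for the example; the real SuiteLink registration format does not appear on this page. The unchecked parser takes the allocation size straight from the packet, the hardened one bounds it against the protocol limit and the bytes actually received before allocating, and a constructed packet with a declared length of 0xFFFFFFFF is fed to both:

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical registration message: a 4-byte big-endian length, then that many
 * payload bytes. Assumed format for illustration only, not SuiteLink's. */
#define MAX_REG_PAYLOAD 4096u                    /* largest registration the service accepts */
#define HEAP_BUDGET     (64u * 1024u * 1024u)    /* assumed allocator limit, see service_alloc */

enum reg_status { REG_OK = 0, REG_TRUNCATED, REG_TOO_LARGE, REG_ALLOC_FAILED, REG_WOULD_CRASH };

struct registration {
    uint32_t len;
    uint8_t *payload;   /* heap copy of the payload, owned by the caller on REG_OK */
};

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Deterministic stand-in for the service allocator: refuses anything above a fixed
 * budget so the example behaves the same on every host, instead of depending on how
 * the OS treats a multi-gigabyte malloc. */
static void *service_alloc(size_t n)
{
    return n > HEAP_BUDGET ? NULL : malloc(n ? n : 1);
}

/* Vulnerable shape: allocation size comes straight from the packet. A real service
 * would carry on and use the NULL pointer and die; this version reports
 * REG_WOULD_CRASH at that point instead of dereferencing NULL. */
enum reg_status parse_registration_unchecked(const uint8_t *buf, size_t n,
                                             struct registration *out)
{
    if (n < 4)
        return REG_TRUNCATED;
    uint32_t len = read_be32(buf);
    uint8_t *p = service_alloc(len);          /* attacker-chosen size, no bound check */
    if (p == NULL)
        return REG_WOULD_CRASH;               /* the unhandled failure Core describes */
    if (n - 4 < len) {                        /* checked only after the allocation */
        free(p);
        return REG_TRUNCATED;
    }
    memcpy(p, buf + 4, len);
    out->len = len;
    out->payload = p;
    return REG_OK;
}

/* Hardened shape: validate the length against the protocol bound and the bytes
 * actually received before allocating, and treat allocation failure as a rejected
 * packet rather than a reason to crash. */
enum reg_status parse_registration(const uint8_t *buf, size_t n, struct registration *out)
{
    if (n < 4)
        return REG_TRUNCATED;
    uint32_t len = read_be32(buf);
    if (len > MAX_REG_PAYLOAD)
        return REG_TOO_LARGE;
    if (n - 4 < len)
        return REG_TRUNCATED;
    uint8_t *p = service_alloc(len);
    if (p == NULL)
        return REG_ALLOC_FAILED;
    memcpy(p, buf + 4, len);
    out->len = len;
    out->payload = p;
    return REG_OK;
}

/* Builds a packet with an arbitrary declared length so a malformed one can be made.
 * Returns bytes written, or 0 if dst is too small. */
size_t build_packet(uint8_t *dst, size_t cap, uint32_t declared_len,
                    const uint8_t *payload, size_t payload_len)
{
    if (cap < 4 + payload_len)
        return 0;
    dst[0] = (uint8_t)(declared_len >> 24);
    dst[1] = (uint8_t)(declared_len >> 16);
    dst[2] = (uint8_t)(declared_len >> 8);
    dst[3] = (uint8_t)declared_len;
    memcpy(dst + 4, payload, payload_len);
    return 4 + payload_len;
}

int main(void)
{
    static const char *names[] = { "OK", "TRUNCATED", "TOO_LARGE", "ALLOC_FAILED", "WOULD_CRASH" };
    uint8_t pkt[64];
    struct registration r;
    const uint8_t body[] = "hello";          /* constructed sample payload */

    /* Constructed malformed packet: 5 real bytes, declared length 0xFFFFFFFF. */
    size_t n = build_packet(pkt, sizeof pkt, 0xFFFFFFFFu, body, 5);
    printf("unchecked: %s\n", names[parse_registration_unchecked(pkt, n, &r)]);
    printf("hardened:  %s\n", names[parse_registration(pkt, n, &r)]);
    return 0;
}
```

The order of the checks is the point: the hardened parser rejects the length before any allocation happens, so an attacker never gets to choose the allocation size at all, and the one allocation that does occur has its failure turned into a dropped packet rather than a dead service.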
They left the tracks at this point. I have released several vulnerabilities to date, and not once did I release the actual code for the specific problem. What would that accomplish? I gave them the opportunity to patch the problem. They were able to address the issue with their respective customers, and I got the byline.
Again from their timeline:
Core has learned over the course of 13 years working in this particular field that it is fundamental to provide precise and accurate technical information about problems.
But releasing the actual binary analysis? Let go of my leg.
Not cool. So much for responsible disclosure.
Thx to CJ, M, Darko, Melanie and Bob for sending this one in!
(ed note: I do enjoy stirring it up. Looks like this one did the trick.)