Lucene search
Core Security1337DAY-ID-22906HistoryNov 20, 2014 - 12:00 a.m.
Advantech WebAccess 7.2 Stack-Based Buffer Overflow Vulnerability
2014-11-2000:00:00
Core Security
0day.today
36
EPSS
0.068
Percentile
93.9%
Advantech WebAccess version 7.2 is vulnerable to a stack-based buffer overflow attack, which can be exploited by remote attackers to execute arbitrary code, by providing a malicious html file with specific parameters for an ActiveX component.
Advantech WebAccess Stack-based Buffer Overflow
1. *Advisory Information*
Title: Advantech WebAccess Stack-based Buffer Overflow
Advisory ID: CORE-2014-0010
Advisory URL:
http://www.coresecurity.com/advisories/advantech-webAccess-stack-based-buffer-overflow
Date published: 2014-11-19
Date of last update: 2014-11-19
Vendors contacted: Advantech
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Stack-based Buffer Overflow [CWE-121]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2014-8388
3. *Vulnerability Description*
Advantech WebAccess [1] is a browser-based software package for
human-machine interfaces HMI, and supervisory control and data
acquisition SCADA.
Advantech WebAccess is vulnerable to a Stack-based buffer overflow
attack, which can be exploited by remote attackers to execute arbitrary
code, by providing a malicious html file with specific parameters for an
ActiveX component.
4. *Vulnerable packages*
. WebAccess 7.2
. Other versions are probably affected too, but they were not checked.
5. *Vendor Information, Solutions and Workarounds*
Given that this is a client-side vulnerability, affected users
should avoid opening untrusted '.html' files. Core Security also
recommends those affected use third party software such as Sentinel [3]
or EMET [2] that could help to prevent the exploitation of affected
systems to some extent.
Additionally the vendor released WebAccess v8 [4] where it has
deleted the vulnerable file 'webeye.ocx' but if version upgrade is being
performed, the vulnerable ocx file is not deleted at all, therefore we
do not consider this a correct fix.
6. *Credits*
This vulnerability was discovered and researched by Ricardo Narvaja
from Core Security Consulting Services. The publication of this advisory
was coordinated by JoaquΓn RodrΓguez Varela from Core Advisories Team.
7. *Technical Description / Proof of Concept Code*
This vulnerability is caused by a stack buffer overflow when parsing
the ip_address parameter. A malicious third party could trigger
execution of arbitrary code within the context of the application, or
otherwise crash the whole application. This is caused because the
application copies to the stack the string without checking its length.
/-----
document.vdoactx.Connect(ip_address, port_no);
-----/
/-----
0001C2AA 8B11 MOV EDX,DWORD PTR DS:[ECX]
0001C2AC 8A45 08 MOV AL,BYTE PTR SS:[EBP+8]
0001C2AF 8802 MOV BYTE PTR DS:[EDX],AL
0001C2B1 FF01 INC DWORD PTR DS:[ECX]
0001C2B3 0FB6C0 MOVZX EAX,AL
0001C2B6 EB 0B JMP SHORT 0001C2C3
-----/
# 0day.today [2018-02-02] #Related
checkpoint_advisories
checkpoint_advisories
cvelist
cvelist
CVE-2014-8388
2014-11-21 02:00:00
ics
ics
Advantech WebAccess Stack-based Buffer Overflow
2018-09-05 12:00:00
coresecurity
coresecurity
Advantech WebAccess Stack-based Buffer Overflow
2014-11-19 00:00:00
nvd
nvd
CVE-2014-8388
2014-11-21 02:59:07
securityvulns
securityvulns
[CORE-2014-0010] - Advantech WebAccess Stack-based Buffer Overflow
2014-12-01 00:00:00
Advantech WebAccess buffer overflow
2014-12-01 00:00:00
cve
cve
CVE-2014-8388
2014-11-21 02:59:07
nessus
nessus
WebGate Webeye ActiveX Control Stack Based Buffer Overflow Vulnerability
2015-03-12 00:00:00
prion
prion
Stack overflow
2014-11-21 02:59:00