Advantech WebAccess version 7.2 is vulnerable to a stack-based buffer overflow attack, which can be exploited by remote attackers to execute arbitrary code, by providing a malicious html file with specific parameters for an ActiveX component.
Advantech WebAccess Stack-based Buffer Overflow
1. *Advisory Information*
Title: Advantech WebAccess Stack-based Buffer Overflow
Advisory ID: CORE-2014-0010
Advisory URL:
http://www.coresecurity.com/advisories/advantech-webAccess-stack-based-buffer-overflow
Date published: 2014-11-19
Date of last update: 2014-11-19
Vendors contacted: Advantech
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Stack-based Buffer Overflow [CWE-121]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2014-8388
3. *Vulnerability Description*
Advantech WebAccess [1] is a browser-based software package for
human-machine interfaces HMI, and supervisory control and data
acquisition SCADA.
Advantech WebAccess is vulnerable to a Stack-based buffer overflow
attack, which can be exploited by remote attackers to execute arbitrary
code, by providing a malicious html file with specific parameters for an
ActiveX component.
4. *Vulnerable packages*
. WebAccess 7.2
. Other versions are probably affected too, but they were not checked.
5. *Vendor Information, Solutions and Workarounds*
Given that this is a client-side vulnerability, affected users
should avoid opening untrusted '.html' files. Core Security also
recommends those affected use third party software such as Sentinel [3]
or EMET [2] that could help to prevent the exploitation of affected
systems to some extent.
Additionally the vendor released WebAccess v8 [4] where it has
deleted the vulnerable file 'webeye.ocx' but if version upgrade is being
performed, the vulnerable ocx file is not deleted at all, therefore we
do not consider this a correct fix.
6. *Credits*
This vulnerability was discovered and researched by Ricardo Narvaja
from Core Security Consulting Services. The publication of this advisory
was coordinated by JoaquΓn RodrΓguez Varela from Core Advisories Team.
7. *Technical Description / Proof of Concept Code*
This vulnerability is caused by a stack buffer overflow when parsing
the ip_address parameter. A malicious third party could trigger
execution of arbitrary code within the context of the application, or
otherwise crash the whole application. This is caused because the
application copies to the stack the string without checking its length.
/-----
document.vdoactx.Connect(ip_address, port_no);
-----/
/-----
0001C2AA 8B11 MOV EDX,DWORD PTR DS:[ECX]
0001C2AC 8A45 08 MOV AL,BYTE PTR SS:[EBP+8]
0001C2AF 8802 MOV BYTE PTR DS:[EDX],AL
0001C2B1 FF01 INC DWORD PTR DS:[ECX]
0001C2B3 0FB6C0 MOVZX EAX,AL
0001C2B6 EB 0B JMP SHORT 0001C2C3
-----/
# 0day.today [2018-02-02] #