**CVSS2:** AV:N/AC:L/Au:N/C:P/I:P/A:P (Attack Vector: NETWORK; Attack Complexity: LOW; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL)
**EPSS Percentile:** 98.4%
**Title:** Advantech WebAccess Vulnerabilities
**Advisory ID:** CORE-2014-0005
**Advisory URL:** http://www.coresecurity.com/advisories/advantech-webaccess-vulnerabilities
**Date published:** 2014-09-02
**Date of last update:** 2014-09-01
**Vendors contacted:** Advantech
**Release mode:** User release
**Class:** Buffer overflow [CWE-119] (eight instances, one per CVE below)
**Impact:** Code execution
**Remotely Exploitable:** No
**Locally Exploitable:** Yes
**CVE Name:** CVE-2014-0985, CVE-2014-0986, CVE-2014-0987, CVE-2014-0988, CVE-2014-0989, CVE-2014-0990, CVE-2014-0991, CVE-2014-0992
Advantech WebAccess [1] is a browser-based software package for human-machine interfaces (HMI) and supervisory control and data acquisition (SCADA).
Advantech WebAccess is vulnerable to a buffer overflow attack, which can be exploited by remote attackers to execute arbitrary code by supplying a malicious HTML file that passes specially crafted parameters to an ActiveX component.
Advantech has addressed the vulnerability in WebAccess by issuing an update.
Given that this is a client-side vulnerability, affected users should avoid opening untrusted .html files. Core Security also recommends that those affected use third-party software such as Sentinel [4] or EMET [3], which can help to prevent exploitation of affected systems to some extent.
This vulnerability was discovered and researched by Ricardo Narvaja from Core Security Exploit Writers Team.
Core Security Advisories Team would also like to thank ICS-CERT Coordination Center for their assistance during the vulnerability reporting process.
[CVE-2014-0985] This vulnerability is caused by a stack buffer overflow when parsing the NodeName parameter. A malicious third party could trigger execution of arbitrary code within the context of the application, or otherwise crash the whole application. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0764.
[CVE-2014-0986] This vulnerability is caused by a stack buffer overflow when parsing the GotoCmd parameter. A malicious third party could trigger execution of arbitrary code within the context of the application, or otherwise crash the whole application. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0765.
[CVE-2014-0987] This vulnerability is caused by a stack buffer overflow when parsing the NodeName2 parameter. A malicious third party could trigger execution of arbitrary code within the context of the application, or otherwise crash the whole application. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0766.
[CVE-2014-0988] This vulnerability is caused by a stack buffer overflow when parsing the AccessCode parameter. A malicious third party could trigger execution of arbitrary code within the context of the application, or otherwise crash the whole application. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0767.
[CVE-2014-0989] This vulnerability is caused by a stack buffer overflow when parsing the AccessCode2 parameter. A malicious third party could trigger execution of arbitrary code within the context of the application, or otherwise crash the whole application. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0768.
[CVE-2014-0990] This vulnerability is caused by a stack buffer overflow when parsing the UserName parameter. A malicious third party could trigger execution of arbitrary code within the context of the application, or otherwise crash the whole application. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0770.
[CVE-2014-0991] This vulnerability is caused by a stack buffer overflow when parsing the projectname parameter. A malicious third party could trigger execution of arbitrary code within the context of the application, or otherwise crash the whole application.
[CVE-2014-0992] This vulnerability is caused by a stack buffer overflow when parsing the password parameter. A malicious third party could trigger execution of arbitrary code within the context of the application, or otherwise crash the whole application.
Below is the debugger state after opening a malicious HTML file with a long NodeName parameter. By overflowing the stack buffer mentioned above, an attacker can overwrite the SEH (Structured Exception Handler) record, enabling arbitrary code execution on the machine.
```
EAX 03A39942 ASCII "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB..."
ECX 0162B720
EDX 01630000 xpsp2res.01630000
EBX 0162B720
ESP 0162B454
EBP 0162B460
ESI 0162B4D8
EDI 03A31E98
EIP 064EA6D4 webvact.064EA6D4

SEH chain of thread 000016CC
Address   SE handler
0162DB40  42424242
```
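The bug class behind all eight CVEs is an unbounded copy of an ActiveX parameter string into a fixed-size stack buffer; the NOTE lines above show what happens when a fix covers one parameter but not the rest. The C below is an added illustration, not Advantech's control or Core Security's code: the buffer size and the `set_param_*` function names are assumptions, and only the parameter names come from the advisory.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size; the real control's sizes are not published. */
#define PARAM_MAX 63

/* Vulnerable pattern: an attacker-controlled parameter value is copied
 * into a fixed stack buffer with no length check. A value longer than
 * the buffer overwrites saved frame data (on Windows, the SEH record). */
void set_param_unsafe(const char *value) {
    char buf[PARAM_MAX + 1];
    strcpy(buf, value); /* CWE-119: no bound on the copy */
    (void)buf;
}

/* Hardened copy: refuse any value that does not fit, including its NUL.
 * memchr keeps the scan inside dst_size bytes, so an unterminated or
 * over-long value is rejected instead of being copied. */
bool copy_param_bounded(char *dst, size_t dst_size, const char *value) {
    const char *nul = memchr(value, '\0', dst_size);
    if (nul == NULL) return false;          /* longer than dst_size - 1 */
    memcpy(dst, value, (size_t)(nul - value) + 1);
    return true;
}

/* The eight parameter names from the advisory, all routed through the
 * same bounded copy so a fix cannot be incomplete for one of them. */
static const char *const PARAM_NAMES[] = {
    "NodeName", "GotoCmd", "NodeName2", "AccessCode",
    "AccessCode2", "UserName", "projectname", "password"
};

bool set_param_safe(const char *name, const char *value) {
    char buf[PARAM_MAX + 1];
    size_t n = sizeof PARAM_NAMES / sizeof PARAM_NAMES[0];
    bool known = false;
    for (size_t i = 0; i < n; i++)
        if (strcmp(name, PARAM_NAMES[i]) == 0) known = true;
    if (!known) return false;               /* unknown parameter: drop it */
    return copy_param_bounded(buf, sizeof buf, value);
}

int main(void) {
    char longval[300];
    memset(longval, 'B', sizeof longval - 1);
    longval[sizeof longval - 1] = '\0';
    printf("short NodeName accepted: %d\n", set_param_safe("NodeName", "Node01"));
    printf("long NodeName rejected: %d\n", !set_param_safe("NodeName", longval));
    return 0;
}
```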
[1] <http://webaccess.advantech.com/>.
[2] <http://www.zerodayinitiative.com/advisories/published/>.
[3] <http://support.microsoft.com/kb/2458544>.
[4] <https://github.com/CoreSecurity/sentinel>.
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.
Core Security’s software solutions build on over a decade of trusted research and leading-edge threat expertise from the company’s Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.
The contents of this advisory are copyright © 2014 Core Security and © 2014 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: <http://creativecommons.org/licenses/by-nc-sa/3.0/us/>
This advisory has been signed with the GPG key of Core Security advisories team.