PcVue 10.0 - Multiple Vulnerabilities

27 Sep 2011 - Reported by Luigi Auriemma - Source: exploitdb (www.exploit-db.com)

PcVue 10.0 Multiple Vulnerabilities, Including Remote Code Execution and File Corruption

#######################################################################

                             Luigi Auriemma

Application:  PcVue
              http://www.arcinfo.com/index.php?option=com_content&id=2&Itemid=151
Versions:     PcVue       <= 10.0
              SVUIGrd.ocx <= 1.5.1.0
              aipgctl.ocx <= 1.07.3702
Platforms:    Windows
Bugs:         A] code execution in SVUIGrd.ocx Save/LoadObject
              B] write4 in SVUIGrd.ocx GetExtendedColor
              C] possible files corruption/injection in SVUIGrd.ocx Save/LoadObject
              D] array overflow in aipgctl.ocx DeletePage
Exploitation: remote
Date:         27 Sep 2011
Author:       Luigi Auriemma
              e-mail: [email protected]
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From vendor's homepage:
"PcVue is a new generation of SCADA software. It is characterised by
modern ergonomics and by tools based on object technology to reduce and
optimise applications development."


#######################################################################

=======
2) Bugs
=======

------------------------------------------------
A] code execution in SVUIGrd.ocx Save/LoadObject
------------------------------------------------

The aStream argument of the SaveObject and LoadObject methods exposed by
SVUIGrd.ocx (CLSID 2BBD45A5-28AE-11D1-ACAC-0800170967D9) is a plain number
chosen by the caller, but the control uses it directly as an object
pointer: the value is dereferenced to fetch a vtable and the second vtable
slot is called, so the caller controls the target of an indirect call:

  02695b9d 8b00            mov     eax,dword ptr [eax]  ; controlled
  02695b9f ff5004          call    dword ptr [eax+4]    ; execution


-----------------------------------------
B] write4 in SVUIGrd.ocx GetExtendedColor
-----------------------------------------

Through the GetExtendedColor method of SVUIGrd.ocx the destination
pointer of a store is derived from a caller-supplied argument, so it's
possible to write a dword to an arbitrary memory location (a write4
primitive):

  02198e36 8902            mov     dword ptr [edx],eax  ; controlled


---------------------------------------------------------------------
C] possible files corruption/injection in SVUIGrd.ocx Save/LoadObject
---------------------------------------------------------------------

SaveObject allows specifying the name of the file to save, and LoadObject
the name of the file to load.
I have not performed additional research, so for the moment the only
thing I have seen is the possibility of corrupting files on the system
via directory traversal attacks.
I suspect that writing custom content is probably possible as well, but
this has not been proved or verified.


-------------------------------------------
D] array overflow in aipgctl.ocx DeletePage
-------------------------------------------

The DeletePage method of the ActiveX component aipgctl.ocx
(083B40D3-CCBA-11D2-AFE0-00C04F7993D6) does not check the page index
against the size of the page array. The out-of-bounds element is treated
as an object pointer: if it is non-NULL its vtable is loaded and the
second slot is called, so an index that lands on attacker-influenced
memory yields a controlled indirect call:

  10013852 8b0cb8          mov     ecx,dword ptr [eax+edi*4]
  10013855 85c9            test    ecx,ecx
  10013857 7407            je      aipgctl+0x13860 (10013860)
  10013859 8b11            mov     edx,dword ptr [ecx]
  1001385b 6a01            push    1
  1001385d ff5204          call    dword ptr [edx+4]    ; execution


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/pcvue_1.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17896.zip


#######################################################################

======
4) Fix
======


No fix. (The standard ActiveX kill-bit workaround applies: setting
"Compatibility Flags" to REG_DWORD 0x00000400 under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
for {2BBD45A5-28AE-11D1-ACAC-0800170967D9} and
{083B40D3-CCBA-11D2-AFE0-00C04F7993D6} stops Internet Explorer from
instantiating the two controls.)


#######################################################################
