Advantech Studio Multiple Buffer Overflow Vulnerabilities

Advantech Studio Multiple Buffer Overflow Vulnerabilities - Remote attackers can execute arbitrary code. Vulnerable version: Advantech Studio 6.1 SP6 Build 61.6.0. Buffer overflow in ISSymbol ActiveX control allows code execution via crafted web page

Reporter	Title	Published	Views	Family All 29
0day.today	InduSoft Web Studio ISSymbol.ocx InternationalSeparator() Overflow	19 Dec 201200:00	–	zdt
ATTACKERKB	InduSoft Web Studio ISSymbol.ocx InternationalSeparator() Heap Overflow	4 May 201100:00	–	attackerkb
Circl	CVE-2011-0340	20 Dec 201200:00	–	circl
Check Point Advisories	InduSoft Thin Client ISSymbol ActiveX Heap Buffer Overflow (CVE-2011-0340)	14 Oct 201200:00	–	checkpoint_advisories
CVE	CVE-2011-0340	4 May 201122:00	–	cve
Cvelist	CVE-2011-0340	4 May 201122:00	–	cvelist
Exploit DB	InduSoft Web Studio - 'ISSymbol.ocx InternationalSeparator()' Heap Overflow (Metasploit)	20 Dec 201200:00	–	exploitdb
ICS	Advantech Studio ISSymbol ActiveX Buffer Overflow	17 Feb 201207:00	–	ics
ICS	InduSoft ISSymbol ActiveX Control Buffer Overflow	9 Jun 201206:00	–	ics
Metasploit	InduSoft Web Studio ISSymbol.ocx InternationalSeparator() Heap Overflow	18 Dec 201222:48	–	metasploit

Source	Link
secunia	www.secunia.com/secunia_research/2011-37/
vupen	www.vupen.com/english/advisories/2011/1116
secunia	www.secunia.com/advisories/42928

###############################################################################
# OpenVAS Vulnerability Test
# $Id: secpod_advantech_studio_mult_bof_vuln.nasl 7006 2017-08-25 11:51:20Z teissa $
#
# Advantech Studio Multiple Buffer Overflow Vulnerabilities
#
# Authors:
# Madhuri D <[email protected]>
#
# Copyright:
# Copyright (c) 2011 SecPod, http://www.secpod.com
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

tag_impact = "Successful exploitation will allow remote attackers to execute
arbitrary code.

Impact Level: System/Application.";

tag_affected = "Advantech Advantech Studio 6.1 SP6 Build 61.6.0";

tag_insight = "The flaw exists due to a buffer overflow error in the ISSymbol
ActiveX control (ISSymbol.ocx) when processing an overly long 'InternationalOrder',
'InternationalSeparator', 'bstrFileName' or 'LogFileName' property, which
could be exploited by attackers to execute arbitrary code by tricking a user
into visiting a specially crafted web page.";

tag_solution = "Upgrade to hotfix 7.0.01.04 or higher,
For updates refer to http://support.advantech.com.tw/support/DownloadSearchByProduct.aspx?keyword=Advantech+Studio";

tag_summary = "This host is installed with Advantech Studio and is prone multiple
  to buffer overflow vulnerability.";

if(description)
{
  script_id(902370);
  script_version("$Revision: 7006 $");
  script_tag(name:"last_modification", value:"$Date: 2017-08-25 13:51:20 +0200 (Fri, 25 Aug 2017) $");
  script_tag(name:"creation_date", value:"2011-05-26 10:47:46 +0200 (Thu, 26 May 2011)");
  script_cve_id("CVE-2011-0340");
  script_bugtraq_id(47596);
  script_tag(name:"cvss_base", value:"9.3");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_name("Advantech Studio Multiple Buffer Overflow Vulnerabilities");
  script_xref(name : "URL" , value : "http://secunia.com/advisories/42928");
  script_xref(name : "URL" , value : "http://secunia.com/secunia_research/2011-37/");
  script_xref(name : "URL" , value : "http://www.vupen.com/english/advisories/2011/1116");

  script_tag(name:"qod_type", value:"executable_version");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2011 SecPod");
  script_family("Buffer overflow");
  script_dependencies("secpod_reg_enum.nasl");
  script_mandatory_keys("SMB/WindowsVersion");
  script_tag(name : "insight" , value : tag_insight);
  script_tag(name : "solution" , value : tag_solution);
  script_tag(name : "summary" , value : tag_summary);
  script_tag(name : "impact" , value : tag_impact);
  script_tag(name : "affected" , value : tag_affected);
  exit(0);
}


include("smb_nt.inc");
include("version_func.inc");
include("secpod_smb_func.inc");

if(!get_kb_item("SMB/WindowsVersion")){
  exit(0);
}

key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\";

if(!registry_key_exists(key:key)) {
    exit(0);
}

foreach item (registry_enum_keys(key:key))
{
  ## Check for InduSoft Thin Client DisplayName
  advName = registry_get_sz(key:key + item, item:"DisplayName");
  if("Advantech Studio" >< advName)
  {
    ## Get the installed location
    advPath = registry_get_sz(key:key + item, item:"InstallLocation");
    ocxPath = advPath + "\Redist\Wince 4.0\armv4t\ISSymbolCE.ocx";
    share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:ocxPath);
    file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", string:ocxPath);

    ocxVer = GetVer(file:file, share:share);
    if(!isnull(ocxVer))
    {
      if(version_is_equal(version:ocxVer, test_version:"301.1009.2904.0") ||
         version_is_equal(version:ocxVer, test_version:"61.6.0.0")){
        security_message(0);
      }
    }
  }
}

25 Aug 2017 00:00Current

0.8Low risk

Vulners AI Score0.8

EPSS0.44861