BroadWin WebAccess is a web-based SCADA reporting and control solution.
BroadWin WebAccess installs an ActiveX Control in the user's browser. The OcxSpool() function of this control accepts a parameter that is evaluated using a format string. A format string vulnerability exists that allows a malicious website to pass a specially formatted value to this function. This may result in memory corruption and can allow the attacker to control execution on the user's system.
The vulnerable ActiveX control may be disabled through Internet Explorer by following these Microsoft instructions. The CLSID for the vulnerable control is 5c2a52bd-2250-4f6b-a4d2-d1d00fcd748c.
This exploit has been tested against Broadwin Technology WebAccess Client 7.0 on Windows XP SP3 English (DEP OptIn).