Lucene search

K
saintSAINT CorporationSAINT:498EBB7B39DBBA5BF9E7DD9B7DB9492F
HistoryDec 12, 2011 - 12:00 a.m.

BroadWin WebAccess SCADA Client ActiveX Format String

2011-12-1200:00:00
SAINT Corporation
download.saintcorporation.com
26
broadwin webaccess
scada
activex
format string
vulnerability
memory corruption
execution control
internet explorer
clsid
broadwin technology
windows xp
exploit

Added: 12/12/2011
OSVDB: 74897

Background

BroadWin WebAccess is a web-based SCADA reporting and control solution.

Problem

BroadWin WebAccess installs an ActiveX Control in the user’s browser. The OcxSpool() function of this control accepts a parameter that is evaluated using a format string. A format string vulnerability exists that allows a malicious website to pass a specially formatted value to this function. This may result in memory corruption and can allow the attacker to control execution on the user’s system.

Resolution

The vulnerable ActiveX control may be disabled through Internet Explorer by following these Microsoft instructions. The CLSID for the vulnerable control is 5c2a52bd-2250-4f6b-a4d2-d1d00fcd748c.

References

<http://broadwin.com/Client.htm&gt;
<http://secunia.com/advisories/45820/&gt;

Limitations

This exploit has been tested against Broadwin Technology WebAccess Client 7.0 on Windows XP SP3 English (DEP OptIn).

Platforms

Windows