BroadWin WebAccess SCADA Client ActiveX Format String

2011-12-12T00:00:00
ID SAINT:498EBB7B39DBBA5BF9E7DD9B7DB9492F
Type saint
Reporter SAINT Corporation
Modified 2011-12-12T00:00:00

Description

Added: 12/12/2011
OSVDB: 74897

Background

BroadWin WebAccess is a web-based SCADA reporting and control solution.

Problem

BroadWin WebAccess installs an ActiveX control in the user's browser. The control's OcxSpool() method takes a string parameter that is used as the format string of a printf-style call rather than passed as an argument to a fixed format. A malicious web page that instantiates the control can therefore supply a value containing format directives: conversions such as %x read from the stack and %n write to memory, so the result is memory corruption that can allow the attacker to control execution on the user's system.
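The pattern behind the bug, as an added example that is not BroadWin or SAINT code: a spooler-style function that forwards its untrusted string to vsnprintf as the format, the one-line fix that passes it as a %s argument, and a small audit helper that flags directives (especially %n) in a value before it reaches a formatter. The function names, the sample inputs and the OUT_MAX size are hypothetical.

```c
/* Added example, not the vendor's code: how an attacker-controlled string
 * becomes the format string, and how the fixed version differs.
 * spool_message_vuln/spool_message_fixed/audit_format are hypothetical names. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define OUT_MAX 128   /* hypothetical output buffer size */

/* Vulnerable pattern: the caller's string is forwarded as the format.
 * An untrusted "message" with %x/%n directives is interpreted, not copied. */
static int spool_vuln_impl(char *out, size_t out_len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, out_len, fmt, ap);
    va_end(ap);
    return n;
}

static int spool_message_vuln(char *out, size_t out_len, const char *untrusted)
{
    return spool_vuln_impl(out, out_len, untrusted);   /* untrusted IS the format */
}

/* Fixed pattern: the format is a literal and the untrusted value is only
 * ever consumed as a %s argument, so directives in it are inert text. */
static int spool_message_fixed(char *out, size_t out_len, const char *untrusted)
{
    return spool_vuln_impl(out, out_len, "%s", untrusted);
}

/* Boundary check: count conversion directives in a value that is about to be
 * used as a format ("%%" is a literal percent and does not count), and note
 * whether %n is present, since %n turns a stack read into a memory write. */
struct fmt_audit { int directives; int has_n; };

static struct fmt_audit audit_format(const char *s)
{
    struct fmt_audit a = {0, 0};
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        a.directives++;
        /* skip flags, width, precision and length modifiers to reach the
         * conversion character; *q is checked before strchr so the string
         * terminator is never matched */
        const char *q = p + 1;
        while (*q && strchr("-+ #0123456789.*hlLqjzt", *q)) q++;
        if (*q == 'n') a.has_n = 1;
    }
    return a;
}

int main(void)
{
    char buf[OUT_MAX];
    const char *sample = "100%% done";   /* constructed input */
    spool_message_vuln(buf, sizeof buf, sample);
    printf("vulnerable: %s\n", buf);     /* "%%" was interpreted: 100% done */
    spool_message_fixed(buf, sizeof buf, sample);
    printf("fixed:      %s\n", buf);     /* copied verbatim: 100%% done */
    struct fmt_audit a = audit_format("%08x%08x%n");   /* constructed payload */
    printf("directives=%d has_n=%d\n", a.directives, a.has_n);
    return 0;
}
```

Using "%%" as the probe keeps the demonstration free of undefined behaviour while still proving that the vulnerable path interprets the string as a format: any real payload would use %x to read the stack and %n to write, which is exactly what audit_format is there to reject at the API boundary.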

Resolution

The vulnerable ActiveX control may be disabled in Internet Explorer by following Microsoft's instructions for setting the control's kill bit (the Compatibility Flags DWORD value 0x400 under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}; on 64-bit Windows the Wow6432Node counterpart covers 32-bit IE). The CLSID for the vulnerable control is {5c2a52bd-2250-4f6b-a4d2-d1d00fcd748c}.

References

<http://broadwin.com/Client.htm>
<http://secunia.com/advisories/45820/>

Limitations

This exploit has been tested against Broadwin Technology WebAccess Client 7.0 on Windows XP SP3 English (DEP OptIn).

Platforms

Windows