Microsys Promotic PmTrendViewer ActiveX Control SaveCfg Stack Buffer Overflow

2011-12-23T00:00:00
ID SAINT:D4B9B3272C68AAE890989F27D10A830C
Type saint
Reporter SAINT Corporation
Modified 2011-12-23T00:00:00

Description

Added: 12/23/2011
OSVDB: 76396

Background

Microsys Promotic is a SCADA object software tool for creating applications that monitor, control and display technological processes in various industrial areas. Promotic includes support for a web interface designed for Microsoft Windows.

Problem

Microsys Promotic's PmTrendViewer ActiveX control is vulnerable to remote code execution due to improper boundary checking in the **SaveCfg** method.

Resolution

Contact the vendor and upgrade or apply a patch when a fix becomes available. As a workaround, set the kill bit for **PmTrendViewer** ActiveX control associated with **CLSID {02000002-9DFA-4B37-ABE9-1929F4BCDEA2}** as described in Microsoft Knowledge Base Article 240797.

References

<http://aluigi.altervista.org/adv/promotic_1-adv.txt>
<http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-286-01.pdf>

Limitations

Exploit works on Microsys Promotic ActiveX Control 8.1.4.

The target user must open the exploit using Internet Explorer 7.

Platforms

Windows