GE Proficy Historian KeyHelp ActiveX LaunchTriPane Vulnerability

2012-10-29 00:00:00
SAINT Corporation
download.saintcorporation.com

CVSS2: 9.3 High
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.901 High
Percentile: 98.8%

Added: 10/29/2012
CVE: CVE-2012-2516
BID: 54215
OSVDB: 83311

Background

GE Proficy Historian collects, organizes, archives and distributes tremendous volumes of real-time production information with a goal of enabling better and faster decisions and increased productivity.

Problem

GE Proficy Historian 4.5 and earlier are vulnerable to remote code execution as a result of a flaw in the **KeyHelp.ocx** ActiveX control. The control contains a **LaunchTriPane** function that allows launching of the HTML Help executable (**hh.exe**) with customized command line parameters. By using the **-decompile** switch, an attacker can specify the folder to decompile to and a Universal Naming Convention (UNC) path to a specially crafted Compiled Microsoft Help (**.chm**) file. The attacker can exploit this vulnerability to execute remote code under the context of the GE Proficy Historian process.
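A defender-side illustration of the launch pattern just described, added here and not part of the SAINT or GE material: a small Python detector that scans process-creation records for hh.exe started with -decompile against a UNC-hosted .chm. The record layout (pipe-delimited Image|ParentImage|CommandLine) and the sample hosts and paths are constructed assumptions, not a real log format.

```python
import re
import ntpath

# Constructed sample process-creation records ("Image|ParentImage|CommandLine"),
# written for this example; the layout and the hosts/paths are placeholders.
SAMPLE_EVENTS = [
    r"C:\Windows\hh.exe|C:\Program Files\Internet Explorer\iexplore.exe|"
    r"hh.exe -decompile C:\Users\Public\out \\203.0.113.5\share\help.chm",
    r'C:\Windows\hh.exe|C:\Windows\explorer.exe|hh.exe "C:\Program Files\Vendor\manual.chm"',
    r"C:\Windows\hh.exe|C:\Windows\System32\cmd.exe|hh.exe -decompile C:\Temp\out C:\Docs\guide.chm",
    r"C:\Windows\System32\notepad.exe|C:\Windows\explorer.exe|notepad.exe C:\Temp\notes.txt",
]


def parse_event(line):
    """Split one record into its three fields."""
    image, parent, cmdline = line.split("|", 2)
    return {"image": image, "parent": parent, "cmdline": cmdline}


def tokenize(cmdline):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def classify(event):
    """Return (severity, reason) for an hh.exe launch worth review, else None.
    High = -decompile with a UNC source, the pattern in the advisory above."""
    if ntpath.basename(event["image"]).lower() != "hh.exe":
        return None
    args = tokenize(event["cmdline"])[1:]            # drop the program name
    decompile = any(a.lower() == "-decompile" for a in args)
    unc = [a for a in args if a.startswith("\\\\")]  # \\host\share\... paths
    if decompile and unc:
        return ("high", f"hh.exe -decompile of remote file {unc[0]}")
    if decompile:
        return ("medium", "hh.exe -decompile of a local file")
    if unc:
        return ("low", f"hh.exe opened UNC path {unc[0]}")
    return None


def scan(lines):
    """Run classify() over every record; returns [(parent, severity, reason)]."""
    findings = []
    for line in lines:
        event = parse_event(line)
        verdict = classify(event)
        if verdict:
            findings.append((event["parent"], verdict[0], verdict[1]))
    return findings
```

Feed real Sysmon Event ID 1 or 4688 fields into parse_event() in place of the constructed records; a parent of iexplore.exe on a Historian host matches the delivery path the Limitations section describes.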

Resolution

Remove the vulnerable ActiveX control as described in GE Intelligent Platforms Security Advisory GEIP12-04.

References

<http://www.zerodayinitiative.com/advisories/ZDI-12-169/>

Limitations

This exploit was tested against General Electric Proficy Historian 4.0.0.176 on Microsoft Windows XP SP3 English (DEP OptIn).

The user must open the HTML page on the target using Internet Explorer 8.

The executable smbclient must be available on the exploit server.

A valid SMB user with permission to write to the specified SMB share is required. The SMB password must not contain single quotes (').

Platforms

Windows
