| Title | Published | Views | Reporter |
|---|---|---|---|
| Advantech AdamView 4.30.003 - (.gni) SEH Buffer Overflow Exploit | 10 Dec 2014 00:00 | – | zdt |
| CVE-2014-8386 | 20 Jan 2015 15:59 | – | attackerkb |
| Advantech Adamview Buffer Overflow | 20 Jan 2015 00:00 | – | attackerkb |
| Advantech AdamView Buffer Overflow | 19 Nov 2014 00:00 | – | coresecurity |
| Advantech ADAMView Display Properties Parameter Remote Code Execution (CVE-2014-8386) | 29 Dec 2014 00:00 | – | checkpoint_advisories |
| Advantech ADAMView Conditional Bitmap Remote Code Execution (CVE-2014-8386) | 14 Jan 2015 00:00 | – | checkpoint_advisories |
| CVE-2014-8386 | 20 Jan 2015 15:00 | – | cve |
| CVE-2014-8386 | 20 Jan 2015 15:00 | – | cvelist |
| Advantech AdamView 4.30.003 - '.gni' Local Buffer Overflow (SEH) | 9 Dec 2014 00:00 | – | exploitdb |
| Advantech AdamView 4.30.003 - .gni Local Buffer Overflow (SEH) | 9 Dec 2014 00:00 | – | exploitpack |
Advantech AdamView Buffer Overflow
1. *Advisory Information*
Title: Advantech AdamView Buffer Overflow
Advisory ID: CORE-2014-0008
Advisory URL: http://www.coresecurity.com/advisories/advantech-adamView-buffer-overflow
Date published: 2014-11-19
Date of last update: 2014-11-19
Vendors contacted: Advantech
Release mode: User release
2. *Vulnerability Information*
Class: Buffer overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2014-8386
3. *Vulnerability Description*
Advantech AdamView [1] is a software package for human-machine
interfaces (HMI), data acquisition, and supervisory control and data
acquisition (SCADA).
Advantech AdamView has two different fields that are vulnerable to
buffer overflow attacks. An attacker can exploit them to execute
arbitrary code by getting a user to open a file with the '.gni'
extension, which is associated with the AdamView software.
4. *Vulnerable packages*
. Advantech AdamView V4.3
. Other versions are probably affected too, but they were not checked.
5. *Vendor Information, Solutions and Workarounds*
The vendor informed us that the product is no longer supported and
therefore no fix or update is going to be released.
Given that this is a client-side vulnerability, affected users
should avoid opening untrusted '.gni' files. Core Security also
recommends that those affected use third-party software such as
Sentinel [3] or EMET [2], which may help prevent exploitation of
affected systems to some extent.
6. *Credits*
This vulnerability was discovered and researched by Daniel Kazimirow
and Fernando Paez from Core Security Exploit Writers Team. The
publication of this advisory was coordinated by Joaquín Rodríguez Varela
from Core Advisories Team.
7. *Technical Description / Proof of Concept Code*
The first vulnerability is caused by a stack buffer overflow when
parsing the display properties parameter. A malicious third party could
trigger execution of arbitrary code within the context of the
application, or otherwise crash the whole application.
The vulnerable field, the debugger output, and the stack state after
the overwrite are shown below.
/-----
VULNERABLE FIELDS:
[+] display properties (BUG 1)
00475BA0 |. 53 PUSH EBX ; /<%s>
00475BA1 |. 8D4C24 18 LEA ECX,DWORD PTR SS:[ESP+18] ; |
00475BA5 |. 68 F09C4B00 PUSH ADAMView.004B9CF0 ; |Format = "Display Designer: %s"
00475BAA |. 51 PUSH ECX ; |s
00475BAB |. 8BF0 MOV ESI,EAX ; |
00475BAD |. FF15 84FF4900 CALL DWORD PTR DS:[<&USER32.wsprintfA>] ; \wsprintfA
DEBUG:
EAX 00000000
ECX 00000001
EDX 00000000
EBX 00000003
ESP 0012F924
EBP 00000000
ESI 0012F9B4
EDI 00F39DC8
EIP CCCCCCCC <------------------------------------
C 0 ES 0023 32bit 0(FFFFFFFF)
P 0 CS 001B 32bit 0(FFFFFFFF)
A 0 SS 0023 32bit 0(FFFFFFFF)
Z 0 DS 0023 32bit 0(FFFFFFFF)
S 0 FS 003B 32bit 7FFDE000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00010202 (NO,NB,NE,A,NS,PO,GE,G)
ST0 empty
ST1 empty
ST2 empty
ST3 empty
ST4 empty
ST5 empty
ST6 empty
ST7 empty
3 2 1 0 E S P U O Z D I
FST 4000 Cond 1 0 0 0 Err 0 0 0 0 0 0 0 0 (EQ)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
STACK:
0012F958 CCCCCCCC ÌÌÌÌ
0012F95C CCCCCCCC ÌÌÌÌ
0012F960 CCCCCCCC ÌÌÌÌ
0012F964 CCCCCCCC ÌÌÌÌ
0012F968 CCCCCCCC ÌÌÌÌ
0012F96C CCCCCCCC ÌÌÌÌ
0012F970 CCCCCCCC ÌÌÌÌ
0012F974 CCCCCCCC ÌÌÌÌ
0012F978 CCCCCCCC ÌÌÌÌ
0012F97C CCCCCCCC ÌÌÌÌ Pointer to next SEH record
0012F980 0043304A J0C. SE handler <-------------- SEH CONTROLLED BY US (PPR)
0012F984 FFFFFFFF ÿÿÿÿ
0012F988 00485103 QH. RETURN to ADAMView.00485103
-----/
The second vulnerability is caused by a stack buffer overflow when
parsing the conditional bitmap parameter. A malicious third party could
trigger execution of arbitrary code within the context of the
application, or otherwise crash the whole application.
The vulnerable field, the debugger output, and the stack state after
the overwrite are shown below.
/-----
VULNERABLE FIELDS:
[+] conditional bitmap > bitmap file map (is a path) (BUG 2)
00406E70 |. 55 |PUSH EBP ; /StringToAdd
00406E71 |. 51 |PUSH ECX ; |ConcatString
00406E72 |. FF15 A8F34900 |CALL DWORD PTR DS:[<&KERNEL32.lstrcatA>] ; \lstrcatA
DEBUG:
EAX 00000000
ECX CCCCCCCC <--------------------- EAX
EDX 73EA2608 MFC42.73EA2608
EBX 00F3C92E ASCII "BMP1"
ESP 0012F884
EBP 0000099C
ESI 0012F9B4
EDI 00F3C818
EIP CCCCCCCC <---------------------
C 0 ES 0023 32bit 0(FFFFFFFF)
P 0 CS 001B 32bit 0(FFFFFFFF)
A 0 SS 0023 32bit 0(FFFFFFFF)
Z 0 DS 0023 32bit 0(FFFFFFFF)
S 0 FS 003B 32bit 7FFDF000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_PATH_NOT_FOUND (00000003)
EFL 00010202 (NO,NB,NE,A,NS,PO,GE,G)
ST0 empty
ST1 empty
ST2 empty
ST3 empty
ST4 empty
ST5 empty
ST6 empty
ST7 empty
3 2 1 0 E S P U O Z D I
FST 4000 Cond 1 0 0 0 Err 0 0 0 0 0 0 0 0 (EQ)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
STACK:
0012F884 CCCCCCCC
0012F888 CCCCCCCC
0012F88C CCCCCCCC
0012F890 CCCCCCCC
0012F894 CCCCCCCC
0012F898 CCCCCCCC
0012F89C CCCCCCCC
0012F8A0 7ACCCCCC
0012F8A4 CC004342
0012F8A8 CCCCCCCC
0012F8AC CCCCCCCC
0012F8B0 CCCCCCCC
0012F8B4 CCCCCCCC
0012F8B8 CCCCCCCC
0012F8BC CCCCCCCC
0012F8C0 CCCCCCCC
0012F8C4 CCCCCCCC
-----/
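As an added illustration (not part of the Core advisory or of AdamView's code): both bugs come from writing an attacker-sized '.gni' field into a fixed stack buffer with a function that takes no destination size, wsprintfA with a "%s" conversion for bug 1 and lstrcatA for bug 2. The C below shows the bounded form of each write, where an over-long field is rejected instead of running past the buffer into the SEH record; the buffer sizes, field values and function names are assumed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration, not AdamView's code. The advisory shows unbounded
 * wsprintfA("Display Designer: %s", ...) and lstrcatA calls on .gni fields;
 * these are bounded replacements. Buffer sizes are assumed for the example. */
#define TITLE_BUF 64     /* assumed size of the display-title buffer */
#define PATH_BUF  260    /* MAX_PATH-sized bitmap-path buffer (assumed) */

/* Bounded replacement for wsprintfA(buf, "Display Designer: %s", name).
 * Returns 0 on success, -1 if the result would not fit; the destination is
 * then left empty rather than partially written. */
int format_title(char *buf, size_t bufsz, const char *name)
{
    int n = snprintf(buf, bufsz, "Display Designer: %s", name);
    if (n < 0 || (size_t)n >= bufsz) {   /* n is the untruncated length */
        buf[0] = '\0';
        return -1;
    }
    return 0;
}

/* Bounded replacement for lstrcatA(path, component): append only when the
 * existing string, the component and the NUL all fit in pathsz bytes. */
int append_path(char *path, size_t pathsz, const char *component)
{
    const char *end = memchr(path, '\0', pathsz);   /* end of current string */
    size_t add = strlen(component);
    if (end == NULL || add >= pathsz - (size_t)(end - path))
        return -1;                       /* unterminated, or no room for add + NUL */
    memcpy(path + (end - path), component, add + 1);
    return 0;
}

/* Exercises both helpers with a normal field and with a constructed 300-byte
 * field, longer than either buffer. Returns the number of checks passed (4). */
int check_examples(void)
{
    char title[TITLE_BUF], path[PATH_BUF] = "C:\\bitmaps\\", big[300];
    int ok = 0;
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    ok += format_title(title, sizeof title, "Panel1") == 0
          && strcmp(title, "Display Designer: Panel1") == 0;
    ok += format_title(title, sizeof title, big) == -1 && title[0] == '\0';
    ok += append_path(path, sizeof path, "BMP1.bmp") == 0
          && strcmp(path, "C:\\bitmaps\\BMP1.bmp") == 0;
    ok += append_path(path, sizeof path, big) == -1;
    return ok;
}
```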