Advantech WebAccess 7.2 Stack-Based Buffer Overflow Vulnerability

🗓️ 20 Nov 2014 00:00:00Reported by Core SecurityType

zdt🔗 0day.today👁 52 Views

Advantech WebAccess 7.2 Stack-Based Buffer Overflow Vulnerability - Code execution ris

Reporter	Title	Published	Views	Family All 14
ATTACKERKB	CVE-2014-8388	21 Nov 201402:59	–	attackerkb
Core Security	Advantech WebAccess Stack-based Buffer Overflow	19 Nov 201400:00	–	coresecurity
Check Point Advisories	Advantech WebAccess SCADA webeye.ocx ip_address Parameter Buffer Overflow (CVE-2014-8388)	27 Nov 201400:00	–	checkpoint_advisories
Check Point Advisories	Advantech WebAccess SCADA webeye.ocx ip_address Parameter Buffer Overflow - ver 2 (CVE-2014-8388)	29 Dec 201400:00	–	checkpoint_advisories
CVE	CVE-2014-8388	21 Nov 201402:00	–	cve
Cvelist	CVE-2014-8388	21 Nov 201402:00	–	cvelist
EUVD	EUVD-2014-8225	7 Oct 202500:30	–	euvd
ICS	Advantech WebAccess Stack-based Buffer Overflow	23 Aug 201406:00	–	ics
NVD	CVE-2014-8388	21 Nov 201402:59	–	nvd
Prion	Stack overflow	21 Nov 201402:59	–	prion

Advantech WebAccess Stack-based Buffer Overflow


1. *Advisory Information*

Title: Advantech WebAccess Stack-based Buffer Overflow
Advisory ID: CORE-2014-0010
Advisory URL:
http://www.coresecurity.com/advisories/advantech-webAccess-stack-based-buffer-overflow
Date published: 2014-11-19
Date of last update: 2014-11-19
Vendors contacted: Advantech
Release mode: Coordinated release


2. *Vulnerability Information*

Class: Stack-based Buffer Overflow [CWE-121]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2014-8388


3. *Vulnerability Description*

    Advantech WebAccess [1] is a browser-based software package for
human-machine interfaces HMI, and supervisory control and data
acquisition SCADA.   

    Advantech WebAccess is vulnerable to a Stack-based buffer overflow
attack, which can be exploited by remote attackers to execute arbitrary
code, by providing a malicious html file with specific parameters for an
ActiveX component.
    

4. *Vulnerable packages*

    . WebAccess 7.2
    . Other versions are probably affected too, but they were not checked.


5. *Vendor Information, Solutions and Workarounds*

    Given that this is a client-side vulnerability, affected users
should avoid opening untrusted '.html' files. Core Security also
recommends those affected use third party software such as Sentinel [3]
or EMET [2] that could help to prevent the exploitation of affected
systems to some extent.
      
    Additionally the vendor released WebAccess v8 [4] where it has
deleted the vulnerable file 'webeye.ocx' but if version upgrade is being
performed, the vulnerable ocx file is not deleted at all, therefore we
do not consider this a correct fix.
      

6. *Credits*

    This vulnerability was discovered and researched by Ricardo Narvaja
from Core Security Consulting Services. The publication of this advisory
was coordinated by Joaquín Rodríguez Varela from Core Advisories Team.


7. *Technical Description / Proof of Concept Code*

    This vulnerability is caused by a stack buffer overflow when parsing
the ip_address parameter. A malicious third party could trigger
execution of arbitrary code within the context of the application, or
otherwise crash the whole application. This is caused because the
application copies to the stack the string without checking its length.
    

/-----
 
document.vdoactx.Connect(ip_address, port_no);

-----/


/-----
 
0001C2AA    8B11            MOV EDX,DWORD PTR DS:[ECX]
0001C2AC    8A45 08         MOV AL,BYTE PTR SS:[EBP+8]
0001C2AF    8802            MOV BYTE PTR DS:[EDX],AL
0001C2B1    FF01            INC DWORD PTR DS:[ECX]
0001C2B3    0FB6C0          MOVZX EAX,AL
0001C2B6    EB 0B           JMP SHORT 0001C2C3

-----/

#  0day.today [2018-02-02]  #

20 Nov 2014 00:00Current

7.5High risk

Vulners AI Score7.5

EPSS0.00246