Securityvulns SECURITYVULNS:DOC:27116
Oct 02, 2011

Vulnerabilities in PcVue 10 (SCADA)

vulners.com

#######################################################################

                         Luigi Auriemma

Application: PcVue
http://www.arcinfo.com/index.php?option=com_content&id=2&Itemid=151
Versions: PcVue <= 10.0
SVUIGrd.ocx <= 1.5.1.0
aipgctl.ocx <= 1.07.3702
Platforms: Windows
Bugs: A] code execution in SVUIGrd.ocx Save/LoadObject
B] write4 in SVUIGrd.ocx GetExtendedColor
C] possible files corruption/injection in SVUIGrd.ocx Save/LoadObject
D] array overflow in aipgctl.ocx DeletePage
Exploitation: remote
Date: 27 Sep 2011
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction

From vendor's homepage:
"PcVue is a new generation of SCADA software. It is characterised by
modern ergonomics and by tools based on object technology to reduce and
optimise applications development."

#######################################################################

=======
2) Bugs


A] code execution in SVUIGrd.ocx Save/LoadObject

The numeric aStream argument of the SaveObject and LoadObject methods
exposed by SVUIGrd.ocx (CLSID 2BBD45A5-28AE-11D1-ACAC-0800170967D9) is
used directly as a pointer: it is dereferenced as an object pointer and a
virtual method is then called through it:

02695b9d 8b00 mov eax,dword ptr [eax] ; controlled
02695b9f ff5004 call dword ptr [eax+4] ; execution


B] write4 in SVUIGrd.ocx GetExtendedColor

Through the GetExtendedColor method of SVUIGrd.ocx it is possible to
write a DWORD to an arbitrary memory location:

02198e36 8902 mov dword ptr [edx],eax ; controlled


C] possible files corruption/injection in SVUIGrd.ocx Save/LoadObject

SaveObject allows the caller to specify the name of the file to save,
and LoadObject the name of the file to load.
I have not performed additional research, so for the moment the only
thing I have seen is the possibility of corrupting files on the
system via directory traversal attacks.
I suspect it is probably possible to write custom content as well, but
this has not been proved or verified.


D] array overflow in aipgctl.ocx DeletePage

Array overflow in the DeletePage method of the ActiveX component
aipgctl.ocx (CLSID 083B40D3-CCBA-11D2-AFE0-00C04F7993D6): the
caller-supplied index is used without a bounds check to read an object
pointer from an array, and a virtual method of that object is then
called:

10013852 8b0cb8 mov ecx,dword ptr [eax+edi*4]
10013855 85c9 test ecx,ecx
10013857 7407 je aipgctl+0x13860 (10013860)
10013859 8b11 mov edx,dword ptr [ecx]
1001385b 6a01 push 1
1001385d ff5204 call dword ptr [edx+4] ; execution

#######################################################################

===========
3) The Code

http://aluigi.org/poc/pcvue_1.zip

#######################################################################

======
4) Fix

No fix.
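Since the vendor offers no fix, the interim mitigation a defender would apply is the Internet Explorer ActiveX kill bit for the two CLSIDs listed above, which stops IE and other hosts that honour the flag from instantiating the controls. The PowerShell below is an added example, not code from the advisory or from the vendor; it assumes an elevated session, that the affected controls are reachable through such hosts, and that the rest of the PcVue application does not depend on them being loadable by IE.

```powershell
# Added example (not part of the original advisory): set the IE ActiveX
# kill bit for the two CLSIDs named in the advisory. Run elevated.
# Assumption: the controls are reachable from Internet Explorer / WebBrowser
# hosts; applications that instantiate the OCX files directly are not
# protected by the kill bit.

$KillBit = 0x400   # COMPAT_EVIL_DONT_LOAD: IE refuses to load the control

# CLSIDs taken from the advisory
$Clsids = @(
    '{2BBD45A5-28AE-11D1-ACAC-0800170967D9}',  # SVUIGrd.ocx
    '{083B40D3-CCBA-11D2-AFE0-00C04F7993D6}'   # aipgctl.ocx
)

# The OCX files are 32-bit, so on 64-bit Windows the Wow6432Node hive used
# by 32-bit IE is covered as well as the native hive.
$Bases = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Set-KillBit {
    param([string]$Base, [string]$Clsid)
    $key = Join-Path $Base $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]$existing -bor $KillBit   # preserve any flags already set
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

function Test-KillBit {
    # Returns $true when the kill bit is present in Compatibility Flags.
    param([string]$Base, [string]$Clsid)
    $key = Join-Path $Base $Clsid
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (([int]$flags -band $KillBit) -eq $KillBit)
}

foreach ($base in $Bases) {
    # Skip the Wow6432Node hive on 32-bit Windows, where it does not exist
    if (-not (Test-Path (Split-Path $base -Parent))) { continue }
    foreach ($clsid in $Clsids) {
        Set-KillBit -Base $base -Clsid $clsid
        '{0} {1} kill bit set: {2}' -f $base, $clsid, (Test-KillBit -Base $base -Clsid $clsid)
    }
}
```

Verify afterwards that the PcVue operator screens still work, since a kill bit is a blunt instrument and the vendor's own web front-ends may rely on the same controls.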

#######################################################################


Luigi Auriemma
http://aluigi.org