Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:31431
HistoryDec 01, 2014 - 12:00 a.m.

[CORE-2014-0010] - Advantech WebAccess Stack-based Buffer Overflow

2014-12-0100:00:00
vulners.com
10
JSON

Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

Advantech WebAccess Stack-based Buffer Overflow

  1. Advisory Information

Title: Advantech WebAccess Stack-based Buffer Overflow
Advisory ID: CORE-2014-0010
Advisory URL:
http://www.coresecurity.com/advisories/advantech-webAccess-stack-based-buffer-overflow
Date published: 2014-11-19
Date of last update: 2014-11-19
Vendors contacted: Advantech
Release mode: Coordinated release

  1. Vulnerability Information

Class: Stack-based Buffer Overflow [CWE-121]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2014-8388

  1. Vulnerability Description

    Advantech WebAccess [1] is a browser-based software package for
    human-machine interfaces HMI, and supervisory control and data
    acquisition SCADA.

    Advantech WebAccess is vulnerable to a Stack-based buffer overflow
    attack, which can be exploited by remote attackers to execute arbitrary
    code, by providing a malicious html file with specific parameters for an
    ActiveX component.

  2. Vulnerable packages

    . WebAccess 7.2
    . Other versions are probably affected too, but they were not checked.

  3. Vendor Information, Solutions and Workarounds

    Given that this is a client-side vulnerability, affected users
    should avoid opening untrusted '.html' files. Core Security also
    recommends those affected use third party software such as Sentinel [3]
    or EMET [2] that could help to prevent the exploitation of affected
    systems to some extent.

    Additionally the vendor released WebAccess v8 [4] where it has
    deleted the vulnerable file 'webeye.ocx' but if version upgrade is being
    performed, the vulnerable ocx file is not deleted at all, therefore we
    do not consider this a correct fix.

  4. Credits

    This vulnerability was discovered and researched by Ricardo Narvaja
    from Core Security Consulting Services. The publication of this advisory
    was coordinated by Joaquin Rodriguez Varela from Core Advisories Team.

  5. Technical Description / Proof of Concept Code

    This vulnerability is caused by a stack buffer overflow when parsing
    the ip_address parameter. A malicious third party could trigger
    execution of arbitrary code within the context of the application, or
    otherwise crash the whole application. This is caused because the
    application copies to the stack the string without checking its length.

/-----

document.vdoactx.Connect(ip_address, port_no);

-----/

/-----

0001C2AA 8B11 MOV EDX,DWORD PTR DS:[ECX]
0001C2AC 8A45 08 MOV AL,BYTE PTR SS:[EBP+8]
0001C2AF 8802 MOV BYTE PTR DS:[EDX],AL
0001C2B1 FF01 INC DWORD PTR DS:[ECX]
0001C2B3 0FB6C0 MOVZX EAX,AL
0001C2B6 EB 0B JMP SHORT 0001C2C3

-----/

  1. Report Timeline
    . 2014-10-01:

    Initial notification sent to ICS-CERT informing of the vulnerability
    and requesting the vendor's contact information.

. 2014-10-01:

ICS-CERT informs that they will ask the vendor if they want to

coordinate directly with us or if they prefer to have ICS-CERT mediate.
They request the vulnerability report.

. 2014-10-01:

ICS-CERT informs that the vendor answered that they would like the

ICS-CERT to mediate the coordination of the advisory. They requested
again the vulnerability report.

. 2014-10-01:

We send the vulnerability detail, including technical description

and a PoC.

. 2014-10-09:

We request a status update on the reported vulnerability.

. 2014-10-20:

ICS-CERT informs that the vendor has patched WebAccess in version

8.0 and published it. This was done without informing us in order to
make a coordianted release. The ICS-CERT asks if we can test the fix.

. 2014-10-21:

We clearly state how we disagree with the uncoordinated published

fix. We began testing the fix.

. 2014-10-21:

We inform them that the "webeye.ocx" file (version 1.0.1.35) is

still present in the new version.

. 2014-10-27:

ICS-CERT informs us that the vendor has removed the vulnerable OCX

file from the new version but it doesn't remove it from previous
installations, making the new version still vulnerable.

. 2014-11-13:

We inform them that we will publish this advisory as user release on

Wednesday 19th of November.

. 2014-11-19:

Advisory CORE-2014-0010 published.
  1. References

[1] http://webaccess.advantech.com/.
[2] http://support.microsoft.com/kb/2458544.
[3] https://github.com/CoreSecurity/sentinel.
[4] http://webaccess.advantech.com/webaccess_download.php?lang=eng.

  1. About CoreLabs

    CoreLabs, the research center of Core Security, is charged with
    anticipating the future needs and requirements for information security
    technologies. We conduct our research in several important areas of
    computer security
    including system vulnerabilities, cyber attack planning and simulation,
    source code auditing, and cryptography. Our results include problem
    formalization, identification of vulnerabilities, novel solutions and
    prototypes for new technologies. CoreLabs regularly publishes security
    advisories, technical papers, project information and shared software
    tools for public use at: http://corelabs.coresecurity.com.

  2. About Core Security

    Core Security enables organizations to get ahead of threats with
    security test and measurement solutions that continuously identify and
    demonstrate real-world exposures to their most critical assets. Our
    customers can gain real visibility into their security standing, real
    validation of their security controls, and real metrics to more
    effectively secure their organizations.

    Core Security's software solutions build on over a decade of trusted
    research and leading-edge threat expertise from the company's Security
    Consulting Services, CoreLabs and Engineering groups. Core Security can
    be reached at +1 (617) 399-6980 or on the Web at:
    http://www.coresecurity.com.

  3. Disclaimer

    The contents of this advisory are copyright (c) 2014 Core Security
    and (c) 2014 CoreLabs,
    and are licensed under a Creative Commons Attribution Non-Commercial
    Share-Alike 3.0 (United States) License:
    http://creativecommons.org/licenses/by-nc-sa/3.0/us/

  4. PGP/GPG Keys

    This advisory has been signed with the GPG key of Core Security
    advisories team, which is available for download at
    http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

Related

zdt 1
cve 1
securityvulns 1
coresecurity 1
checkpoint_advisories 2
prion 1
nessus 1
ics 1
zdt
zdt
Advantech WebAccess 7.2 Stack-Based Buffer Overflow Vulnerability
2014-11-20 00:00:00
cve
cve
CVE-2014-8388
2014-11-21 02:59:00
securityvulns
securityvulns
Advantech WebAccess buffer overflow
2014-12-01 00:00:00
coresecurity
coresecurity
Advantech WebAccess Stack-based Buffer Overflow
2014-11-19 00:00:00
checkpoint_advisories
checkpoint_advisories
Advantech WebAccess SCADA webeye.ocx ip_address Parameter Buffer Overflow - ver 2 (CVE-2014-8388)
2014-12-29 00:00:00
Advantech WebAccess SCADA webeye.ocx ip_address Parameter Buffer Overflow (CVE-2014-8388)
2014-11-27 00:00:00
prion
prion
Stack overflow
2014-11-21 02:59:00
nessus
nessus
WebGate Webeye ActiveX Control Stack Based Buffer Overflow Vulnerability
2015-03-12 00:00:00
ics
ics
Advantech WebAccess Stack-based Buffer Overflow
2018-09-05 12:00:00
JSON
Related for SECURITYVULNS:DOC:31431
zdt1cve1securityvulns1coresecurity1checkpoint_advisories2prion1nessus1ics1