TeeChart Professional Integer Overflow

Aug 11, 2011

 

    Affected software: TeeChart Professional
    Affected vendor: Steema
    Issue type: Integer Overflow/Trusted Deference
    Release date: 11 August 2011
    Discovered by: Steven Seeley
    Issue status: No patch available

Summary

stratsec has identified an integer overflow vulnerability in the TeeChart Professional ActiveX component that is later trusted, dereferenced and called upon. The vulnerability can lead to remote code execution if a user is social engineered to click on a malicious link or open a malicious HTML file.
 
Description

The TeeChart Pro ActiveX charting component library offers hundreds of Graph styles in 2D and 3D, 33 mathematical and statistical Functions for you to choose from together with an unlimited number of axes and 14 toolbox components. The Charting Control can be efficiently used to create multi task dashboards.
Upon installation, the control is marked in the windows registry as ‘safe for scripting’ and ‘safe for initialisation’. Additionally, the kill bit is not set. This allows the control to be scripted remotely.
 
Impact

A remote attacker could social engineer a user into double clicking a malicious html file or clicking a malicious link that would likely result in remote code execution running with privileges as the currently logged in user.
 
Affected products

Multiple versions (including the latest version) are affected by this vulnerability that date back to as far as 2001:

    TeeChart5.ocx Version 5.0.1.0 (clsid: B6C10489-FB89-11D4-93C9-006008A7EED4)
    TeeChart6.ocx Version 6.0.0.5 (clsid: 536600D3-70FE-4C50-92FB-640F6BFC49AD)
    TeeChart7.ocx Version 7.0.1.4 (clsid: FAB9B41C-87D6-474D-AB7E-F07D78F2422E)
    TeeChart8.ocx Version 8.0.0.8 (clsid: BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196)
    TeeChart2010.ocx Version 2010.0.0.3 (clsid: FCB4B50A-E3F1-4174-BD18-54C3B3287258)

Additionally the software is deployed under a number of SCADA based systems including but not limited to the following packages:

    Unitronics OPC server v1.3.8
    BACnet Operator Workstation Version 1.0.76

Technical Details

The vulnerability is triggered via the AddSeries() method which is part of the program ID ‘TeeChart.TChart.9’ contained within the ‘TeeChart2010.ocx’ ActiveX control. The integer supplied is wrapped due to a dereferenced arithmetic operation that is later trusted and executed.

02356CEB MOV EDX,DWORD PTR SS:[EBP+C] ; attacker controlled integer value

02356CEE MOV EAX,DWORD PTR DS:[EAX+EDX*4] ; execute a dereferenced calculation

02356CF1 MOV ECX,DWORD PTR DS:[EBX+0xC0]

02356CF7 MOV DL,1

02356CF9 CALL DWORD PTR DS:[EAX+2C] ; execute attacker controlled value
 
Proof of concept

A proof of concept exploit has been developed. The exploit code is designed to target the vulnerability under different environments including Windows 7.
 
Solution

Enable the kill bit in the windows registry for this ActiveX control so that the control cannot be executed. A detailed guide can be viewed at Microsoft’s support website:

    http://support.microsoft.com/kb/240797

Response timeline

    26/07/2011 - Initial vendor notification.
    28/07/2011 - No response from the vendor. Vendor reminded of the disclosure policy.
    01/08/2011 - No response from the vendor. Vendor reminded of the vulnerability.
    02/08/2011 - No response from the vendor. Vendor reminded of the vulnerability.
    09/08/2011 - No response from the vendor. Vendor warned of imminent disclosure date.
    11/08/2011 - No response from the vendor. This advisory published.

References

None provided at this time.