Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

Advantech WebAccess Vulnerabilities


1. *Advisory Information*

    Title: Advantech WebAccess Vulnerabilities
    Advisory ID: CORE-2014-0005
    Advisory URL:
http://www.coresecurity.com/advisories/advantech-webaccess-vulnerabilities
    Date published: 2014-09-02
    Date of last update: 2014-09-01
    Vendors contacted: Advantech
    Release mode: User release


2. *Vulnerability Information*

    Class: Buffer overflow [CWE-119], Buffer overflow [CWE-119], Buffer
overflow [CWE-119], Buffer overflow [CWE-119], Buffer overflow
[CWE-119], Buffer overflow [CWE-119], Buffer overflow [CWE-119], Buffer
overflow [CWE-119]
    Impact: Code execution
    Remotely Exploitable: No
    Locally Exploitable: Yes
    CVE Name: CVE-2014-0985, CVE-2014-0986, CVE-2014-0987,
CVE-2014-0988, CVE-2014-0989, CVE-2014-0990, CVE-2014-0991, CVE-2014-0992


3. *Vulnerability Description*

    Advantech WebAccess [1] is a browser-based
    software package for human-machine interfaces HMI, and supervisory
    control and data acquisition SCADA.

    Advantech WebAccess is vulnerable to a buffer overflow attack, which
    can be exploited by remote attackers to execute arbitrary code, by
    providing a malicious html file with specific parameters for an
    ActiveX component.


4. *Vulnerable packages*

   . WebAccess 7.2
   . Older versions could be affected too, but they were not checked.


5. *Non-vulnerable packages*

   . AdvantechWebAccessUSANode_20140730_3.4.3


6. *Vendor Information, Solutions and Workarounds*

    Advantech has addressed the vulnerability in WebAccess by issuing an
update located at
    http://webaccess.advantech.com/downloads_software.php

    Given that this is a client-side vulnerability, affected users
should avoid
    opening untrusted '.html' files.
    Core Security also recommends those affected use third party
software such as
    Sentinel [4] or EMET [3]
    that could help to prevent the exploitation of affected systems to
some extent.


7. *Credits*

    This vulnerability was discovered and researched by Ricardo Narvaja
from
    Core Security Exploit Writers Team.
    
    Core Security Advisories Team would also like to thank  ICS-CERT
Coordination Center
    for their assistance during the vulnerability reporting process.
    

8. *Technical Description / Proof of Concept Code*

    [CVE-2014-0985] This vulnerability is caused by a stack buffer
    overflow when parsing NodeName parameter. A malicious third party could
    trigger execution of arbitrary code within the context of the
    application, or otherwise crash the whole application.
    NOTE: this vulnerability exists because of an incomplete fix for
    CVE-2014-0764.

    [CVE-2014-0986] This vulnerability is caused by a stack buffer
    overflow when parsing GotoCmd parameter. A malicious third party could
    trigger execution of arbitrary code within the context of the
    application, or otherwise crash the whole application.
    NOTE: this vulnerability exists because of an incomplete fix for
    CVE-2014-0765.

    [CVE-2014-0987] This vulnerability is caused by a stack buffer
    overflow when parsing NodeName2 parameter. A malicious third party
could
    trigger execution of arbitrary code within the context of the
    application, or otherwise crash the whole application.
    NOTE: this vulnerability exists because of an incomplete fix for
    CVE-2014-0766.

    [CVE-2014-0988] This vulnerability is caused by a stack buffer
    overflow when parsing AccessCode parameter. A malicious third party
could
    trigger execution of arbitrary code within the context of the
    application, or otherwise crash the whole application.
    NOTE: this vulnerability exists because of an incomplete fix for
    CVE-2014-0767.

    [CVE-2014-0989] This vulnerability is caused by a stack buffer
    overflow when parsing AccessCode2 parameter. A malicious third party
could
    trigger execution of arbitrary code within the context of the
    application, or otherwise crash the whole application.
    NOTE: this vulnerability exists because of an incomplete fix for
    CVE-2014-0768.

    [CVE-2014-0990] This vulnerability is caused by a stack buffer
    overflow when parsing UserName parameter. A malicious third party could
    trigger execution of arbitrary code within the context of the
    application, or otherwise crash the whole application.
    NOTE: this vulnerability exists because of an incomplete fix for
    CVE-2014-0770.
    
    [CVE-2014-0991] This vulnerability is caused by a stack buffer
    overflow when parsing projectname parameter. A malicious third party
could
    trigger execution of arbitrary code within the context of the
    application, or otherwise crash the whole application.

    [CVE-2014-0992] This vulnerability is caused by a stack buffer
    overflow when parsing password parameter. A malicious third party could
    trigger execution of arbitrary code within the context of the
    application, or otherwise crash the whole application.

    Below is shown the result of opening a malicious html file with a long
    NodeName parameter, an attacker can overflow the stack buffer mentioned
    above and overwrite the SEH (Structured Exception Handler), enabling
    arbitrary code execution on the machine.

/-----
 
EAX 03A39942 ASCII "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB..."
ECX 0162B720
EDX 01630000 xpsp2res.01630000
EBX 0162B720
ESP 0162B454
EBP 0162B460
ESI 0162B4D8
EDI 03A31E98
EIP 064EA6D4 webvact.064EA6D4

-----/


/-----
 
SEH chain of thread 000016CC
Address    SE handler
0162DB40   42424242

-----/


9. *Report Timeline*
    . 2014-05-06: Core Security notifies Advantech of the vulnerability.
Publication date is set for May 26th, 2014.

    . 2014-05-09: CORE asks for a reply.

    . 2014-05-26: First release date missed.

    . 2014-05-26: Core Security notifies that the issues were reported 2
weeks ago and there was no reply since May 6th, 2014.
      
    . 2014-05-29: Core Security contacts the ICS-CERT for assistance in
order to coordinate the disclosure of the advisory.
      
    . 2014-05-29: ICS-CERT acknowledges Core Security e-mail, and asks
for a technical description of the vulnerability.
      
    . 2014-05-29: Core Security sends technical details to the ICS-CERT.
      
    . 2014-06-05: ICS-CERT team notifies that they have contacted the
vendor and that they will notify us once the vendor has validated the
vulnerabilities.
      
    . 2014-06-18: ICS-CERT team notifies that the vendor is working in a
new release, expected to be released in September, and ask if Core
Security is interested in validating Advantech's vulnerability fix in
their beta version.
      
    . 2014-06-18: Core Security accepts the testing of the vendor beta
version, but shares their concerns about waiting several months for
fixes that are related to vulnerabilities already public.
      
    . 2014-06-18: ICS-CERT notifies that they will let us know when they
plan to make the beta version available for testing.
      
    . 2014-07-03: ICS-CERT team notifies that the vendor is working to
provide a download link for the beta version.
      
    . 2014-07-08: ICS-CERT team sends download link provided by the vendor.
      
    . 2014-07-10: Core Security confirms to ICS-CERT that the new
version it's still vulnerable, and comments that after some analysis the
vulnerable function doesn't has changes.
      
    . 2014-07-10: ICS-CERT notifies that they will let the vendor know
that that the vulnerabilities still exist. And asks to setup a
teleconference between Core Security, the CERT and the vendor.
      
    . 2014-07-10: Core Security notifies the ICS-CERT that all
interactions are made via email only.
      
    . 2014-07-10: ICS-CERT notifies they provided the information to the
vendor.
      
    . 2014-07-21: Core Security notifies the ICS-CERT that Tipping Point
Zero Day Initiative has released several advisories[2] affecting the
vendor including some that appears to be related to the one we are
coordinating.
      
    . 2014-07-21: ICS-CERT notifies that some of those advisories where
in coordination with them, and that after a review of the link shared by
Core Security are related to ICSA-14-198-02 and don't appear to be
related to the reported vulnerability.
      
    . 2014-07-21: Core Security notifies that ZDI-14-243 and ZDI-14-244
appears to be directly related.
      
    . 2014-07-21: ICS-CERT is trying to contact Advantech to get a
status update and their current plan for vulnerability remediation.
      
    . 2014-08-07: ICS-CERT notifies that they contacted the vendor and
they are waiting for an status update.
      
    . 2014-08-21: Core Security contacts ICS-CERT since no reply was
received in the past two weeks.
      
    . 2014-08-21: ICS-CERT notifies that vendor representative stated
that they are currently training a new product manager and they have not
yet responded to the vulnerabilities we are discussing.
      
    . 2014-08-28: Core Security notifies the ICS-CERT that the advisory
publication is going to be scheduled for Monday 1st of September.
      
    . 2014-08-28: ICS-CERT acknowledges Core Security e-mail.
      
    . 2014-08-28: Core Security re-schedules the advisory publication
for Sep 2nd, 2014.
      
    . 2014-09-02: Core Security found out that the vendor released a
silent fix on 30th of July.
        
    . 2014-09-02: Core Security releases the advisory CORE-2014-0005
tagged as user-release.


10. *References*

    [1] http://webaccess.advantech.com/.
    [2] http://www.zerodayinitiative.com/advisories/published/.
    [3] http://support.microsoft.com/kb/2458544.
    [4] https://github.com/CoreSecurity/sentinel.


11. *About CoreLabs*

    CoreLabs, the research center of Core Security, is charged with
anticipating
    the future needs and requirements for information security
technologies.
    We conduct our research in several important areas of computer security
    including system vulnerabilities, cyber attack planning and simulation,
    source code auditing, and cryptography. Our results include problem
    formalization, identification of vulnerabilities, novel solutions and
    prototypes for new technologies. CoreLabs regularly publishes security
    advisories, technical papers, project information and shared software
    tools for public use at:
    http://corelabs.coresecurity.com.


12. *About Core Security Technologies*

    Core Security Technologies enables organizations to get ahead of threats
    with security test and measurement solutions that continuously identify
    and demonstrate real-world exposures to their most critical assets. Our
    customers can gain real visibility into their security standing, real
    validation of their security controls, and real metrics to more
    effectively secure their organizations.

    Core Security's software solutions build on over a decade of trusted
    research and leading-edge threat expertise from the company's Security
    Consulting Services, CoreLabs and Engineering groups. Core Security
    Technologies can be reached at +1 (617) 399-6980 or on the Web at:
    http://www.coresecurity.com.


13. *Disclaimer*

    The contents of this advisory are copyright
    (c) 2014 Core Security and (c) 2014 CoreLabs,
    and are licensed under a Creative Commons
    Attribution Non-Commercial Share-Alike 3.0 (United States) License:
    http://creativecommons.org/licenses/by-nc-sa/3.0/us/


14. *PGP/GPG Keys*

    This advisory has been signed with the GPG key of Core Security
advisories
    team, which is available for download at
   
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.