Exploit the possiblities

Advantech WebAccess 7.2 Stack-Based Buffer Overflow

Advantech WebAccess 7.2 Stack-Based Buffer Overflow
Posted Nov 20, 2014
Authored by Core Security Technologies, Joaquin Rodriguez Varela, Ricardo Narvaj | Site coresecurity.com

Core Security Technologies Advisory - Advantech WebAccess version 7.2 is vulnerable to a stack-based buffer overflow attack, which can be exploited by remote attackers to execute arbitrary code, by providing a malicious html file with specific parameters for an ActiveX component.

tags | advisory, remote, overflow, arbitrary, activex
advisories | CVE-2014-8388
MD5 | 235685a5967719a6453d6269c1a81c40

Advantech WebAccess 7.2 Stack-Based Buffer Overflow

Change Mirror Download
Core Security - Corelabs Advisory

Advantech WebAccess Stack-based Buffer Overflow

1. *Advisory Information*

Title: Advantech WebAccess Stack-based Buffer Overflow
Advisory ID: CORE-2014-0010
Advisory URL:
Date published: 2014-11-19
Date of last update: 2014-11-19
Vendors contacted: Advantech
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Stack-based Buffer Overflow [CWE-121]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2014-8388

3. *Vulnerability Description*

Advantech WebAccess [1] is a browser-based software package for
human-machine interfaces HMI, and supervisory control and data
acquisition SCADA.

Advantech WebAccess is vulnerable to a Stack-based buffer overflow
attack, which can be exploited by remote attackers to execute arbitrary
code, by providing a malicious html file with specific parameters for an
ActiveX component.

4. *Vulnerable packages*

. WebAccess 7.2
. Other versions are probably affected too, but they were not checked.

5. *Vendor Information, Solutions and Workarounds*

Given that this is a client-side vulnerability, affected users
should avoid opening untrusted '.html' files. Core Security also
recommends those affected use third party software such as Sentinel [3]
or EMET [2] that could help to prevent the exploitation of affected
systems to some extent.

Additionally the vendor released WebAccess v8 [4] where it has
deleted the vulnerable file 'webeye.ocx' but if version upgrade is being
performed, the vulnerable ocx file is not deleted at all, therefore we
do not consider this a correct fix.

6. *Credits*

This vulnerability was discovered and researched by Ricardo Narvaja
from Core Security Consulting Services. The publication of this advisory
was coordinated by Joaquín Rodríguez Varela from Core Advisories Team.

7. *Technical Description / Proof of Concept Code*

This vulnerability is caused by a stack buffer overflow when parsing
the ip_address parameter. A malicious third party could trigger
execution of arbitrary code within the context of the application, or
otherwise crash the whole application. This is caused because the
application copies to the stack the string without checking its length.


document.vdoactx.Connect(ip_address, port_no);



0001C2AC 8A45 08 MOV AL,BYTE PTR SS:[EBP+8]
0001C2B6 EB 0B JMP SHORT 0001C2C3


8. *Report Timeline*
. 2014-10-01:

Initial notification sent to ICS-CERT informing of the vulnerability
and requesting the vendor's contact information.

. 2014-10-01:

ICS-CERT informs that they will ask the vendor if they want to
coordinate directly with us or if they prefer to have ICS-CERT mediate.
They request the vulnerability report.

. 2014-10-01:

ICS-CERT informs that the vendor answered that they would like the
ICS-CERT to mediate the coordination of the advisory. They requested
again the vulnerability report.

. 2014-10-01:

We send the vulnerability detail, including technical description
and a PoC.

. 2014-10-09:

We request a status update on the reported vulnerability.

. 2014-10-20:

ICS-CERT informs that the vendor has patched WebAccess in version
8.0 and published it. This was done without informing us in order to
make a coordianted release. The ICS-CERT asks if we can test the fix.

. 2014-10-21:

We clearly state how we disagree with the uncoordinated published
fix. We began testing the fix.

. 2014-10-21:

We inform them that the "webeye.ocx" file (version is
still present in the new version.

. 2014-10-27:

ICS-CERT informs us that the vendor has removed the vulnerable OCX
file from the new version but it doesn't remove it from previous
installations, making the new version still vulnerable.

. 2014-11-13:

We inform them that we will publish this advisory as user release on
Wednesday 19th of November.

. 2014-11-19:

Advisory CORE-2014-0010 published.

9. *References*

[1] http://webaccess.advantech.com/.
[2] http://support.microsoft.com/kb/2458544.
[3] https://github.com/CoreSecurity/sentinel.
[4] http://webaccess.advantech.com/webaccess_download.php?lang=eng.

10. *About CoreLabs*

CoreLabs, the research center of Core Security, is charged with
anticipating the future needs and requirements for information security
technologies. We conduct our research in several important areas of
computer security
including system vulnerabilities, cyber attack planning and simulation,
source code auditing, and cryptography. Our results include problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies. CoreLabs regularly publishes security
advisories, technical papers, project information and shared software
tools for public use at: http://corelabs.coresecurity.com.

11. *About Core Security*

Core Security enables organizations to get ahead of threats with
security test and measurement solutions that continuously identify and
demonstrate real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security can
be reached at +1 (617) 399-6980 or on the Web at:

12. *Disclaimer*

The contents of this advisory are copyright (c) 2014 Core Security
and (c) 2014 CoreLabs,
and are licensed under a Creative Commons Attribution Non-Commercial
Share-Alike 3.0 (United States) License:

13. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
advisories team, which is available for download at


RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?

Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

February 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    15 Files
  • 2
    Feb 2nd
    15 Files
  • 3
    Feb 3rd
    15 Files
  • 4
    Feb 4th
    13 Files
  • 5
    Feb 5th
    16 Files
  • 6
    Feb 6th
    15 Files
  • 7
    Feb 7th
    15 Files
  • 8
    Feb 8th
    15 Files
  • 9
    Feb 9th
    18 Files
  • 10
    Feb 10th
    8 Files
  • 11
    Feb 11th
    8 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    15 Files
  • 14
    Feb 14th
    15 Files
  • 15
    Feb 15th
    17 Files
  • 16
    Feb 16th
    18 Files
  • 17
    Feb 17th
    37 Files
  • 18
    Feb 18th
    2 Files
  • 19
    Feb 19th
    16 Files
  • 20
    Feb 20th
    11 Files
  • 21
    Feb 21st
    3 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2018 Packet Storm. All rights reserved.

Security Services
Hosting By