TeeChart Professional Integer Overflow Aug 11, 2011 Affected software: TeeChart Professional Affected vendor: Steema Issue type: Integer Overflow/Trusted Deference Release date: 11 August 2011 Discovered by: Steven Seeley Issue status: No patch available Summary stratsec has identified an integer overflow vulnerability in the TeeChart Professional ActiveX component that is later trusted, dereferenced and called upon. The vulnerability can lead to remote code execution if a user is social engineered to click on a malicious link or open a malicious HTML file. Description The TeeChart Pro ActiveX charting component library offers hundreds of Graph styles in 2D and 3D, 33 mathematical and statistical Functions for you to choose from together with an unlimited number of axes and 14 toolbox components. The Charting Control can be efficiently used to create multi task dashboards. Upon installation, the control is marked in the windows registry as ‘safe for scripting’ and ‘safe for initialisation’. Additionally, the kill bit is not set. This allows the control to be scripted remotely. Impact A remote attacker could social engineer a user into double clicking a malicious html file or clicking a malicious link that would likely result in remote code execution running with privileges as the currently logged in user. Affected products Multiple versions (including the latest version) are affected by this vulnerability that date back to as far as 2001: TeeChart5.ocx Version 5.0.1.0 (clsid: B6C10489-FB89-11D4-93C9-006008A7EED4) TeeChart6.ocx Version 6.0.0.5 (clsid: 536600D3-70FE-4C50-92FB-640F6BFC49AD) TeeChart7.ocx Version 7.0.1.4 (clsid: FAB9B41C-87D6-474D-AB7E-F07D78F2422E) TeeChart8.ocx Version 8.0.0.8 (clsid: BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196) TeeChart2010.ocx Version 2010.0.0.3 (clsid: FCB4B50A-E3F1-4174-BD18-54C3B3287258) Additionally the software is deployed under a number of SCADA based systems including but not limited to the following packages: Unitronics OPC server v1.3.8 BACnet Operator Workstation Version 1.0.76 Technical Details The vulnerability is triggered via the AddSeries() method which is part of the program ID ‘TeeChart.TChart.9’ contained within the ‘TeeChart2010.ocx’ ActiveX control. The integer supplied is wrapped due to a dereferenced arithmetic operation that is later trusted and executed. 02356CEB MOV EDX,DWORD PTR SS:[EBP+C] ; attacker controlled integer value 02356CEE MOV EAX,DWORD PTR DS:[EAX+EDX*4] ; execute a dereferenced calculation 02356CF1 MOV ECX,DWORD PTR DS:[EBX+0xC0] 02356CF7 MOV DL,1 02356CF9 CALL DWORD PTR DS:[EAX+2C] ; execute attacker controlled value Proof of concept A proof of concept exploit has been developed. The exploit code is designed to target the vulnerability under different environments including Windows 7. Solution Enable the kill bit in the windows registry for this ActiveX control so that the control cannot be executed. A detailed guide can be viewed at Microsoft’s support website: http://support.microsoft.com/kb/240797 Response timeline 26/07/2011 - Initial vendor notification. 28/07/2011 - No response from the vendor. Vendor reminded of the disclosure policy. 01/08/2011 - No response from the vendor. Vendor reminded of the vulnerability. 02/08/2011 - No response from the vendor. Vendor reminded of the vulnerability. 09/08/2011 - No response from the vendor. Vendor warned of imminent disclosure date. 11/08/2011 - No response from the vendor. This advisory published. References None provided at this time.