0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Advantech AdamView 4.3 Buffer Overflow Vulnerability
Author
Risk
[
Security Risk High
]0day-ID
Category
Date add
CVE
Platform
Advantech AdamView Buffer Overflow 1. *Advisory Information* Title: Advantech AdamView Buffer Overflow Advisory ID: CORE-2014-0008 Advisory URL: http://www.coresecurity.com/advisories/advantech-adamView-buffer-overflow Date published: 2014-11-19 Date of last update: 2014-11-19 Vendors contacted: Advantech Release mode: User release 2. *Vulnerability Information* Class: Buffer overflow [CWE-119] Impact: Code execution Remotely Exploitable: No Locally Exploitable: Yes CVE Name: CVE-2014-8386 3. *Vulnerability Description* Advantech AdamView [1] is a HMI Software for Data Acquisition software package for human-machine interfaces HMI, and supervisory control and data acquisition SCADA. Advantech AdamView has to two different fields vulnerable to buffer overflow attacks, which can be exploited by attackers in order to execute arbitrary code by running files with the '.gni' extension that is assosiated with the AdamView software. 4. *Vulnerable packages* . Advantech AdamView V4.3 . Other versions are probably affected too, but they were not checked. 5. *Vendor Information, Solutions and Workarounds* The vendor informed us that the product is no longer supported and therefore no fix or update is going to be released. Given that this is a client-side vulnerability, affected users should avoid opening untrusted '.gni' files. Core Security also recommends those affected use third party software such as Sentinel [3] or EMET [2] that could help to prevent the exploitation of affected systems to some extent. 6. *Credits* This vulnerability was discovered and researched by Daniel Kazimirow and Fernando Paez from Core Security Exploit Writers Team. The publication of this advisory was coordinated by Joaquín Rodríguez Varela from Core Advisories Team. 7. *Technical Description / Proof of Concept Code* This vulnerability is caused by a stack buffer overflow when parsing the display properties parameter. A malicious third party could trigger execution of arbitrary code within the context of the application, or otherwise crash the whole application. Below are shown the vulnerable fields, the debug information, and the stack state after being overwritten. /----- VULNERABLE FIELDS: [+] display properties (BUG 1) 00475BA0 |. 53 PUSH EBX ; /<%s> 00475BA1 |. 8D4C24 18 LEA ECX,DWORD PTR SS:[ESP+18] ; | 00475BA5 |. 68 F09C4B00 PUSH ADAMView.004B9CF0 ; |Format = "Display Designer: %s" 00475BAA |. 51 PUSH ECX ; |s 00475BAB |. 8BF0 MOV ESI,EAX ; | 00475BAD |. FF15 84FF4900 CALL DWORD PTR DS:[<&USER32.wsprintfA>] ; \wsprintfA DEBUG: EAX 00000000 ECX 00000001 EDX 00000000 EBX 00000003 ESP 0012F924 EBP 00000000 ESI 0012F9B4 EDI 00F39DC8 EIP CCCCCCCC <------------------------------------ C 0 ES 0023 32bit 0(FFFFFFFF) P 0 CS 001B 32bit 0(FFFFFFFF) A 0 SS 0023 32bit 0(FFFFFFFF) Z 0 DS 0023 32bit 0(FFFFFFFF) S 0 FS 003B 32bit 7FFDE000(FFF) T 0 GS 0000 NULL D 0 O 0 LastErr ERROR_SUCCESS (00000000) EFL 00010202 (NO,NB,NE,A,NS,PO,GE,G) ST0 empty ST1 empty ST2 empty ST3 empty ST4 empty ST5 empty ST6 empty ST7 empty 3 2 1 0 E S P U O Z D I FST 4000 Cond 1 0 0 0 Err 0 0 0 0 0 0 0 0 (EQ) FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1 STACK: 0012F958 CCCCCCCC ÌÌÌÌ 0012F95C CCCCCCCC ÌÌÌÌ 0012F960 CCCCCCCC ÌÌÌÌ 0012F964 CCCCCCCC ÌÌÌÌ 0012F968 CCCCCCCC ÌÌÌÌ 0012F96C CCCCCCCC ÌÌÌÌ 0012F970 CCCCCCCC ÌÌÌÌ 0012F974 CCCCCCCC ÌÌÌÌ 0012F978 CCCCCCCC ÌÌÌÌ 0012F97C CCCCCCCC ÌÌÌÌ Pointer to next SEH record 0012F980 0043304A J0C. SE handler <-------------- SEH CONTROLLED BY US (PPR) 0012F984 FFFFFFFF ÿÿÿÿ 0012F988 00485103 QH. RETURN to ADAMView.00485103 -----/ This vulnerability is caused by a stack buffer overflow when parsing the conditional bitmap parameter. A malicious third party could trigger execution of arbitrary code within the context of the application, or otherwise crash the whole application. Below are shown the vulnerable fields, the debug information, and the stack state after being overwritten. /----- VULNERABLE FIELDS: [+] conditional bitmap > bitmap file map (is a path) (BUG 2) 00406E70 |. 55 |PUSH EBP ; /StringToAdd 00406E71 |. 51 |PUSH ECX ; |ConcatString 00406E72 |. FF15 A8F34900 |CALL DWORD PTR DS:[<&KERNEL32.lstrcatA>>; \lstrcatA DEBUG: EAX 00000000 ECX CCCCCCCC <--------------------- EAX EDX 73EA2608 MFC42.73EA2608 EBX 00F3C92E ASCII "BMP1" ESP 0012F884 EBP 0000099C ESI 0012F9B4 EDI 00F3C818 EIP CCCCCCCC <--------------------- C 0 ES 0023 32bit 0(FFFFFFFF) P 0 CS 001B 32bit 0(FFFFFFFF) A 0 SS 0023 32bit 0(FFFFFFFF) Z 0 DS 0023 32bit 0(FFFFFFFF) S 0 FS 003B 32bit 7FFDF000(FFF) T 0 GS 0000 NULL D 0 O 0 LastErr ERROR_PATH_NOT_FOUND (00000003) EFL 00010202 (NO,NB,NE,A,NS,PO,GE,G) ST0 empty ST1 empty ST2 empty ST3 empty ST4 empty ST5 empty ST6 empty ST7 empty 3 2 1 0 E S P U O Z D I FST 4000 Cond 1 0 0 0 Err 0 0 0 0 0 0 0 0 (EQ) FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1 STACK: 0012F884 CCCCCCCC 0012F888 CCCCCCCC 0012F88C CCCCCCCC 0012F890 CCCCCCCC 0012F894 CCCCCCCC 0012F898 CCCCCCCC 0012F89C CCCCCCCC 0012F8A0 7ACCCCCC 0012F8A4 CC004342 0012F8A8 CCCCCCCC 0012F8AC CCCCCCCC 0012F8B0 CCCCCCCC 0012F8B4 CCCCCCCC 0012F8B8 CCCCCCCC 0012F8BC CCCCCCCC 0012F8C0 CCCCCCCC 0012F8C4 CCCCCCCC -----/ # 0day.today [2024-11-15] #