0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Advantech WebAccess 7.2 Stack-Based Buffer Overflow Vulnerability
Author
Risk
[Security Risk High
]0day-ID
Category
Date add
CVE
Platform
Advantech WebAccess Stack-based Buffer Overflow
1. *Advisory Information*
Title: Advantech WebAccess Stack-based Buffer Overflow
Advisory ID: CORE-2014-0010
Advisory URL:
http://www.coresecurity.com/advisories/advantech-webAccess-stack-based-buffer-overflow
Date published: 2014-11-19
Date of last update: 2014-11-19
Vendors contacted: Advantech
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Stack-based Buffer Overflow [CWE-121]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2014-8388
3. *Vulnerability Description*
Advantech WebAccess [1] is a browser-based software package for
human-machine interfaces HMI, and supervisory control and data
acquisition SCADA.
Advantech WebAccess is vulnerable to a Stack-based buffer overflow
attack, which can be exploited by remote attackers to execute arbitrary
code, by providing a malicious html file with specific parameters for an
ActiveX component.
4. *Vulnerable packages*
. WebAccess 7.2
. Other versions are probably affected too, but they were not checked.
5. *Vendor Information, Solutions and Workarounds*
Given that this is a client-side vulnerability, affected users
should avoid opening untrusted '.html' files. Core Security also
recommends those affected use third party software such as Sentinel [3]
or EMET [2] that could help to prevent the exploitation of affected
systems to some extent.
Additionally the vendor released WebAccess v8 [4] where it has
deleted the vulnerable file 'webeye.ocx' but if version upgrade is being
performed, the vulnerable ocx file is not deleted at all, therefore we
do not consider this a correct fix.
6. *Credits*
This vulnerability was discovered and researched by Ricardo Narvaja
from Core Security Consulting Services. The publication of this advisory
was coordinated by Joaquín Rodríguez Varela from Core Advisories Team.
7. *Technical Description / Proof of Concept Code*
This vulnerability is caused by a stack buffer overflow when parsing
the ip_address parameter. A malicious third party could trigger
execution of arbitrary code within the context of the application, or
otherwise crash the whole application. This is caused because the
application copies to the stack the string without checking its length.
/-----
document.vdoactx.Connect(ip_address, port_no);
-----/
/-----
0001C2AA 8B11 MOV EDX,DWORD PTR DS:[ECX]
0001C2AC 8A45 08 MOV AL,BYTE PTR SS:[EBP+8]
0001C2AF 8802 MOV BYTE PTR DS:[EDX],AL
0001C2B1 FF01 INC DWORD PTR DS:[ECX]
0001C2B3 0FB6C0 MOVZX EAX,AL
0001C2B6 EB 0B JMP SHORT 0001C2C3
-----/
# 0day.today [2024-11-15] #