Advantech WebAccess Stack-based Buffer Overflow

1. Advisory Information

Title: Advantech WebAccess Stack-based Buffer Overflow
Advisory ID: CORE-2014-0010
Advisory URL: http://www.coresecurity.com/advisories/advantech-webaccess-stack-based-buffer-overflow
Date published: 2014-11-19
Date of last update: 2014-11-19
Vendors contacted: Advantech
Release mode: Coordinated release

2. Vulnerability Information

Class: Stack-based Buffer Overflow [CWE-121]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2014-8388

3. Vulnerability Description

Advantech WebAccess [1] is a browser-based software package for human-machine interfaces HMI, and supervisory control and data acquisition SCADA.

Advantech WebAccess is vulnerable to a Stack-based buffer overflow attack, which can be exploited by remote attackers to execute arbitrary code, by providing a malicious html file with specific parameters for an ActiveX component.

4. Vulnerable packages

  • WebAccess 7.2
  • Other versions are probably affected too, but they were not checked.

5. Vendor Information, Solutions and Workarounds

Given that this is a client-side vulnerability, affected users should avoid opening untrusted .html files. Core Security also recommends those affected use third party software such as Sentinel [3] or EMET [2] that could help to prevent the exploitation of affected systems to some extent.

Additionally the vendor released WebAccess v8 [4] where it has deleted the vulnerable file 'webeye.ocx' but if version upgrade is being performed, the vulnerable ocx file is not deleted at all, therefore we do not consider this a correct fix.

6. Credits

This vulnerability was discovered and researched by Ricardo Narvaja from Core Security Consulting Services. The publication of this advisory was coordinated by Joaquín Rodríguez Varela from Core Advisories Team.

7. Technical Description / Proof of Concept Code

[CVE-2014-8388] This vulnerability is caused by a stack buffer overflow when parsing the ip_address parameter. A malicious third party could trigger execution of arbitrary code within the context of the application, or otherwise crash the whole application. This is caused because the application copies to the stack the string without checking its length.

document.vdoactx.Connect(ip_address, port_no);
0001C2AA    8B11            MOV EDX,DWORD PTR DS:[ECX]
0001C2AC    8A45 08         MOV AL,BYTE PTR SS:[EBP+8]
0001C2AF    8802            MOV BYTE PTR DS:[EDX],AL
0001C2B1    FF01            INC DWORD PTR DS:[ECX]
0001C2B3    0FB6C0          MOVZX EAX,AL
0001C2B6    EB 0B           JMP SHORT 0001C2C3

8. Report Timeline

  • 2014-10-01: Initial notification sent to ICS-CERT informing of the vulnerability and requesting the vendor's contact information.
  • 2014-10-01: ICS-CERT informs that they will ask the vendor if they want to coordinate directly with us or if they prefer to have ICS-CERT mediate. They request the vulnerability report.
  • 2014-10-01: ICS-CERT informs that the vendor answered that they would like the ICS-CERT to mediate the coordination of the advisory. They requested again the vulnerability report.
  • 2014-10-01: We send the vulnerability detail, including technical description and a PoC.
  • 2014-10-09: We request a status update on the reported vulnerability.
  • 2014-10-20: ICS-CERT informs that the vendor has patched WebAccess in version 8.0 and published it. This was done without informing us in order to make a coordianted release. The ICS-CERT asks if we can test the fix.
  • 2014-10-21: We clearly state how we disagree with the uncoordinated published fix. We began testing the fix.
  • 2014-10-21: We inform them that the "webeye.ocx" file (version 1.0.1.35) is still present in the new version.
  • 2014-10-27: ICS-CERT informs us that the vendor has removed the vulnerable OCX file from the new version but it doesn't remove it from previous installations, making the new version still vulnerable.
  • 2014-11-13: We inform them that we will publish this advisory as user release on Wednesday 19th of November.
  • 2014-11-19: Advisory CORE-2014-0010 published.

9. References

[1] http://webaccess.advantech.com/.
[2] http://support.microsoft.com/kb/2458544.
[3] https://github.com/CoreSecurity/sentinel.
[4] http://webaccess.advantech.com/webaccess_download.php?lang=eng.

10. About CoreLabs

CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

11. About Core Security

Core Security enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.

12. Disclaimer

The contents of this advisory are copyright (c) 2014 Core Security and (c) 2014 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

13. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.