| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <546CD3A4.1010009@coresecurity.com>
Date: Wed, 19 Nov 2014 14:30:12 -0300
From: CORE Advisories Team <advisories@...esecurity.com>
To: <bugtraq@...urityfocus.com>, <fulldisclosure@...lists.org>
Subject: [FD] [CORE-2014-0008] - Advantech AdamView Buffer Overflow
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
Advantech AdamView Buffer Overflow
1. *Advisory Information*
Title: Advantech AdamView Buffer Overflow
Advisory ID: CORE-2014-0008
Advisory URL:
http://www.coresecurity.com/advisories/advantech-adamView-buffer-overflow
Date published: 2014-11-19
Date of last update: 2014-11-19
Vendors contacted: Advantech
Release mode: User release
2. *Vulnerability Information*
Class: Buffer overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2014-8386
3. *Vulnerability Description*
Advantech AdamView [1] is a HMI Software for Data Acquisition
software package for human-machine interfaces HMI, and supervisory
control and data acquisition SCADA.
Advantech AdamView has to two different fields vulnerable to buffer
overflow attacks, which can be exploited by attackers in order to
execute arbitrary code by running files with the '.gni' extension
that is assosiated with the AdamView software.
4. *Vulnerable packages*
. Advantech AdamView V4.3
. Other versions are probably affected too, but they were not checked.
5. *Vendor Information, Solutions and Workarounds*
The vendor informed us that the product is no longer supported and
therefore no fix or update is going to be released.
Given that this is a client-side vulnerability, affected users
should avoid opening untrusted '.gni' files. Core Security also
recommends those affected use third party software such as Sentinel
[3] or EMET [2] that could help to prevent the exploitation of
affected systems to some extent.
6. *Credits*
This vulnerability was discovered and researched by Daniel Kazimirow
and Fernando Paez from Core Security Exploit Writers Team. The
publication of this advisory was coordinated by Joaquín Rodríguez
Varela from Core Advisories Team.
7. *Technical Description / Proof of Concept Code*
This vulnerability is caused by a stack buffer overflow when parsing
the display properties parameter. A malicious third party could
trigger execution of arbitrary code within the context of the
application, or otherwise crash the whole application.
Below are shown the vulnerable fields, the debug information, and
the stack state after being overwritten.
/-----
VULNERABLE FIELDS:
[+] display properties (BUG 1)
00475BA0 |. 53 PUSH EBX ; /<%s>
00475BA1 |. 8D4C24 18 LEA ECX,DWORD PTR SS:[ESP+18] ; |
00475BA5 |. 68 F09C4B00 PUSH ADAMView.004B9CF0 ;
|Format = "Display Designer: %s"
00475BAA |. 51 PUSH ECX ; |s
00475BAB |. 8BF0 MOV ESI,EAX ; |
00475BAD |. FF15 84FF4900 CALL DWORD PTR DS:[<&USER32.wsprintfA>] ;
\wsprintfA
DEBUG:
EAX 00000000
ECX 00000001
EDX 00000000
EBX 00000003
ESP 0012F924
EBP 00000000
ESI 0012F9B4
EDI 00F39DC8
EIP CCCCCCCC <------------------------------------
C 0 ES 0023 32bit 0(FFFFFFFF)
P 0 CS 001B 32bit 0(FFFFFFFF)
A 0 SS 0023 32bit 0(FFFFFFFF)
Z 0 DS 0023 32bit 0(FFFFFFFF)
S 0 FS 003B 32bit 7FFDE000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00010202 (NO,NB,NE,A,NS,PO,GE,G)
ST0 empty
ST1 empty
ST2 empty
ST3 empty
ST4 empty
ST5 empty
ST6 empty
ST7 empty
3 2 1 0 E S P U O Z D I
FST 4000 Cond 1 0 0 0 Err 0 0 0 0 0 0 0 0 (EQ)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
STACK:
0012F958 CCCCCCCC ÌÌÌÌ
0012F95C CCCCCCCC ÌÌÌÌ
0012F960 CCCCCCCC ÌÌÌÌ
0012F964 CCCCCCCC ÌÌÌÌ
0012F968 CCCCCCCC ÌÌÌÌ
0012F96C CCCCCCCC ÌÌÌÌ
0012F970 CCCCCCCC ÌÌÌÌ
0012F974 CCCCCCCC ÌÌÌÌ
0012F978 CCCCCCCC ÌÌÌÌ
0012F97C CCCCCCCC ÌÌÌÌ Pointer to next SEH record
0012F980 0043304A J0C. SE handler <-------------- SEH CONTROLLED
BY US (PPR)
0012F984 FFFFFFFF ÿÿÿÿ
0012F988 00485103 QH. RETURN to ADAMView.00485103
-----/
This vulnerability is caused by a stack buffer overflow when parsing
the conditional bitmap parameter. A malicious third party could
trigger execution of arbitrary code within the context of the
application, or otherwise crash the whole application.
Below are shown the vulnerable fields, the debug information, and
the stack state after being overwritten.
/-----
VULNERABLE FIELDS:
[+] conditional bitmap > bitmap file map (is a path) (BUG 2)
00406E70 |. 55 |PUSH EBP ;
/StringToAdd
00406E71 |. 51 |PUSH ECX ;
|ConcatString
00406E72 |. FF15 A8F34900 |CALL DWORD PTR DS:[<&KERNEL32.lstrcatA>>;
\lstrcatA
DEBUG:
EAX 00000000
ECX CCCCCCCC <--------------------- EAX
EDX 73EA2608 MFC42.73EA2608
EBX 00F3C92E ASCII "BMP1"
ESP 0012F884
EBP 0000099C
ESI 0012F9B4
EDI 00F3C818
EIP CCCCCCCC <---------------------
C 0 ES 0023 32bit 0(FFFFFFFF)
P 0 CS 001B 32bit 0(FFFFFFFF)
A 0 SS 0023 32bit 0(FFFFFFFF)
Z 0 DS 0023 32bit 0(FFFFFFFF)
S 0 FS 003B 32bit 7FFDF000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_PATH_NOT_FOUND (00000003)
EFL 00010202 (NO,NB,NE,A,NS,PO,GE,G)
ST0 empty
ST1 empty
ST2 empty
ST3 empty
ST4 empty
ST5 empty
ST6 empty
ST7 empty
3 2 1 0 E S P U O Z D I
FST 4000 Cond 1 0 0 0 Err 0 0 0 0 0 0 0 0 (EQ)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
STACK:
0012F884 CCCCCCCC
0012F888 CCCCCCCC
0012F88C CCCCCCCC
0012F890 CCCCCCCC
0012F894 CCCCCCCC
0012F898 CCCCCCCC
0012F89C CCCCCCCC
0012F8A0 7ACCCCCC
0012F8A4 CC004342
0012F8A8 CCCCCCCC
0012F8AC CCCCCCCC
0012F8B0 CCCCCCCC
0012F8B4 CCCCCCCC
0012F8B8 CCCCCCCC
0012F8BC CCCCCCCC
0012F8C0 CCCCCCCC
0012F8C4 CCCCCCCC
-----/
8. *Report Timeline*
. 2014-10-01:
Initial notification sent to ICS-CERT informing of the vulnerability
and requesting the vendor's contact information.
. 2014-10-01:
ICS-CERT informs that they will ask the vendor if they want to
coordinate directly with us or if they prefer to have ICS-CERT
mediate. They request the vulnerability report.
. 2014-10-01:
ICS-CERT informs that the vendor answered that they would like the
ICS-CERT to mediate the coordination of the advisory. They requested
again the vulnerability report.
. 2014-10-01:
We send the vulnerability detail, including technical description
and a PoC.
. 2014-10-09:
We request a status update on the reported vulnerability.
. 2014-10-20:
ICS-CERT informs that the vendor is still reviewing the vulnerability.
. 2014-10-27:
ICS-CERT informs us that the vendor is no longer supporting
ADAMView, and therefore they will not fix it.
. 2014-11-13:
We inform them that we will publish this advisory as user release on
Wednesday 19th of November.
. 2014-11-19:
Advisory CORE-2014-0008 published.
9. *References*
[1]
http://www.advantech.com/products/1-39JG4I/ADAMVIEW/mod_328DB466-4B81-4652-B8AF-F5568F24A103.aspx.
[2] http://support.microsoft.com/kb/2458544.
[3] https://github.com/CoreSecurity/sentinel.
10. *About CoreLabs*
CoreLabs, the research center of Core Security, is charged with
anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and
cryptography. Our results include problem formalization,
identification of vulnerabilities, novel solutions and prototypes
for new technologies. CoreLabs regularly publishes security
advisories, technical papers, project information and shared
software tools for public use at: http://corelabs.coresecurity.com.
11. *About Core Security*
Core Security enables organizations to get ahead of threats with
security test and measurement solutions that continuously identify
and demonstrate real-world exposures to their most critical assets.
Our customers can gain real visibility into their security standing,
real validation of their security controls, and real metrics to more
effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's
Security Consulting Services, CoreLabs and Engineering groups. Core
Security can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.
12. *Disclaimer*
The contents of this advisory are copyright (c) 2014 Core Security
and (c) 2014 CoreLabs, and are licensed under a Creative Commons
Attribution Non-Commercial Share-Alike 3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
13. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists