PcVue 10.0 – Multiple Vulnerabilities

• Exploit Database
• 123 阅读

• 作者： Luigi Auriemma
  日期： 2011-09-27
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/17896/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122

  #######################################################################   Luigi Auriemma   Application:PcVue http://www.arcinfo.com/index.php?option=com_content&id=2&Itemid=151 Versions: PcVue <= 10.0 SVUIGrd.ocx <= 1.5.1.0 aipgctl.ocx <= 1.07.3702 Platforms:Windows Bugs: A] code execution in SVUIGrd.ocx Save/LoadObject B] write4 in SVUIGrd.ocx GetExtendedColor C] possible files corruption/injection in SVUIGrd.ocx Save/LoadObject D] array overflow in aipgctl.ocx DeletePage Exploitation: remote Date: 27 Sep 2011 Author: Luigi Auriemma e-mail: aluigi@autistici.org web:aluigi.org     #######################################################################     1) Introduction 2) Bugs 3) The Code 4) Fix     #######################################################################   =============== 1) Introduction ===============     From vendor&apos;s homepage: "PcVue is a new generation of SCADA software. It is characterised by modern ergonomics and by tools based on object technology to reduce and optimise applications development."     #######################################################################   ======= 2) Bugs =======   ------------------------------------------------ A] code execution in SVUIGrd.ocx Save/LoadObject ------------------------------------------------   The aStream number of SaveObject and LoadObject methods available in SVUIGrd.ocx (2BBD45A5-28AE-11D1-ACAC-0800170967D9) is used directly as function pointer:   02695b9d 8b00mov eax,dword ptr [eax]; controlled 02695b9f ff5004calldword ptr [eax+4]; execution     ----------------------------------------- B] write4 in SVUIGrd.ocx GetExtendedColor -----------------------------------------   Through the GetExtendedColor method of SVUIGrd.ocx it&apos;s possible to write a dword in an arbitrary memory location:   02198e36 8902mov dword ptr [edx],eax; controlled     --------------------------------------------------------------------- C] possible files corruption/injection in SVUIGrd.ocx Save/LoadObject ---------------------------------------------------------------------   The SaveObject allow to specify the name of the file to save while LoadObject the one to load. I have not performed additional research so for the moment the only thing I have seen is the possibility of corrupting the files in the system via directory traversal attacks. I suspect that it&apos;s probable the possibility of writing custom content but it has not been proved or verified.     ------------------------------------------- D] array overflow in aipgctl.ocx DeletePage -------------------------------------------   Array overflow in the DeletePage method of the ActiveX component aipgctl.ocx (083B40D3-CCBA-11D2-AFE0-00C04F7993D6):   10013852 8b0cb8mov ecx,dword ptr [eax+edi*4] 10013855 85c9testecx,ecx 10013857 7407jeaipgctl+0x13860 (10013860) 10013859 8b11mov edx,dword ptr [ecx] 1001385b 6a01push1 1001385d ff5204calldword ptr [edx+4]; execution     #######################################################################   =========== 3) The Code ===========     http://aluigi.org/poc/pcvue_1.zip https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17896.zip     #######################################################################   ====== 4) Fix ======     No fix.     #######################################################################