#######################################################################
Luigi Auriemma
Application:  PcVue
              http://www.arcinfo.com/index.php?option=com_content&id=2&Itemid=151
Versions:     PcVue <= 10.0
              SVUIGrd.ocx <= 1.5.1.0
              aipgctl.ocx <= 1.07.3702
Platforms:    Windows
Bugs:         A] code execution in SVUIGrd.ocx Save/LoadObject
              B] write4 in SVUIGrd.ocx GetExtendedColor
              C] possible files corruption/injection in SVUIGrd.ocx Save/LoadObject
              D] array overflow in aipgctl.ocx DeletePage
Exploitation: remote
Date:         27 Sep 2011
Author:       Luigi Auriemma
e-mail:       aluigi@autistici.org
web:          aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
From vendor's homepage:
"PcVue is a new generation of SCADA software. It is characterised by
modern ergonomics and by tools based on object technology to reduce and
optimise applications development."
#######################################################################
=======
2) Bugs
=======
------------------------------------------------
A] code execution in SVUIGrd.ocx Save/LoadObject
------------------------------------------------
The aStream number passed to the SaveObject and LoadObject methods of
SVUIGrd.ocx (CLSID 2BBD45A5-28AE-11D1-ACAC-0800170967D9) is used
directly as a function pointer:

  02695b9d 8b00            mov     eax,dword ptr [eax]     ; controlled
  02695b9f ff5004          call    dword ptr [eax+4]       ; execution
-----------------------------------------
B] write4 in SVUIGrd.ocx GetExtendedColor
-----------------------------------------
Through the GetExtendedColor method of SVUIGrd.ocx it's possible to
write a dword to an arbitrary memory location:

  02198e36 8902            mov     dword ptr [edx],eax     ; controlled
---------------------------------------------------------------------
C] possible files corruption/injection in SVUIGrd.ocx Save/LoadObject
---------------------------------------------------------------------
SaveObject allows the caller to specify the name of the file to save,
and LoadObject the name of the file to load.
I have not performed additional research, so for the moment the only
thing I have seen is the possibility of corrupting files on the system
via directory traversal attacks.
I suspect it is also possible to write custom content, but this has not
been proved or verified.
-------------------------------------------
D] array overflow in aipgctl.ocx DeletePage
-------------------------------------------
Array overflow in the DeletePage method of the ActiveX component
aipgctl.ocx (CLSID 083B40D3-CCBA-11D2-AFE0-00C04F7993D6):

  10013852 8b0cb8          mov     ecx,dword ptr [eax+edi*4]
  10013855 85c9            test    ecx,ecx
  10013857 7407            je      aipgctl+0x13860 (10013860)
  10013859 8b11            mov     edx,dword ptr [ecx]
  1001385b 6a01            push    1
  1001385d ff5204          call    dword ptr [edx+4]       ; execution
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/pcvue_1.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17896.zip
#######################################################################
======
4) Fix
======
No fix.
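As an added mitigation example that is not part of the original advisory: the following PowerShell script sets the ActiveX kill bit for the two CLSIDs quoted in section 2, so that Internet Explorer and other hosts honouring the kill bit refuse to instantiate SVUIGrd.ocx and aipgctl.ocx from web content. It assumes the standard Microsoft "Compatibility Flags" registry location (KB240797) and an elevated PowerShell session.

```powershell
# Added example (not from the advisory): set the ActiveX kill bit for the
# two vulnerable PcVue controls named in section 2. Run as Administrator.
$Clsids = @{
    '{2BBD45A5-28AE-11D1-ACAC-0800170967D9}' = 'SVUIGrd.ocx'
    '{083B40D3-CCBA-11D2-AFE0-00C04F7993D6}' = 'aipgctl.ocx'
}
# Native view plus the Wow6432Node view used by 32-bit hosts on 64-bit Windows
$Bases = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)
$KillBit = 0x400   # documented "Compatibility Flags" kill-bit value

foreach ($base in $Bases) {
    if (-not (Test-Path $base)) { continue }   # view does not exist on this OS
    foreach ($clsid in $Clsids.Keys) {
        $key = Join-Path $base $clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $current) { $current = 0 }
        # OR the bit in so any flags already present are preserved
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' `
            -Value ($current -bor $KillBit) -Type DWord
        Write-Host ("kill bit set: {0} ({1}) under {2}" -f $clsid, $Clsids[$clsid], $base)
    }
}

# Verification pass: report any control whose kill bit is still not set
foreach ($base in $Bases) {
    if (-not (Test-Path $base)) { continue }
    foreach ($clsid in $Clsids.Keys) {
        $flags = (Get-ItemProperty -Path (Join-Path $base $clsid) `
                  -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if (($flags -band $KillBit) -ne $KillBit) {
            Write-Warning ("kill bit NOT set for {0} under {1}" -f $clsid, $base)
        }
    }
}
```

The kill bit only stops hosts that honour it (Internet Explorer and some Office components) from loading the controls; it does not patch the OCX files themselves, so PcVue's own use of them is unaffected.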
#######################################################################