Advantech WebAccess Webvrpcs Service Opcode 80061 Stack Buffer Overflow
Description
A Stack-based Buffer Overflow issue was discovered in Advantech WebAccess versions prior to V8.2_20170817. The application lacks proper validation of the length of user-supplied data prior to copying it to a stack-based buffer, which could allow an attacker to execute arbitrary code under the context of the process.
Technical Analysis
The stack overflow happens in sub_10004BC8:
.text:10004BC8 ; int __cdecl sub_10004BC8(char *Format, char)
.text:10004BC8 sub_10004BC8 proc near
.text:10004BC8
.text:10004BC8 lpWindowName       = dword ptr -818h
.text:10004BC8 hWnd               = dword ptr -814h
.text:10004BC8 lpClassName        = dword ptr -810h
.text:10004BC8 Args               = dword ptr -80Ch
.text:10004BC8 lpBaseAddress      = dword ptr -808h
.text:10004BC8 hFileMappingObject = dword ptr -804h
.text:10004BC8 Dest               = byte ptr -800h
.text:10004BC8 Format             = dword ptr 8
.text:10004BC8 arg_4              = byte ptr 0Ch
.text:10004BC8
.text:10004BC8 push    ebp
.text:10004BC9 mov     ebp, esp
.text:10004BCB sub     esp, 818h
.text:10004BD1 mov     [ebp+lpWindowName], offset aDebugScreen1 ; "Debug Screen1"
.text:10004BDB mov     [ebp+lpClassName], offset aDebugwclass1 ; "debugWClass1"
.text:10004BE5 lea     eax, [ebp+arg_4]
.text:10004BE8 mov     [ebp+Args], eax
.text:10004BEE mov     ecx, [ebp+Args]
.text:10004BF4 push    ecx             ; Args
.text:10004BF5 mov     edx, [ebp+Format]
.text:10004BF8 push    edx             ; Format
.text:10004BF9 lea     eax, [ebp+Dest]
.text:10004BFF push    eax             ; Dest
.text:10004C00 call    ds:vsprintf     ; overflow
The corresponding IDL is below:
[
  uuid(5d2b62aa-ee0a-4a95-91ae-b064fdb471fc),
  version(1.0)
]
interface target_interface
{
  /* opcode: 0x01, address: 0x00401260 */
  void sub_401260 (
    [in] handle_t arg_1,
    [in] long arg_2,
    [in] long arg_3,
    [in] long arg_4,
    [in][ref][size_is(arg_4)] char * arg_5,
    [out][ref] long * arg_6
  );
}
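The disassembly shows the whole defect in one instruction: vsprintf expands the format into Dest, a 0x800-byte stack buffer, with nothing bounding the expansion, and the IDL shows the RPC interface takes a caller-sized byte array (arg_5, size_is(arg_4)). The C below is an added example, not Advantech's code and not from the assessment above. It places the unbounded vsprintf pattern beside a bounded rewrite and a hypothetical opcode-1 handler (rpc_opcode1_handler, a made-up name) that validates arg_4 against the destination size before formatting and prints the caller's bytes through "%.*s" so they are never interpreted as a format string. Which RPC argument actually reaches the Format parameter of sub_10004BC8 is not shown on the page, so the data flow in the handler is an assumption; the sample payloads are constructed, not captured traffic.

```c
/* Added example: unbounded vs bounded formatting into a 0x800-byte stack buffer.
 * Not Advantech's code. rpc_opcode1_handler and the demo_* inputs are hypothetical. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define DEST_SIZE 0x800   /* Dest = byte ptr -800h in the disassembly */

/* Vulnerable shape (as in sub_10004BC8): vsprintf writes however much the
 * format expands to. Anything past DEST_SIZE-1 characters lands on the
 * saved registers and return address. Shown for contrast; not exercised. */
void debug_format_unbounded(char *dest, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsprintf(dest, fmt, ap);            /* the overflow site */
    va_end(ap);
}

/* Hardened shape: vsnprintf never writes past dest_size and returns the
 * length the full expansion needed, so the caller can detect truncation. */
int debug_format_bounded(char *dest, size_t dest_size, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int needed = vsnprintf(dest, dest_size, fmt, ap);
    va_end(ap);
    return needed;                      /* >= dest_size means truncated */
}

/* Hypothetical opcode 0x01 handler. arg_5/arg_4 mirror the IDL: a byte
 * array and its caller-supplied length. Returns the number of bytes
 * formatted, -1 if the length cannot fit (with terminator), -2 if the
 * bounded formatter still reported truncation. */
int rpc_opcode1_handler(const char *arg_5, long arg_4, char *dest, size_t dest_size)
{
    if (arg_5 == NULL || arg_4 < 0 || (size_t)arg_4 >= dest_size)
        return -1;                      /* reject before touching the stack buffer */

    /* "%.*s" bounds the copy to arg_4 bytes and keeps caller data out of
     * the format string, closing the format-string variant as well. */
    int needed = debug_format_bounded(dest, dest_size, "%.*s", (int)arg_4, arg_5);
    if (needed < 0 || (size_t)needed >= dest_size)
        return -2;                      /* defensive: should not happen after the check */
    return needed;
}

/* Constructed inputs (not captured traffic). */
int demo_oversized(void)                /* 4096 bytes: twice the size of Dest */
{
    static char payload[4096];
    static char dest[DEST_SIZE];
    memset(payload, 'A', sizeof payload);
    return rpc_opcode1_handler(payload, (long)sizeof payload, dest, sizeof dest);
}

int demo_at_length(long len)            /* 'A' * len, for probing the boundary */
{
    static char payload[4096];
    static char dest[DEST_SIZE];
    memset(payload, 'A', sizeof payload);
    return rpc_opcode1_handler(payload, len, dest, sizeof dest);
}

int demo_short(void)                    /* a benign 21-byte message */
{
    static char dest[DEST_SIZE];
    const char *msg = "debug: worker started";
    int r = rpc_opcode1_handler(msg, 21, dest, sizeof dest);
    return (r == 21 && strcmp(dest, msg) == 0) ? 1 : 0;
}

int demo_truncation_reported(void)      /* bounded formatter into a 16-byte buffer */
{
    char small[16];
    return debug_format_bounded(small, sizeof small, "%s", "0123456789abcdefghij"); /* 20 */
}

int main(void)
{
    printf("oversized payload  -> %d\n", demo_oversized());
    printf("0x7FF bytes        -> %d\n", demo_at_length(0x7FF));
    printf("0x800 bytes        -> %d\n", demo_at_length(0x800));
    printf("short message ok   -> %d\n", demo_short());
    printf("truncation needed  -> %d\n", demo_truncation_reported());
    return 0;
}
```

The boundary matters: 0x7FF bytes plus the terminator exactly fills Dest and is accepted, while 0x800 bytes is refused, which is the check sub_10004BC8 lacks. The vsnprintf return value is the other half of the fix; a bounded call that silently truncates hides malformed input that an RPC server should log and reject.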
General Information
Vendors
- advantech
Products
- webaccess