Siemens Solid Edge WebPartHelper ActiveX Remote Code Execution
Description
Siemens Solid Edge ST4 and ST5 contain a flaw in the OpenInEditor() method of the WPHelper.dll ActiveX control. This issue may allow a context-dependent attacker to execute arbitrary commands.
Technical Analysis
Vulnerability:
The WebPartHelper class exposes the OpenInEditor() method; from the type library:
…
/* DISPID=8 */
function OpenInEditor(
/* VT_VARIANT [12] [in] */ $URL )
{
}
…
By passing a null-session share path (a UNC path to a share that needs no credentials) as the URL argument,
it is possible to launch an arbitrary executable.
This is because the value reaches a ShellExecuteExW() call inside RFMSsvs.dll.
Analysis:
The ShellExecuteExW call is this one:
.text:100E9F07 loc_100E9F07: ; CODE XREF: JShellExecuteEx+1B6j
.text:100E9F07 push esi ; pExecInfo
.text:100E9F08 call ds:ShellExecuteExW
Here pExecInfo is only partially controlled by the caller: the string returned for the user-supplied text is stored at esi+10h:
.text:100E9EDE call ds:??BGUserText@@QBEPB_WXZ ; GUserText::operator wchar_t const *(void)
.text:100E9EE4 mov [esi+10h], eax
Only the field at offset 10h of the SHELLEXECUTEINFO structure is attacker-controlled:
typedef struct _SHELLEXECUTEINFO {
DWORD cbSize;
ULONG fMask;
HWND hwnd;
LPCTSTR lpVerb;
LPCTSTR lpFile; <== esi + 10h
LPCTSTR lpParameters;
LPCTSTR lpDirectory;
int nShow;
HINSTANCE hInstApp;
LPVOID lpIDList;
LPCTSTR lpClass;
HKEY hkeyClass;
DWORD dwHotKey;
union {
HANDLE hIcon; HANDLE hMonitor;
} DUMMYUNIONNAME;
HANDLE hProcess;
} SHELLEXECUTEINFO, *LPSHELLEXECUTEINFO;
So only lpFile is controlled; lpVerb, lpParameters and lpDirectory are not. That limits exploitation, but Metasploit already has modules that handle this pattern.
Serve the payload over WebDAV to stand in for an SMB share and have the control execute the file via a UNC path. The target must have the WebClient service (WebDAV Mini-Redirector) running for the UNC path to resolve over HTTP,
so exploitation is limited to machines with WebClient enabled (on by default on Windows XP SP3).
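The check that OpenInEditor() lacks is a validation of lpFile before it is handed to ShellExecuteExW(). The following is an added example, not code from Siemens or from this assessment: a hypothetical validator that refuses every path form the shell would resolve through a network provider (plain and long-form UNC, forward-slash UNC, the WebDAV Mini-Redirector `\\host@80\DavWWWRoot\` syntax, and file: URLs, which the shell converts back into UNC paths), as well as relative names and `..` components. The probe inputs and the 10.0.0.5 host are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>
#include <wctype.h>

/* Added example: hypothetical validator for the lpFile value, not code from
 * Siemens or from the page. It models the check OpenInEditor() lacks: the
 * user-supplied URL goes straight into SHELLEXECUTEINFO.lpFile (esi+10h), so
 * anything the shell resolves through a network provider must be refused
 * before the ShellExecuteExW() call. */

static bool is_sep(wchar_t c)
{
    return c == L'\\' || c == L'/';
}

/* Returns true only for an absolute, drive-letter-rooted path with no ".."
 * components. Everything else is refused, in particular:
 *   \\server\share\x.exe          plain UNC / null-session share
 *   \\server@80\DavWWWRoot\x.exe   WebDAV Mini-Redirector syntax
 *   \\?\UNC\server\share\x.exe     long-path UNC form
 *   //server/share/x.exe           forward-slash UNC
 *   file://server/share/x.exe      file: URL the shell maps to \\server\share
 *   x.exe                          relative name resolved via the search path */
bool is_safe_local_path(const wchar_t *p)
{
    if (p == NULL || p[0] == L'\0')
        return false;

    /* Every UNC, device and WebDAV redirector form begins with two separators. */
    if (is_sep(p[0]) && is_sep(p[1]))
        return false;

    /* Refuse URL schemes ("file://", "http://") in the first component; the
     * shell turns file: URLs back into paths before executing them. */
    for (const wchar_t *q = p; *q && !is_sep(*q); ++q) {
        if (*q == L':' && q[1] == L'/' && q[2] == L'/')
            return false;
    }

    /* Require "X:\" or "X:/". A mapped drive can still point at a share, so a
     * production check would also resolve the path and confine it to an
     * allow-listed local directory (GetFullPathNameW / GetDriveTypeW on Windows). */
    if (!iswalpha((wint_t)p[0]) || p[1] != L':' || !is_sep(p[2]))
        return false;

    /* Reject ".." components so an allow-listed root cannot be escaped. */
    for (const wchar_t *q = p + 3; *q; ) {
        const wchar_t *start = q;
        while (*q && !is_sep(*q))
            ++q;
        if (q - start == 2 && start[0] == L'.' && start[1] == L'.')
            return false;
        if (*q)
            ++q;
    }
    return true;
}

int main(void)
{
    /* Constructed probe inputs; 10.0.0.5 is a placeholder host. */
    static const wchar_t *probes[] = {
        L"C:\\Program Files\\Siemens\\Solid Edge\\part.par",
        L"D:/data/model.par",
        L"\\\\10.0.0.5\\share\\calc.exe",
        L"\\\\10.0.0.5@80\\DavWWWRoot\\calc.exe",
        L"\\\\?\\UNC\\10.0.0.5\\share\\calc.exe",
        L"//10.0.0.5/share/calc.exe",
        L"file://10.0.0.5/share/calc.exe",
        L"calc.exe",
        L"C:\\Users\\Public\\..\\..\\Windows\\System32\\calc.exe",
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; ++i)
        wprintf(L"%-52ls %ls\n", probes[i],
                is_safe_local_path(probes[i]) ? L"allow" : L"refuse");
    return 0;
}
```

The validator is deliberately an allow-list (drive-rooted absolute paths only) rather than a deny-list of known remote prefixes, because the redirector accepts several spellings of the same share and a deny-list tends to miss one of them.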