
Siemens Solid Edge WebPartHelper ActiveX Remote Code Execution

Last updated February 13, 2020

Description

Siemens Solid Edge ST4 and ST5 contain a flaw in the OpenInEditor() method in the WPHelper.dll ActiveX control. This issue may allow a context-dependent attacker to potentially execute arbitrary commands.

Technical Analysis

Vulnerability:

The WebPartHelper class offers the OpenInEditor() method; see the typelib:

    /* DISPID=8 */
    function OpenInEditor(
        /* VT_VARIANT [12] [in] */ $URL
    )
    {
    }

By passing a null session share path to the URL argument of this method
it is possible to launch an arbitrary executable.

This is because of a ShellExecuteExW() call inside RFMSsvs.dll.

Analysis:

The ShellExecuteExW call is this one:

    .text:100E9F07 loc_100E9F07:                  ; CODE XREF: JShellExecuteEx+1B6j
    .text:100E9F07 push    esi                    ; pExecInfo
    .text:100E9F08 call    ds:ShellExecuteExW

Where the pExecInfo can be partially controlled by the user:

    .text:100E9EDE call    ds:??BGUserText@@QBEPB_WXZ ; GUserText::operator wchar_t const *(void)
    .text:100E9EE4 mov     [esi+10h], eax

But just the esi+10h field of a SHELLEXECUTEINFO can be controlled:

    typedef struct _SHELLEXECUTEINFO {
        DWORD     cbSize;
        ULONG     fMask;
        HWND      hwnd;
        LPCTSTR   lpVerb;
        LPCTSTR   lpFile;          // <== esi + 10h
        LPCTSTR   lpParameters;
        LPCTSTR   lpDirectory;
        int       nShow;
        HINSTANCE hInstApp;
        LPVOID    lpIDList;
        LPCTSTR   lpClass;
        HKEY      hkeyClass;
        DWORD     dwHotKey;
        union {
            HANDLE hIcon;
            HANDLE hMonitor;
        } DUMMYUNIONNAME;
        HANDLE    hProcess;
    } SHELLEXECUTEINFO, *LPSHELLEXECUTEINFO;

So just the lpFile can be controlled. It doesn't allow for an awesome exploitation, but there are cases in Metasploit.

Just use WebDAV to simulate an SMB resource; the target machine should have the WebClient service (WebDAV Mini-Redirector) enabled. Then
execute a file via a UNC path. Anyway, exploitation is limited to machines with WebClient enabled (Windows XP SP3 has it enabled by default).
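The assessment above hinges on two host-side preconditions: the WebClient (WebDAV Mini-Redirector) service being available, and the vulnerable ActiveX control still being loadable by Internet Explorer. The following audit script is an added example, not code from the AttackerKB post or from Siemens; it assumes a placeholder CLSID, because the page does not give the CLSID of the WebPartHelper class in WPHelper.dll, and it checks the standard kill-bit location (Compatibility Flags bit 0x400) as the usual ActiveX mitigation.

```powershell
# Added defender-side audit (not from the original post or vendor).
# ASSUMPTION: the real CLSID of WPHelper.dll's WebPartHelper class is not on
# this page; replace the placeholder below before using the result.
$WebPartHelperClsid = '{00000000-0000-0000-0000-000000000000}'  # PLACEHOLDER

function Get-WebClientExposure {
    # The WebDAV Mini-Redirector is what lets \\host\share and \\host@80\share
    # UNC paths resolve to a remote WebDAV resource for ShellExecuteExW.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        return [pscustomobject]@{ Present = $false; Status = 'NotInstalled'; StartType = $null }
    }
    $mode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'").StartMode
    [pscustomobject]@{ Present = $true; Status = $svc.Status.ToString(); StartType = $mode }
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    # IE refuses to instantiate a control whose CLSID has bit 0x400 set in
    # "Compatibility Flags"; 32-bit controls on 64-bit Windows use Wow6432Node.
    $paths = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )
    foreach ($p in $paths) {
        $flags = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -ne $flags -and ($flags -band 0x400)) { return $true }
    }
    return $false
}

$exposure = Get-WebClientExposure
$killed   = Test-ActiveXKillBit -Clsid $WebPartHelperClsid
'WebClient service: {0} (start type: {1})' -f $exposure.Status, $exposure.StartType
'Kill bit set for {0}: {1}' -f $WebPartHelperClsid, $killed
if ($exposure.Status -eq 'Running' -and -not $killed) {
    Write-Warning 'Both preconditions for the UNC/WebDAV launch described above are present.'
}
```

Disabling the WebClient service or setting the kill bit for the control's CLSID removes the corresponding precondition; the script only reports, it changes nothing.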
