Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Advantech WebAccess/SCADA Stack Buffer Overflow

Critical

Synopsis

While developing a Nessus plugin to detect CVE-2019-3975, Tenable found an unauthenticated remote stack overflow vulnerability in Advantech WebAccess/SCADA 8.4.2 The flaw exists in the LogInfoFormat function in BwPAlarm.dll due to improper validation of user-supplied data before copying it to a fixed-size stack-based buffer when processing an IOCTL 70533 RPC message:

.text:0700674C ioctl_70533:                       ; CODE XREF: _BwRPCPAlarmService+2F4B↑j
.text:0700674C                                    ; DATA XREF: .text:jpt_700672B↓o
.text:0700674C      mov     edi, [ebp+arg_pInbuf] ; jumptable 0700672B case 10533
.text:0700674F      mov     [ebp+arg_pOutbuf], esi
.text:07006752      push    edi
.text:07006753      push    offset `string'       ; "BwRpcP_KernelShutdown : %s"
.text:07006758      call    LogInfoFormat(char *,...)
[...]
[...]
[...]
.text:07023E40 void __cdecl LogInfoFormat(char *, ...) proc near
.text:07023E40                                    ; CODE XREF: _BwRPCPAlarmService+2F78↑p
.text:07023E40                                    ; _BwRPCPAlarmService+30FD↑p
.text:07023E40
.text:07023E40 sbuf = byte ptr -800h
.text:07023E40 Format= dword ptr  4
.text:07023E40 Args = byte ptr  8
.text:07023E40
.text:07023E40      mov     ecx, [esp+Format]
.text:07023E44      sub     esp, 800h
.text:07023E4A      lea     eax, [esp+800h+Args]  ; attacker-supplied data; the format
.text:07023E4A                                    ; string can contain %s, so the data
.text:07023E4A                                    ; can overflow the fixed_size,
.text:07023E4A                                    ; 0x800-byte stack buffer.
.text:07023E51      lea     edx, [esp+800h+sbuf]  ; 0x800-byte stack buffer
.text:07023E55      push    eax
.text:07023E56      push    ecx
.text:07023E57      push    edx
.text:07023E58      call    _vsprintf

Here an unauthenticated, remote attacker can send a large amount of data to overflow a 0x800-byte stack buffer via the vsprintf function.

Exception and exploitability shown in Windbg:

0:007> g
ModLoad: 005e0000 005f0000   C:\WebAccess\Node\viewsrv.dll
(de0.c44): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=00000000 ecx=01e16fb8 edx=01e01b4c esi=00000000 edi=00892760
eip=41414141 esp=0298eae8 ebp=0298f730 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
41414141 ??              ???
0:007> kb
 # ChildEBP RetAddr  Args to Child              
WARNING: Frame IP not in any known module. Following frames may be wrong.
00 0298eae4 41414141 41414141 41414141 41414141 0x41414141
01 0298f730 00404a4e 00002925 00000900 00892760 0x41414141
02 0298f9cc 00402c75 00878fd8 02c920f0 00011385 webvrpcs+0x4a4e
03 0298fa18 00401198 00878fd8 02c920f0 00011385 webvrpcs+0x2c75
04 0298fb44 778e5fda 0087909c d0b9292e 0087f628 webvrpcs+0x1198
05 0298fb7c 778e647b 00401000 0087909c 0298fc20 RPCRT4!DispatchToStubInCNoAvrf+0x46
06 0298fbd4 778e6355 00000000 00000000 00000000 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x158
07 0298fbf8 77927e6d 0087909c 00000000 00000000 RPCRT4!RPC_INTERFACE::DispatchToStub+0x90
08 0298fc84 779281bc 00000000 00878fd8 00879054 RPCRT4!OSF_SCALL::DispatchHelper+0x23f
09 0298fc98 77928401 00000000 00892738 00878fd8 RPCRT4!OSF_SCALL::DispatchRPCCall+0xf5
0a 0298fcc4 779289a0 00892738 0300092c 00000001 RPCRT4!OSF_SCALL::ProcessReceivedPDU+0x223
0b 0298fce4 77928b9c 00892738 0000092c 0000000c RPCRT4!OSF_SCALL::BeginRpcCall+0x123
0c 0298fd40 7793747f 00000000 00892738 0000092c RPCRT4!OSF_SCONNECTION::ProcessReceiveComplete+0x1e1
0d 0298fd54 7794bf8f 00895890 0000000c 00000000 RPCRT4!ProcessConnectionServerReceivedEvent+0x1c
0e 0298fd78 7794c188 00895890 0000000c 00000000 RPCRT4!DispatchIOHelper+0x46
0f 0298fdb0 75af818c 0000052c 00000000 0087e058 RPCRT4!CO_ConnectionThreadPoolCallback+0x120
10 0298fdd4 77df4cd6 0298fe74 00872370 0087e058 KERNELBASE!BasepTpIoCallback+0x2f
11 0298fe30 77dcfb5b 0298fe74 008603e8 0087e058 ntdll!TppIopExecuteCallback+0x1c5
12 0298ff88 758d343d 008725b0 0298ffd4 77db9832 ntdll!TppWorkerThread+0x594
13 0298ff94 77db9832 008725b0 75606122 00000000 kernel32!BaseThreadInitThunk+0xe
14 0298ffd4 77db9805 77dd04bc 008725b0 ffffffff ntdll!__RtlUserThreadStart+0x70
15 0298ffec 00000000 77dd04bc 008725b0 00000000 ntdll!_RtlUserThreadStart+0x1b
0:007> .load msec.dll
0:007> !exploitable

!exploitable 1.6.0.0
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Data Execution Prevention Violation starting at Unknown Symbol @ 0x0000000041414141 called from webvrpcs+0x0000000000004a4e (Hash=0xdd0ef56a.0xbb1bd46e)

User mode DEP access violations are exploitable.

Solution

Upgrade to WebAccess/SCADA 8.4.3.

Disclosure Timeline

09/16/2019 - Vulnerability discovered
10/16/2019 - Disclosed to [email protected]. 90 day is Jan 14, 2020.
10/17/2019 - Advantech acknowledges.
11/01/2019 - Advantech advises Tenable that they are realsing on Nov. 8, 2019.
12/03/2019 - Tenable confirms the fix in 8.4.3.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Try for Free Buy Now

Try Tenable.io

FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,275

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, email, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.

Try for Free Contact Sales

Try Tenable Lumin

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Request a demo of Tenable.ot

Get the Operational Technology Security You Need.
Reduce the Risk You Don’t.