Synopsis
While developing a Nessus plugin to detect CVE-2019-3975, Tenable found an unauthenticated remote stack overflow vulnerability in Advantech WebAccess/SCADA 8.4.2. The flaw exists in the LogInfoFormat function in BwPAlarm.dll due to improper validation of user-supplied data before copying it to a fixed-size stack-based buffer when processing an IOCTL 70533 RPC message:
.text:0700674C ioctl_70533:                            ; CODE XREF: _BwRPCPAlarmService+2F4B↑j
.text:0700674C                                         ; DATA XREF: .text:jpt_700672B↓o
.text:0700674C     mov     edi, [ebp+arg_pInbuf]       ; jumptable 0700672B case 10533
.text:0700674F     mov     [ebp+arg_pOutbuf], esi
.text:07006752     push    edi
.text:07006753     push    offset `string'             ; "BwRpcP_KernelShutdown : %s"
.text:07006758     call    LogInfoFormat(char *,...)
[...]
[...]
[...]
.text:07023E40 void __cdecl LogInfoFormat(char *, ...) proc near
.text:07023E40                                         ; CODE XREF: _BwRPCPAlarmService+2F78↑p
.text:07023E40                                         ; _BwRPCPAlarmService+30FD↑p
.text:07023E40
.text:07023E40 sbuf   = byte ptr -800h
.text:07023E40 Format = dword ptr  4
.text:07023E40 Args   = byte ptr  8
.text:07023E40
.text:07023E40     mov     ecx, [esp+Format]
.text:07023E44     sub     esp, 800h
.text:07023E4A     lea     eax, [esp+800h+Args]        ; attacker-supplied data; the format
.text:07023E4A                                         ; string can contain %s, so the data
.text:07023E4A                                         ; can overflow the fixed-size,
.text:07023E4A                                         ; 0x800-byte stack buffer.
.text:07023E51     lea     edx, [esp+800h+sbuf]        ; 0x800-byte stack buffer
.text:07023E55     push    eax
.text:07023E56     push    ecx
.text:07023E57     push    edx
.text:07023E58     call    _vsprintf
Here an unauthenticated, remote attacker can send a large amount of data to overflow a 0x800-byte stack buffer via the vsprintf function.
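As an added illustration (not Advantech's code), the unbounded vsprintf pattern described above is reconstructed in C beside a bounded replacement, together with a check that reports whether a given argument would exceed the 0x800-byte buffer. The format string is the "BwRpcP_KernelShutdown : %s" one seen in the disassembly; the function names and the oversized input are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF_SIZE 0x800   /* same size as the stack buffer in LogInfoFormat */
/* Shape of the flawed routine (hypothetical reconstruction, not Advantech's code):
 * vsprintf into a fixed stack buffer, so a long %s argument writes past sbuf.
 * It is only ever called here with a short, fitting argument. */
static void log_info_format_unbounded(const char *fmt, ...)
{
    char sbuf[LOG_BUF_SIZE];
    va_list ap;
    va_start(ap, fmt);
    vsprintf(sbuf, fmt, ap);     /* no bound: writes strlen(result)+1 bytes */
    va_end(ap);
    puts(sbuf);
}

/* Hardened form: vsnprintf never writes more than out_size bytes and returns
 * the length the full message needed. Returns 1 if it fit, 0 if truncated. */
static int log_info_format_bounded(char *out, size_t out_size, const char *fmt, ...)
{
    va_list ap; int needed;
    va_start(ap, fmt);
    needed = vsnprintf(out, out_size, fmt, ap);
    va_end(ap);
    if (needed < 0) { out[0] = '\0'; return 0; }
    return (size_t)needed < out_size;
}

/* Length the unbounded call would produce for this argument (without the NUL),
 * measured with snprintf(NULL, 0, ...) so nothing is written; >= LOG_BUF_SIZE
 * means the original routine would have overflowed its stack buffer. */
static int would_overflow_log_buffer(const char *arg)
{
    int n = snprintf(NULL, 0, "BwRpcP_KernelShutdown : %s", arg);
    return n < 0 || n >= LOG_BUF_SIZE;
}

int main(void)
{
    char out[LOG_BUF_SIZE], long_arg[0x900];   /* constructed oversized input */
    memset(long_arg, 'A', sizeof long_arg - 1);
    long_arg[sizeof long_arg - 1] = '\0';
    log_info_format_unbounded("BwRpcP_KernelShutdown : %s", "node-01");
    printf("overflow=%d\n", would_overflow_log_buffer(long_arg));   /* 1 */
    printf("fit=%d\n", log_info_format_bounded(out, sizeof out, "BwRpcP_KernelShutdown : %s", long_arg)); /* 0 */
    return 0;
}
```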
Exception and exploitability classification shown in WinDbg:
0:007> g
ModLoad: 005e0000 005f0000   C:\WebAccess\Node\viewsrv.dll
(de0.c44): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=00000000 ecx=01e16fb8 edx=01e01b4c esi=00000000 edi=00892760
eip=41414141 esp=0298eae8 ebp=0298f730 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
41414141 ??              ???
0:007> kb
 # ChildEBP RetAddr  Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
00 0298eae4 41414141 41414141 41414141 41414141 0x41414141
01 0298f730 00404a4e 00002925 00000900 00892760 0x41414141
02 0298f9cc 00402c75 00878fd8 02c920f0 00011385 webvrpcs+0x4a4e
03 0298fa18 00401198 00878fd8 02c920f0 00011385 webvrpcs+0x2c75
04 0298fb44 778e5fda 0087909c d0b9292e 0087f628 webvrpcs+0x1198
05 0298fb7c 778e647b 00401000 0087909c 0298fc20 RPCRT4!DispatchToStubInCNoAvrf+0x46
06 0298fbd4 778e6355 00000000 00000000 00000000 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x158
07 0298fbf8 77927e6d 0087909c 00000000 00000000 RPCRT4!RPC_INTERFACE::DispatchToStub+0x90
08 0298fc84 779281bc 00000000 00878fd8 00879054 RPCRT4!OSF_SCALL::DispatchHelper+0x23f
09 0298fc98 77928401 00000000 00892738 00878fd8 RPCRT4!OSF_SCALL::DispatchRPCCall+0xf5
0a 0298fcc4 779289a0 00892738 0300092c 00000001 RPCRT4!OSF_SCALL::ProcessReceivedPDU+0x223
0b 0298fce4 77928b9c 00892738 0000092c 0000000c RPCRT4!OSF_SCALL::BeginRpcCall+0x123
0c 0298fd40 7793747f 00000000 00892738 0000092c RPCRT4!OSF_SCONNECTION::ProcessReceiveComplete+0x1e1
0d 0298fd54 7794bf8f 00895890 0000000c 00000000 RPCRT4!ProcessConnectionServerReceivedEvent+0x1c
0e 0298fd78 7794c188 00895890 0000000c 00000000 RPCRT4!DispatchIOHelper+0x46
0f 0298fdb0 75af818c 0000052c 00000000 0087e058 RPCRT4!CO_ConnectionThreadPoolCallback+0x120
10 0298fdd4 77df4cd6 0298fe74 00872370 0087e058 KERNELBASE!BasepTpIoCallback+0x2f
11 0298fe30 77dcfb5b 0298fe74 008603e8 0087e058 ntdll!TppIopExecuteCallback+0x1c5
12 0298ff88 758d343d 008725b0 0298ffd4 77db9832 ntdll!TppWorkerThread+0x594
13 0298ff94 77db9832 008725b0 75606122 00000000 kernel32!BaseThreadInitThunk+0xe
14 0298ffd4 77db9805 77dd04bc 008725b0 ffffffff ntdll!__RtlUserThreadStart+0x70
15 0298ffec 00000000 77dd04bc 008725b0 00000000 ntdll!_RtlUserThreadStart+0x1b
0:007> .load msec.dll
0:007> !exploitable
!exploitable 1.6.0.0
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Data Execution Prevention Violation starting at Unknown Symbol @ 0x0000000041414141 called from webvrpcs+0x0000000000004a4e (Hash=0xdd0ef56a.0xbb1bd46e)
User mode DEP access violations are exploitable.
Solution
Upgrade to WebAccess/SCADA 8.4.3.
Disclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]