
Advantech WebAccess/SCADA Stack Buffer Overflow

Critical

Synopsis

While developing a Nessus plugin to detect CVE-2019-3975, Tenable found an unauthenticated remote stack overflow vulnerability in Advantech WebAccess/SCADA 8.4.2. The flaw exists in the LogInfoFormat function in BwPAlarm.dll due to improper validation of user-supplied data before copying it to a fixed-size stack-based buffer when processing an IOCTL 70533 RPC message:

.text:0700674C ioctl_70533:                       ; CODE XREF: _BwRPCPAlarmService+2F4B↑j
.text:0700674C                                    ; DATA XREF: .text:jpt_700672B↓o
.text:0700674C      mov     edi, [ebp+arg_pInbuf] ; jumptable 0700672B case 10533
.text:0700674F      mov     [ebp+arg_pOutbuf], esi
.text:07006752      push    edi
.text:07006753      push    offset `string'       ; "BwRpcP_KernelShutdown : %s"
.text:07006758      call    LogInfoFormat(char *,...)
[...]
[...]
[...]
.text:07023E40 void __cdecl LogInfoFormat(char *, ...) proc near
.text:07023E40                                    ; CODE XREF: _BwRPCPAlarmService+2F78↑p
.text:07023E40                                    ; _BwRPCPAlarmService+30FD↑p
.text:07023E40
.text:07023E40 sbuf = byte ptr -800h
.text:07023E40 Format= dword ptr  4
.text:07023E40 Args = byte ptr  8
.text:07023E40
.text:07023E40      mov     ecx, [esp+Format]
.text:07023E44      sub     esp, 800h
.text:07023E4A      lea     eax, [esp+800h+Args]  ; attacker-supplied data; the format
.text:07023E4A                                    ; string can contain %s, so the data
.text:07023E4A                                    ; can overflow the fixed_size,
.text:07023E4A                                    ; 0x800-byte stack buffer.
.text:07023E51      lea     edx, [esp+800h+sbuf]  ; 0x800-byte stack buffer
.text:07023E55      push    eax
.text:07023E56      push    ecx
.text:07023E57      push    edx
.text:07023E58      call    _vsprintf

Here an unauthenticated, remote attacker can send a large amount of data to overflow a 0x800-byte stack buffer via the vsprintf function.
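The root cause above is a classic unbounded vsprintf into a fixed 0x800-byte stack buffer whose %s argument is attacker-controlled. The following C example is added here for illustration and is not Advantech's code: it shows the hardened shape of such a logging helper (vsnprintf bounded by the buffer size, with the return value used to detect that the message would not have fit), plus a small driver that demonstrates the buffer staying bounded and NUL-terminated for an oversized argument. The function names, the format string reuse and the constructed 'A' padding are assumptions for the demonstration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same fixed buffer size as the stack buffer in the disassembly (0x800). */
#define LOG_BUF_SIZE 0x800

/*
 * Hardened replacement for a LogInfoFormat-style helper (hypothetical name).
 * Unlike vsprintf, vsnprintf never writes more than out_size bytes and always
 * NUL-terminates when out_size > 0. The return value is the length the full
 * message would have had, so the caller can detect truncation.
 */
int log_info_format_safe(char *out, size_t out_size, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int needed = vsnprintf(out, out_size, fmt, ap);
    va_end(ap);
    return needed;
}

/*
 * Formats the page's "BwRpcP_KernelShutdown : %s" message with an argument of
 * arg_len 'A' bytes (constructed input) into a LOG_BUF_SIZE stack buffer and
 * returns the resulting string length. With vsprintf this is exactly the
 * overflow path; with the bounded helper the result is capped at
 * LOG_BUF_SIZE - 1 regardless of arg_len.
 */
size_t formatted_len_for_arg(size_t arg_len)
{
    char *arg = malloc(arg_len + 1);
    if (arg == NULL)
        return 0;
    memset(arg, 'A', arg_len);
    arg[arg_len] = '\0';

    char sbuf[LOG_BUF_SIZE];
    log_info_format_safe(sbuf, sizeof sbuf, "BwRpcP_KernelShutdown : %s", arg);
    free(arg);

    /* strlen is only safe because vsnprintf guaranteed the terminator. */
    return strlen(sbuf);
}

/*
 * Returns 1 if the message for an arg_len-byte argument fits in the fixed
 * buffer, 0 if it would have been truncated (i.e. would have overflowed a
 * vsprintf-backed buffer). A server-side handler should reject or truncate
 * such input before logging it rather than trusting the wire length.
 */
int message_fits(size_t arg_len)
{
    char *arg = malloc(arg_len + 1);
    if (arg == NULL)
        return 0;
    memset(arg, 'A', arg_len);
    arg[arg_len] = '\0';

    char sbuf[LOG_BUF_SIZE];
    int needed = log_info_format_safe(sbuf, sizeof sbuf,
                                      "BwRpcP_KernelShutdown : %s", arg);
    free(arg);
    return needed >= 0 && (size_t)needed < sizeof sbuf;
}

int main(void)
{
    printf("5-byte arg: len=%zu fits=%d\n",
           formatted_len_for_arg(5), message_fits(5));
    printf("0x1000-byte arg: len=%zu fits=%d\n",
           formatted_len_for_arg(0x1000), message_fits(0x1000));
    return 0;
}
```

The fixed prefix "BwRpcP_KernelShutdown : " is 24 bytes, so a 5-byte argument yields a 29-character message that fits, while a 0x1000-byte argument is capped at 2047 characters and reported as not fitting instead of smashing the stack.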

Exception and exploitability as shown in WinDbg:

0:007> g
ModLoad: 005e0000 005f0000   C:\WebAccess\Node\viewsrv.dll
(de0.c44): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=00000000 ecx=01e16fb8 edx=01e01b4c esi=00000000 edi=00892760
eip=41414141 esp=0298eae8 ebp=0298f730 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
41414141 ??              ???
0:007> kb
 # ChildEBP RetAddr  Args to Child              
WARNING: Frame IP not in any known module. Following frames may be wrong.
00 0298eae4 41414141 41414141 41414141 41414141 0x41414141
01 0298f730 00404a4e 00002925 00000900 00892760 0x41414141
02 0298f9cc 00402c75 00878fd8 02c920f0 00011385 webvrpcs+0x4a4e
03 0298fa18 00401198 00878fd8 02c920f0 00011385 webvrpcs+0x2c75
04 0298fb44 778e5fda 0087909c d0b9292e 0087f628 webvrpcs+0x1198
05 0298fb7c 778e647b 00401000 0087909c 0298fc20 RPCRT4!DispatchToStubInCNoAvrf+0x46
06 0298fbd4 778e6355 00000000 00000000 00000000 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x158
07 0298fbf8 77927e6d 0087909c 00000000 00000000 RPCRT4!RPC_INTERFACE::DispatchToStub+0x90
08 0298fc84 779281bc 00000000 00878fd8 00879054 RPCRT4!OSF_SCALL::DispatchHelper+0x23f
09 0298fc98 77928401 00000000 00892738 00878fd8 RPCRT4!OSF_SCALL::DispatchRPCCall+0xf5
0a 0298fcc4 779289a0 00892738 0300092c 00000001 RPCRT4!OSF_SCALL::ProcessReceivedPDU+0x223
0b 0298fce4 77928b9c 00892738 0000092c 0000000c RPCRT4!OSF_SCALL::BeginRpcCall+0x123
0c 0298fd40 7793747f 00000000 00892738 0000092c RPCRT4!OSF_SCONNECTION::ProcessReceiveComplete+0x1e1
0d 0298fd54 7794bf8f 00895890 0000000c 00000000 RPCRT4!ProcessConnectionServerReceivedEvent+0x1c
0e 0298fd78 7794c188 00895890 0000000c 00000000 RPCRT4!DispatchIOHelper+0x46
0f 0298fdb0 75af818c 0000052c 00000000 0087e058 RPCRT4!CO_ConnectionThreadPoolCallback+0x120
10 0298fdd4 77df4cd6 0298fe74 00872370 0087e058 KERNELBASE!BasepTpIoCallback+0x2f
11 0298fe30 77dcfb5b 0298fe74 008603e8 0087e058 ntdll!TppIopExecuteCallback+0x1c5
12 0298ff88 758d343d 008725b0 0298ffd4 77db9832 ntdll!TppWorkerThread+0x594
13 0298ff94 77db9832 008725b0 75606122 00000000 kernel32!BaseThreadInitThunk+0xe
14 0298ffd4 77db9805 77dd04bc 008725b0 ffffffff ntdll!__RtlUserThreadStart+0x70
15 0298ffec 00000000 77dd04bc 008725b0 00000000 ntdll!_RtlUserThreadStart+0x1b
0:007> .load msec.dll
0:007> !exploitable

!exploitable 1.6.0.0
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Data Execution Prevention Violation starting at Unknown Symbol @ 0x0000000041414141 called from webvrpcs+0x0000000000004a4e (Hash=0xdd0ef56a.0xbb1bd46e)

User mode DEP access violations are exploitable.

Solution

Upgrade to WebAccess/SCADA 8.4.3.

Disclosure Timeline

09/16/2019 - Vulnerability discovered
10/16/2019 - Disclosed to [email protected]. The 90-day deadline is Jan 14, 2020.
10/17/2019 - Advantech acknowledges.
11/01/2019 - Advantech advises Tenable that they are releasing on Nov. 8, 2019.
12/03/2019 - Tenable confirms the fix in 8.4.3.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

CVE ID: CVE-2019-3951
Tenable Advisory ID: TRA-2019-52
CVSSv2 Base / Temporal Score: 10.0 / 7.8
CVSSv2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Affected Products: Advantech WebAccess/SCADA 8.4.2
Risk Factor: Critical

Advisory Timeline

12/11/2019 - [R1] Initial Release
