Advantech BroadWin WebAccess ActiveX Vulnerability
November 2, 2011
Security research Shahriyar Jalayeri has discovered
additional vulnerabilities in Advantech BroadWin WebAccess Client,
which can be exploited by malicious people to compromise a
user's system. These are in addition to those
previously discovered by Luigi Auriemma as disclosed on
September 2, 2011 and covered in
Multiple ActiveX Vulnerabilities in Advantech
BroadWin WebAccess Client.
1) A format string error in the "OcxSpool()" method
(bwocxrun.ocx) can be exploited to corrupt memory via a
specially crafted string. [Luigi Auriemma]
2) An error in the "WriteTextData()" method (bwocxrun.ocx)
when handling an open file descriptor can be exploited to
corrupt memory by passing an arbitrary integer value in the
"fpt" parameter. [Luigi Auriemma]
3) An error in the "CloseFile()" method (bwocxrun.ocx) when
handling an open file descriptor can be exploited to corrupt
memory by passing an arbitrary integer value in the "fpt"
parameter. [Luigi Auriemma]
Successful exploitation of these vulnerabilities may allow
execution of arbitrary code.
4) The insecure "CreateFile()" method (bwocxrun.ocx) can be
exploited to create arbitrary files in the context of the
currently logged-on user. [Shahriyar Jalayeri]
Successful exploitation of this vulnerability allows
execution of arbitrary code when used together with the
"WriteTextData()" method to create arbitrary content.
The vulnerabilities are confirmed in bwocxrun.ocx version
1.0.0.10 included in WebAccess Client version 7.0. Other
versions may also be affected.