Microsys Promotic Directory Traversal and ActiveX Control Buffer Overflow Vulnerabilities

October 13, 2011

Luigi Auriemma has discovered multiple vulnerabilities in
PROMOTIC, which can be exploited by malicious people to
disclose potentially sensitive information and compromise a
user's system.

1) Input passed via the URL within the "/webdir/" directory
is not properly verified before being used to read files and
can be exploited to disclose arbitrary files via directory
traversal attacks.

2) A boundary error in the "SaveCfg()" method within the
PmTrendViewer ActiveX control can be exploited to cause a
stack-based buffer overflow via an overly long string passed
in the "vCfg" parameter.

3) A boundary error in the "AddTrend()" method within the
PmTrendViewer ActiveX control can be exploited to cause a
heap-based buffer overflow via an overly long string passed
in the "sID" parameter.

Successful exploitation of vulnerabilities #2 and #3 allows
execution of arbitrary code.

The vulnerabilities are confirmed in version 8.1.3. Other
versions may also be affected.
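
For vulnerability #1, a defender can review HTTP access logs for "/webdir/" requests that resolve outside that directory. The following detection sketch is an added example, not part of the original advisory or of PROMOTIC; it assumes Common Log Format access logs (for instance from a proxy in front of the server), and the log lines, addresses and file names are constructed.

```python
import posixpath
import re
from urllib.parse import unquote

WEBDIR = "/webdir/"  # URL prefix named in the advisory
# Assumed log format: Common Log Format request field "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded sequences are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def escapes_webdir(target):
    """True if a /webdir/ request resolves to a path outside /webdir/."""
    # Drop the query string, decode, and treat backslashes as separators.
    path = decode_fully(target.split("?", 1)[0]).replace("\\", "/")
    if not path.lower().startswith(WEBDIR):
        return False  # not a request into the affected directory
    resolved = posixpath.normpath(path)  # collapses "." and ".." segments
    return not (resolved + "/").lower().startswith(WEBDIR)


def flag_traversal(log_lines):
    """Return (line_number, target) for each request that leaves /webdir/."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if match and escapes_webdir(match.group("target")):
            hits.append((number, match.group("target")))
    return hits


# Constructed sample log lines (not taken from the advisory).
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Oct/2011:10:00:01 +0000] "GET /webdir/index.htm HTTP/1.1" 200 512',
    '192.0.2.11 - - [13/Oct/2011:10:00:02 +0000] "GET /webdir/../../example.txt HTTP/1.1" 200 211',
    '192.0.2.11 - - [13/Oct/2011:10:00:03 +0000] "GET /webdir/%2e%2e%5c%2e%2e%5cexample.txt HTTP/1.1" 200 211',
    '192.0.2.11 - - [13/Oct/2011:10:00:04 +0000] "GET /webdir/%252e%252e/%252e%252e/example.txt HTTP/1.1" 404 0',
    '192.0.2.12 - - [13/Oct/2011:10:00:05 +0000] "GET /webdir/img/../style.css HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for number, target in flag_traversal(SAMPLE_LOG):
        print(f"line {number}: {target}")
```

The check resolves the path rather than matching on "..", so a request such as "/webdir/img/../style.css" that stays inside the directory is not flagged.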