Microsys Promotic Directory Traversal and ActiveX Control Buffer Overflow Vulnerabilities

October 13, 2011

Luigi Auriemma has discovered multiple vulnerabilities in PROMOTIC, which can be exploited by malicious people to disclose potentially sensitive information and compromise a user's system.

1) Input passed via the URL within the "/webdir/" directory is not properly verified before being used to read files and can be exploited to disclose arbitrary files via directory traversal attacks.

2) A boundary error in the "SaveCfg()" method within the PmTrendViewer ActiveX control can be exploited to cause a stack-based buffer overflow via an overly long string passed in the "vCfg" parameter.

3) A boundary error in the "AddTrend()" method within the PmTrendViewer ActiveX control can be exploited to cause a heap-based buffer overflow via an overly long string passed in the "sID" parameter.

Successful exploitation of vulnerabilities #2 and #3 allows execution of arbitrary code.

The vulnerabilities are confirmed in version 8.1.3. Other versions may also be affected.
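
A defender-side check for issue #1, added here as an illustration and not taken from the advisory or from PROMOTIC: it scans web-server access logs for requests under "/webdir/" whose decoded path climbs above that directory. The Common Log Format layout, the function names and the sample entries are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote

WEBDIR_PREFIX = "/webdir/"  # directory named in the advisory
# Assumed log layout: Common Log Format with a quoted request line.
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[0-9.]+"')

def fully_decode(path, max_rounds=3):
    """Percent-decode repeatedly so double encoding (%252e) is unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_webdir_traversal(request_target):
    """True if the target is under /webdir/ and its '..' segments climb above it."""
    # Drop the query string, decode, and treat Windows backslashes as separators.
    path = fully_decode(request_target.split("?", 1)[0]).replace("\\", "/")
    if not path.lower().startswith(WEBDIR_PREFIX):
        return False
    depth = 0
    for segment in path[len(WEBDIR_PREFIX):].split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:  # walked out of /webdir/
                return True
        else:
            depth += 1
    return False

def scan(lines):
    """Return the request targets in `lines` that attempt to escape /webdir/."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match and is_webdir_traversal(match.group(1)):
            hits.append(match.group(1))
    return hits

SAMPLE_LOG = [  # constructed entries, not real traffic
    '192.0.2.10 - - [13/Oct/2011:10:00:02 +0000] "GET /webdir/img/../index.htm HTTP/1.1" 200 512',
    '192.0.2.77 - - [13/Oct/2011:10:00:05 +0000] "GET /webdir/../../example.txt HTTP/1.1" 200 90',
    '192.0.2.77 - - [13/Oct/2011:10:00:06 +0000] "GET /webdir/..%5c..%5cexample.txt HTTP/1.1" 200 90',
    '192.0.2.77 - - [13/Oct/2011:10:00:07 +0000] "GET /webdir/%252e%252e/example.txt HTTP/1.1" 404 0',
]
print(scan(SAMPLE_LOG))
```

The first sample entry stays inside "/webdir/" and is not reported; the other three are, including the backslash and double-encoded forms.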

ICS-CERT Advisories / Alerts

ICS-ALERT-11-286-01

Vendor Website (includes Patches / Hotfixes)

Promotic Product Info (English)

Exploit Proof-of-Concept

Luigi Auriemma PoC
Attackers can exploit the directory traversal vulnerability via a browser

Common Vulnerability & Exposure (CVE) References

Not available at this time.

Additional Information

Disclosure (Luigi Auriemma)
Open-Source Vulnerability Database #76395
Open-Source Vulnerability Database #76396
Open-Source Vulnerability Database #76397
Secunia Advisory #6430
Secunia Vulnerability Report and Statistics on Promotic 8.x
Secunia Vulnerability Report and Statistics on TrendsView ActiveX Control 1.x

SCADA Issues with MICROSYS (ISSSource)