CVE-2013-0108
Published 2013-02-24
Priority: P352 · medium · 6.8 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 26.64% (97.8th percentile)
An ActiveX control in HscRemoteDeploy.dll in Honeywell Enterprise Buildings Integrator (EBI) R310, R400.2, R410.1, and R410.2; SymmetrE R310, R410.1, and R410.2; ComfortPoint Open Manager (aka CPO-M) Station R100; and HMIWeb Browser client packages allows remote attackers to execute arbitrary code via a crafted HTML document.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| honeywell | comfortpoint_open_manager_station | — | — |
| honeywell | enterprise_buildings_integrator | — | — |
| honeywell | enterprise_buildings_integrator | — | — |
| honeywell | enterprise_buildings_integrator | — | — |
| honeywell | enterprise_buildings_integrator | — | — |
| honeywell | symmetre | — | — |
| honeywell | symmetre | — | — |
| honeywell | symmetre | — | — |
Detection & IOCs (extracted from sources)
- Detect ActiveX instantiation of HscRemoteDeploy.dll's LaunchInstaller() method being called from a browser context, particularly with a remote URI argument pointing to an .hta file.
- Monitor HTTP responses serving content with Content-Type 'application/hta', especially when preceded by a request to a path matching /SystemDisplays/RemoteInstallWelcome.hta, a pattern used by the Metasploit exploit module.
- Alert on MSIE User-Agent strings in requests for .hta resources; the exploit module explicitly rejects non-MSIE browsers, so MSIE UA + .hta fetch is a strong signal.
- The exploit only works against Internet Explorer; non-MSIE browsers are explicitly rejected by the Metasploit module, limiting the attack surface to IE-based clients.
- Social engineering is required; the attacker must convince the user to visit a malicious site or click a link, reducing the likelihood of successful exploitation.
- HscRemoteDeploy.dll is not used for runtime functions and can be disabled without impacting operations; it is only needed for initial HMIWeb Browser client installation/upgrade.
- A Microsoft kill bit was requested for HscRemoteDeploy.dll; systems using Windows Update may have the DLL automatically disabled via a Microsoft Patch Tuesday security update.
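The three network signals in the list above, applied to proxy log records. This is an added example, not part of the original page or of any vendor tooling. The tab-separated log layout, the sample records and the signal names are constructed for illustration; only the `.hta` path and the `application/hta` content type come from the page.

```python
"""Score proxy log records against the network signals listed for CVE-2013-0108."""
import csv
import io
from urllib.parse import urlsplit

MODULE_PATH = "/SystemDisplays/RemoteInstallWelcome.hta"  # path named on this page

# Constructed sample (assumed layout): time, client, URL, User-Agent, response Content-Type.
SAMPLE_LOG = """\
2013-03-14T09:01:12Z\t10.0.5.21\thttp://203.0.113.7:8080/SystemDisplays/RemoteInstallWelcome.hta\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)\tapplication/hta
2013-03-14T09:02:40Z\t10.0.5.33\thttp://intranet.example/tools/setup.HTA?v=2\tMozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0\tapplication/octet-stream
2013-03-14T09:03:05Z\t10.0.5.21\thttp://intranet.example/index.html\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)\ttext/html; charset=utf-8
2013-03-14T09:04:51Z\t10.0.5.40\thttp://198.51.100.9/a/b.hta\tMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)\tApplication/HTA
"""

def signals(url, user_agent, content_type):
    """Return the set of signal names one request/response pair matches."""
    path = urlsplit(url).path.lower()  # query string is ignored, case is folded
    hits = set()
    if path.endswith(".hta") and "MSIE " in user_agent:
        hits.add("ie_hta_fetch")
    # Content-Type may carry parameters and any letter case.
    if content_type.split(";")[0].strip().lower() == "application/hta":
        hits.add("hta_content_type")
    if path == MODULE_PATH.lower():
        hits.add("module_path")
    return hits

def triage(log_text):
    """Yield (time, client, url, sorted signals) for every record with a hit."""
    reader = csv.reader(io.StringIO(log_text), delimiter="\t", quoting=csv.QUOTE_NONE)
    for row in reader:
        if len(row) != 5:
            continue  # skip malformed lines rather than abort the run
        when, client, url, agent, ctype = row
        hits = signals(url, agent, ctype)
        if hits:
            yield when, client, url, sorted(hits)

if __name__ == "__main__":
    for when, client, url, hits in triage(SAMPLE_LOG):
        print(f"{when} {client} {len(hits)}/3 {','.join(hits)} {url}")
```

A record matching all three signals fits the module's default pattern; records matching only the User-Agent and content-type signals still merit review, since the path is the easiest of the three to change.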
GHSA
GHSA-gqjf-wvw9-g6pm: An ActiveX control in HscRemoteDeploy
ghsa_unreviewed·2022-05-05
CVE-2013-0108 [MEDIUM] CWE-94
CISA ICS
Honeywell EBI, SymmetrE, and ComfortPoint Open Manager Station (Update A)
cisa_ics·2013-02-22
ICS Advisory
Last Revised: September 06, 2018
Alert Code: ICSA-13-053-02A
## Overview
This updated advisory is a follow-up to the original advisory titled ICSA-13-053-02--Honeywell Enterprise Buildings Integrator (EBI), SymmetrE, and ComfortPoint Open Manager Station that was published February 22, 2013, on the ICS-CERT Web page.
This advisory provides mitigation details for a vulnerability that impacts the Honeywell EBI.
Independent researcher Juan Vazquez of Rapid7 privately disclosed an ActiveX vulnerability in the Ho
Exploit-DB
Honeywell HSC Remote Deployer - ActiveX Remote Code Execution (Metasploit)
exploitdb·2013-03-13
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 "Honeywell HSC Remote Deployer ActiveX Remote Code Execution",
'Description' => %q{
This modules exploits a vulnerability found in the Honewell HSC Remote Deployer
ActiveX. This control can be abused by using the LaunchInstaller() function to
execute an arbitrary HTA from a remote location. This module has been tested
successfully with the HSC Remote Deployer ActiveX installed with HoneyWell EBI
R410.1.
},
'License' => M
Metasploit
Honeywell HSC Remote Deployer ActiveX Remote Code Execution
metasploit
This module exploits a vulnerability found in the Honeywell HSC Remote Deployer ActiveX. This control can be abused by using the LaunchInstaller() function to execute an arbitrary HTA from a remote location. This module has been tested successfully with the HSC Remote Deployer ActiveX installed with Honeywell EBI R410.1.