CVE-2013-2827
Published 2014-01-15
Priority: P262 · high · CVSS 2.0: 7.5
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 49.23% (98.7th percentile)
An unspecified ActiveX control in WellinTech KingSCADA before 3.1.2, KingAlarm&Event before 3.1, and KingGraphic before 3.1.2 allows remote attackers to download arbitrary DLL code onto a client machine and execute this code via the ProjectURL property value.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wellintech | kingalarm_event | <= 2.0.2 | — |
| wellintech | kinggraphic | <= 3.1 | — |
| wellintech | kingscada | <= 3.1 | — |
Detection & IOCs (extracted from sources)
- Monitor for HTTP requests matching the pattern /libs/*.dll being served from an attacker-controlled web server to KingScada clients. This is the delivery path for the malicious DLL payload in exploit modules targeting this CVE.
- Detect exploitation attempts by monitoring for the kxClientDownload.ocx ActiveX control being instantiated in Internet Explorer (MSIE) or the KingScada client browser (KXCLIE user-agent), especially when the ProjectURL property is set to a remote/external URL.
- Alert on LoadLibrary calls made by the kxClientDownload.ocx control (running inside the browser process) that load DLLs from user-writable or temp directories, which is the mechanism of code execution for this vulnerability.
- Monitor for process migration activity (migrate -f) immediately after browser-based exploitation, as the Metasploit module sets 'migrate -f' as the InitialAutoRunScript to escape the browser process.
- Exploitation only succeeds when Internet Explorer Protected Mode is disabled; detections based on browser process behavior should account for this prerequisite.
- The exploit targets Windows clients running Internet Explorer (MSIE) or the KingScada native client browser (KXCLIE); non-Windows or non-IE environments are not affected by this specific attack vector.
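The first two detection points can be combined into a single proxy-log check. The following is an added example, not taken from any of the indexed sources: it flags /libs/*.dll fetches made by MSIE or KXCLIE clients from hosts outside a trusted list. The log format, the host names and the `TRUSTED_HOSTS` allowlist are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log (not a real capture). Assumed line format:
#   client_ip "METHOD url" status "user-agent"
SAMPLE_LOG = """\
10.20.0.15 "GET http://hmi-portal.plant.example/project/index.html" 200 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
10.20.0.15 "GET http://203.0.113.50/libs/a1b2c3.dll" 200 "KXCLIE"
10.20.0.22 "GET http://scada01.plant.example/libs/kxgraphic.dll" 200 "KXCLIE"
10.20.0.31 "GET http://198.51.100.7/libs/update.DLL?x=1" 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"
10.20.0.40 "GET http://198.51.100.7/libs/readme.txt" 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"
10.20.0.41 "GET http://198.51.100.9/libs/tool.dll" 200 "curl/7.88.1"
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<url>\S+)" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
# Delivery path named on this page: a DLL directly under /libs/.
DLL_PATH_RE = re.compile(r"^/libs/[^/]+\.dll$", re.IGNORECASE)
# Client browsers named on this page.
CLIENT_UA_RE = re.compile(r"MSIE|KXCLIE")
# Assumption: hosts that legitimately serve KingScada projects at your site.
TRUSTED_HOSTS = {"scada01.plant.example", "hmi-portal.plant.example"}


def find_suspicious(log_text, trusted_hosts=TRUSTED_HOSTS):
    """Return (client, host, path) for DLL fetches from untrusted hosts."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        url = urlsplit(m["url"])
        host = (url.hostname or "").lower()
        if (DLL_PATH_RE.match(url.path)
                and CLIENT_UA_RE.search(m["ua"])
                and host not in trusted_hosts):
            hits.append((m["client"], host, url.path))
    return hits


if __name__ == "__main__":
    for client, host, path in find_suspicious(SAMPLE_LOG):
        print(f"ALERT client={client} fetched {path} from untrusted host {host}")
```
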
GHSA
GHSA-mprw-5m59-x962: An unspecified ActiveX control in WellinTech KingSCADA before 3
ghsa_unreviewed·2022-05-17
CVE-2013-2827 [HIGH] CWE-94 GHSA-mprw-5m59-x962: An unspecified ActiveX control in WellinTech KingSCADA before 3
CISA ICS
WellinTech Vulnerabilities
cisa_ics·2018-09-06
ICS Advisory
Last Revised: September 06, 2018
Alert Code: ICSA-13-344-01
## OVERVIEW
This advisory was originally posted to the US-CERT secure Portal library on December 10, 2013, and is now being released to the NCCIC/ICS-CERT Web site.
NCCIC/ICS-CERT received reports from the Zero Day Initiative (ZDI) regarding a remote code execution vulnerability and an information disclosure vulnerability in WellinTech KingSCADA, KingAlarm&Event, and KingGraphic applications. These vulnerabilities were reported to ZDI by security researcher Andrea Micalizzi. WellinTech has produc
No detection rules found.
Exploit-DB
KingScada - kxClientDownload.ocx ActiveX Remote Code Execution (Metasploit)
exploitdb·2014-02-11
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
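class Metasploit3 < Msf::Exploit::Remote
# ... (lines between the class declaration and the module name are missing from this listing)
'Name' => 'KingScada kxClientDownload.ocx ActiveX Remote Code Execution',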
'Description' => %q{
This module abuses the kxClientDownload.ocx ActiveX control distributed with WellingTech KingScada.
The ProjectURL property can be abused to download and load arbitrary DLLs from
arbitrary locations, leading to arbitrary code execution, because of a dangerous
usage of LoadLibrary. Due to the nature of the vulnerability, this module will work
only when Protected Mode is not present or not enabled.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Andrea Micaliz
Metasploit
KingScada kxClientDownload.ocx ActiveX Remote Code Execution
metasploit
This module abuses the kxClientDownload.ocx ActiveX control distributed with WellinTech KingScada. The ProjectURL property can be abused to download and load arbitrary DLLs from arbitrary locations, leading to arbitrary code execution, because of a dangerous usage of LoadLibrary. Due to the nature of the vulnerability, this module will work only when Protected Mode is not present or not enabled.
No writeups or analysis indexed.