CVE-2014-0750
Published 2014-01-25
Priority P2, 75, high. CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit available
EPSS: 70.22% (99.3th percentile)
Directory traversal vulnerability in gefebt.exe in the WebView CimWeb components in GE Intelligent Platforms Proficy HMI/SCADA - CIMPLICITY through 8.2 SIM 24, and Proficy Process Systems with CIMPLICITY, allows remote attackers to execute arbitrary code via a crafted HTTP request, aka ZDI-CAN-1622.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ge | intelligent_platforms_proficy_hmi_2fscada_cimplicity | <= 8.2 | — |
| ge | intelligent_platforms_proficy_hmi_scada_cimplicity | — | — |
| ge | intelligent_platforms_proficy_hmi_scada_cimplicity | — | — |
| ge | intelligent_platforms_proficy_hmi_scada_cimplicity | — | — |
| ge | intelligent_platforms_proficy_hmi_scada_cimplicity | — | — |
| ge | intelligent_platforms_proficy_hmi_scada_cimplicity | — | — |
| ge | proficy_hmi_scada_cimplicity | >= 4.01 < 8.2 | 8.2 |
| ge | proficy_process_systems_with_cimplicity | — | — |
Detection & IOCs (extracted from sources)
- Detect HTTP requests to /CimWeb/gefebt.exe — a successful response with 'Usage.*gefebt\.exe' in the body indicates a vulnerable/exposed endpoint.
- Monitor for inbound WebDAV PROPFIND and OPTIONS requests to port 80 from the CIMPLICITY server, which indicates the exploit is fetching remote BCL payload files.
- Alert on HTTP requests to /CimWeb/*.bcl — the exploit fetches remotely-hosted BCL files via UNC/WebDAV paths passed to gefebt.exe to achieve code execution.
- Monitor for outbound SMB/WebDAV connections originating from the CIMPLICITY CimWebServer process (gefebt.exe) to external hosts, indicating UNC path traversal exploitation.
- Detect HTTP GET requests to /CimWeb/<random>.exe following BCL execution — this is the final stage where the dropped payload EXE is executed via the WebView server.
- The exploit requires SRVPORT=80 and URIPATH='/' when using the WebDAV delivery method; deviating from these breaks the attack chain.
- If the target host does not have the WebClient service enabled, the attacker must use an external SMB server instead of WebDAV to serve the malicious BCL files.
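The HTTP indicators listed above, combined into one correlation check as an added example (it is not taken from any of the sources this page indexes). The record layout, the server address 10.0.5.20 and the 10-minute window are assumptions, and the sample records are constructed.

```python
import re
from datetime import datetime, timedelta

CIMPLICITY_HOSTS = {"10.0.5.20"}   # assumption: address of the WebView/CimWeb server
WINDOW = timedelta(minutes=10)     # assumption: correlation window

# Constructed sensor records: time, source, destination, method, request target
SAMPLE = """\
2014-03-01T10:00:01 192.0.2.44 10.0.5.20 GET /CimWeb/gefebt.exe
2014-03-01T10:00:02 10.0.5.20 192.0.2.44 OPTIONS /
2014-03-01T10:00:02 10.0.5.20 192.0.2.44 PROPFIND /CimWeb
2014-03-01T10:00:03 10.0.5.20 192.0.2.44 GET /CimWeb/aaaa.bcl
2014-03-01T10:00:05 192.0.2.44 10.0.5.20 GET /CimWeb/bbbb.exe
2014-03-01T11:30:00 10.0.7.8 10.0.5.20 GET /CimWeb/index.html
"""

def classify(src, dst, method, target):
    """Map one HTTP record to an indicator from the list above, or None."""
    path = target.split("?", 1)[0].lower()
    if dst in CIMPLICITY_HOSTS:                      # inbound to the server
        if path == "/cimweb/gefebt.exe":
            return "gefebt_request"
        if method == "GET" and re.fullmatch(r"/cimweb/[^/]+\.exe", path):
            return "exe_request"
    if src in CIMPLICITY_HOSTS:                      # outbound from the server
        if method in ("OPTIONS", "PROPFIND"):
            return "webdav_fetch"
        if re.fullmatch(r"/cimweb/[^/]+\.bcl", path):
            return "bcl_fetch"
    return None

def detect(log_text):
    """Return (stages in order, timestamps where an EXE request follows a fetch)."""
    stages, alerts, last_fetch = [], [], None
    for line in filter(str.strip, log_text.splitlines()):
        ts, src, dst, method, target = line.split()
        when = datetime.fromisoformat(ts)
        stage = classify(src, dst, method.upper(), target)
        if stage is None:
            continue
        stages.append(stage)
        if stage in ("webdav_fetch", "bcl_fetch"):
            last_fetch = when
        elif stage == "exe_request" and last_fetch and when - last_fetch <= WINDOW:
            alerts.append(ts)
    return stages, alerts

if __name__ == "__main__":
    print(detect(SAMPLE))
```

A single `gefebt_request` is worth triage on its own; the returned alert timestamps mark the higher-confidence case where an EXE request under /CimWeb/ follows an outbound WebDAV or BCL fetch from the server.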
CISA ICS
GE Proficy Vulnerabilities
cisa_ics·2018-09-06
ICS Advisory
Last Revised: September 06, 2018
Alert Code: ICSA-14-023-01
## OVERVIEW
Researchers amisto0x07 and Z0mb1E of Zero Day Initiative (ZDI) have identified two vulnerabilities in the General Electric (GE) Proficy human-machine interface/supervisory control and data acquisition (HMI/SCADA) - CIMPLICITY application. GE has released security advisories, GEIP13-05 and GEIP13-06, to inform customers about these vulnerabilities.
These vulnerabilities could be exploited remotely.
## AFFECTED PRODUCTS
The following GE Intelligent Platforms products are affected:
-
GHSA
GHSA-32h5-mfcc-v69p: Directory traversal vulnerability in gefebt
ghsa_unreviewed·2022-05-17
CVE-2014-0750 [HIGH] CWE-22 GHSA-32h5-mfcc-v69p: Directory traversal vulnerability in gefebt
No detection rules found.
Exploit-DB
GE Proficy CIMPLICITY - 'gefebt.exe' Remote Code Execution (Metasploit)
exploitdb·2014-02-28
CVE-2014-0750 GE Proficy CIMPLICITY - 'gefebt.exe' Remote Code Execution (Metasploit)
---
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'GE Proficy CIMPLICITY gefebt.exe Remote Code Execution',
'Description' => %q{
This module abuses the gefebt.exe component in GE Proficy CIMPLICITY, reachable through the
CIMPLICIY CimWebServer. The vulnerable component allows to execute remote BCL files in
shared resources. An attacker can abuse this behaviour to execute a malicious BCL and
drop an arbitrary EXE. The last one can be executed remotely through the WebView server.
This module has been tested successfully in GE Proficy CIMPLICITY 7.5 with the embedded
CimWebServer. This module
Metasploit
GE Proficy CIMPLICITY gefebt.exe Remote Code Execution
metasploit
This module abuses the gefebt.exe component in GE Proficy CIMPLICITY, reachable through the CIMPLICITY CimWebServer. The vulnerable component allows remote BCL files in shared resources to be executed. An attacker can abuse this behavior to execute a malicious BCL and drop an arbitrary EXE, which can then be executed remotely through the WebView server. This module has been tested successfully in GE Proficy CIMPLICITY 7.5 with the embedded CimWebServer. This module starts a WebDAV server to provide the malicious BCL files. If the target does not have the WebClient service enabled, an external SMB service is necessary.
No writeups or analysis indexed.
- http://support.ge-ip.com/support/index?page=kbchannel&id=KB15939
- http://www.securityfocus.com/bid/65124
- https://www.cisa.gov/news-events/ics-advisories/icsa-14-023-01
- http://ics-cert.us-cert.gov/advisories/ICSA-14-023-01