CVE-2014-100015
Published 2015-01-13
Priority: P2 · 62 · medium · 6.4 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:P
EXPLOIT
EPSS: 57.37% (99.0th percentile)
Directory traversal vulnerability in pdmwService.exe in SolidWorks Workgroup PDM 2014 allows remote attackers to write to arbitrary files via a .. (dot dot) in the filename in a file upload.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| solidworks | product_data_management | — | — |
Detection & IOCs
bytes:
\x2E\x00\x2E\x00\x5C\x00\x2E\x00\x2E\x00\x5C\x00\x74\x00\x65\x00\x73\x00\x74\x00
- Detect exploit traffic by matching the 4-byte opcode \xD0\x07\x00\x00 at the start of a TCP stream on port 30000, followed by a filename field containing null-byte-padded dot-dot sequences (..\) indicating directory traversal.
- Monitor port 30000/TCP for inbound connections to pdmwService.exe; any file upload request containing '..' (dot dot) in the filename field is indicative of exploitation.
- Alert on unexpected .exe or .mof files written to the Windows Startup folder for all users or to \WINDOWS\system32\wbem\mof\ by pdmwService.exe, as these are the payload delivery paths used by the Metasploit module.
- The Metasploit module uses a traversal depth of 10 (default) '..\' sequences in the filename; network signatures should account for repeated null-byte-padded '..\' patterns in the filename field of the protocol.
- Every character in the filename is followed by 0x00 (UTF-16LE encoding); detection should parse the filename field as wide-character strings when inspecting for traversal sequences.
- The exploit targets port 30000/TCP by default; ensure network monitoring covers this non-standard port on hosts running pdmwService.exe.
- The traversal depth is configurable in the Metasploit module (default 10); signatures relying on a fixed number of '..\' repetitions may miss exploitation attempts using non-default depths.
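The checks listed above, combined into one stream inspector. This is an added example, not code from the page's sources: it matches any number of wide-character '..\' units rather than a fixed depth. Because the page does not describe the request layout, it scans everything after the opcode instead of a fixed offset; the function names, the forward-slash variant and the drop-path hints are assumptions.

```python
import re

OPCODE = b"\xD0\x07\x00\x00"      # opcode quoted on this page
PDM_PORT = 30000                  # pdmwService.exe port per this page
# One or more UTF-16LE "..\" (or "../", an added generalization) units
TRAVERSAL = re.compile(rb"(?:\x2E\x00\x2E\x00[\x5C\x2F]\x00)+")
# Assumed substrings for the drop locations named on this page
DROP_HINTS = ("\\wbem\\mof\\", "\\startup\\")


def wide_string(buf, start):
    """Decode UTF-16LE from start up to a wide NUL or the end of the buffer."""
    end = start
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[start:end].decode("utf-16-le", errors="replace")


def inspect_stream(dst_port, payload):
    """Return a finding dict for a traversal upload, or None if nothing matches."""
    if dst_port != PDM_PORT or not payload.startswith(OPCODE):
        return None
    match = TRAVERSAL.search(payload, len(OPCODE))
    if match is None:
        return None
    name = wide_string(payload, match.start())
    lowered = name.lower()
    return {
        "depth": len(match.group()) // 6,          # number of "..\" units seen
        "filename": name,
        "drop_path": any(h in lowered for h in DROP_HINTS),
        "payload_ext": lowered.endswith((".exe", ".mof")),
    }


# Constructed samples: 4 filler bytes stand in for header fields whose layout
# this page does not describe. IOC is the byte string quoted on this page.
FILLER = b"\x00\x00\x00\x00"
IOC = b"\x2E\x00\x2E\x00\x5C\x00\x2E\x00\x2E\x00\x5C\x00\x74\x00\x65\x00\x73\x00\x74\x00"
SAMPLES = {
    "page_ioc": OPCODE + FILLER + IOC,
    "depth_3_mof": OPCODE + FILLER + ("..\\" * 3 + "WINDOWS\\system32\\wbem\\mof\\x.mof").encode("utf-16-le"),
    "benign": OPCODE + FILLER + "bracket.sldprt".encode("utf-16-le"),
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(label, inspect_stream(PDM_PORT, data))
```

Matching on raw bytes keeps the check independent of field alignment; a sensor that knows the real field offsets should decode the filename field directly instead.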
No detection rules found.
Exploit-DB
SolidWorks Workgroup PDM 2014 - 'pdmwService.exe' Arbitrary File Write (Metasploit)
exploitdb·2014-03-10
---
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write',
'Description' => %q{
This module exploits a remote arbitrary file write vulnerability in
SolidWorks Workgroup PDM 2014 SP2 and prior.
For targets running Windows Vista or newer the payload is written to the
startup folder for all users and executed upon next user logon.
For targets before Windows Vista code execution can be achieved by first
uploading the payload as an exe file, and then upload another mof file,
which schedules WMI to execute the uploaded pay
Exploit-DB
SolidWorks Workgroup PDM 2014 SP2 - Arbitrary File Write
exploitdb·2014-02-22
---
'''
# Title: SolidWorks Workgroup PDM 2014 SP2 Arbitrary File Write Vulnerability
# Date: 2-21-2014
# Author: Mohamed Shetta
Email: mshetta |at| live |dot| com
# Vendor Homepage: http://www.solidworks.com/sw/products/product-data-management/workgroup-pdm.htm
# Tested on: Windows 7
#Vulnerability type: Arbitrary File Write
#Vulnerable file: pdmwService.exe
#PORT: 30000
Software Description:
SolidWorks Workgroup PDM is a PDM tool that allows SolidWorks users operating in teams of 10 members or less to work on designs concurrently. With SolidWorks PDM Workgroup, designers can search, revise, and vault CAD data while maintaining an accurate design history.
Vulnerability Details:
This vulnerability allows remote attackers to w
Metasploit
SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write
metasploit
This module exploits a remote arbitrary file write vulnerability in SolidWorks Workgroup PDM 2014 SP2 and prior. For targets running Windows Vista or newer the payload is written to the startup folder for all users and executed upon next user logon. For targets before Windows Vista code execution can be achieved by first uploading the payload as an exe file, and then upload another mof file, which schedules WMI to execute the uploaded payload. This module has been tested successfully on SolidWorks Workgroup PDM 2011 SP0 on Windows XP SP3 (EN) and Windows 7 SP1 (EN).
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/125361
- http://www.exploit-db.com/exploits/31831
- http://www.exploit-db.com/exploits/32163
- https://exchange.xforce.ibmcloud.com/vulnerabilities/91518