CVE-2014-2364
Published 2014-07-19
Priority: P2 · 65 · high · CVSS 2.0: 7.5 (vector AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available · EPSS 61.38% (99.1th percentile)
Multiple stack-based buffer overflows in Advantech WebAccess before 7.2 allow remote attackers to execute arbitrary code via a long string in the (1) ProjectName, (2) SetParameter, (3) NodeName, (4) CCDParameter, (5) SetColor, (6) AlarmImage, (7) GetParameter, (8) GetColor, (9) ServerResponse, (10) SetBaud, or (11) IPAddress parameter to an ActiveX control in (a) webvact.ocx, (b) dvs.ocx, or (c) webdact.ocx.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| advantech | advantech_webaccess | <= 7.1 | — |
| advantech | advantech_webaccess | — | — |
| advantech | advantech_webaccess | — | — |
| advantech | advantech_webaccess | — | — |
| advantech | webaccess | <= 7.1 | — |
| gnu | bash | >= 0 < 4.3-7ubuntu1.5 | 4.3-7ubuntu1.5 |
Detection & IOCs (extracted from sources)
- bytes: `\x81\xc4\x9c\xff\xff\xff`
- bytes: `\x64\xa1\x18\x00\x00\x00\x83\xC0\x08\x8b\x20\x81\xC4\x30\xF8\xFF\xFF`
- Detect ActiveX instantiation of the dvs.ocx control by its CLSID {5CE92A27-9F6A-11D2-9D3D-000001155641} followed by a call to the GetColor method with an oversized string argument (61 bytes of padding before the ROP chain).
- Monitor for the stack-pivot shellcode prepend sequence 0x81 0xC4 0x9C 0xFF 0xFF 0xFF (add esp, -100) in browser process memory or network payloads, indicative of the exploit encoder stub.
- Alert on ROP gadgets sourced from ijl11.dll (base 0x60010000 range) being chained in heap/stack memory of iexplore.exe, particularly addresses 0x6001f1c8, 0x60012288, 0x6002157e, 0x60022b97, 0x60024ea4, 0x60029f6c, 0x600250c8, 0x60018399.
- Detect HTTP responses containing the CLSID string '5CE92A27-9F6A-11D2-9D3D-000001155641' combined with a JavaScript call to GetColor with a long alphanumeric string argument (>61 chars), delivered with a 'Pragma: no-cache' header.
- Flag authentication bypass attempts against Advantech WebAccess where HTTP cookies contain user, proj and scada parameters with bwuser=true, targeting pages under broadweb/include/gChkCook.asp.
- Monitor for post-exploitation process migration activity (migrate -f) spawned from iexplore.exe, consistent with the Metasploit module's InitialAutoRunScript.
- The exploit targets Internet Explorer (MSIE user-agent) on Windows; alert on IE processes loading dvs.ocx, webvact.ocx or webdact.ocx from non-standard paths.
- The Metasploit ROP chain uses gadgets specifically from ijl11.dll version 1.1.2.16; the exploit will fail against targets with a different version of this DLL, limiting reliable exploitation to specific patch levels.
- The exploit payload's bad characters exclude null bytes, newlines, carriage returns and backslashes (\x00\x0a\x0d\x5c), so any detection or emulation must account for encoded payloads that avoid these bytes.
- The module was tested only on Windows XP SP3 with IE6 and Windows 7 SP1 with IE8/IE9; reliability on other OS/browser combinations is unconfirmed.
- Affected versions are Advantech WebAccess v7.1 and earlier; v7.2 (released June 6, 2014) removes or patches the vulnerable ActiveX components, so detections targeting the OCX files are only relevant on unpatched deployments.
CVSS provenance
- nvd: CVSS v2.0 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
- osv: 10.0 CRITICAL
GHSA
GHSA-wc68-m5j4-wxr7 (ghsa_unreviewed · 2022-05-17 · CVE-2014-2364 · HIGH · CWE-119): Multiple stack-based buffer overflows in Advantech WebAccess before 7
Multiple stack-based buffer overflows in Advantech WebAccess before 7.2 allow remote attackers to execute arbitrary code via a long string in the (1) ProjectName, (2) SetParameter, (3) NodeName, (4) CCDParameter, (5) SetColor, (6) AlarmImage, (7) GetParameter, (8) GetColor, (9) ServerResponse, (10) SetBaud, or (11) IPAddress parameter to an ActiveX control in (a) webvact.ocx, (b) dvs.ocx, or (c) webdact.ocx.
OSV
CVE-2014-6277 bash vulnerabilities (osv · 2014-10-09 · CVSS 10.0)
Michal Zalewski discovered that Bash incorrectly handled parsing certain function definitions. If an attacker were able to create an environment variable containing a function definition with a very specific name, these issues could possibly be used to bypass certain environment restrictions and execute arbitrary code. (CVE-2014-6277, CVE-2014-6278)
Please note that the previous Bash security update, USN-2364-1, includes a hardening measure that prevents these issues from being used in a Shellshock attack.
CISA ICS
Advantech WebAccess Vulnerabilities (cisa_ics · 2018-09-06)
Archived content: in an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory ICSA-14-198-02, last revised September 06, 2018
## OVERVIEW
NCCIC/ICS-CERT received a report from the Zero Day Initiative (ZDI) concerning vulnerabilities affecting the Advantech WebAccess application. These vulnerabilities were reported to ZDI by security researchers Dave Weinstein, Tom Gallagher, John Leitch, and others. Advantech has produced an updated software version that mitigates these vulnerabilities.
These vulnerabilities could be exploited remotely. Exploits that target these vulnerabilities are known to be publicly availab
No detection rules found.
Exploit-DB
Advantech Webaccess - dvs.ocx GetColor Buffer Overflow (Metasploit) (exploitdb · 2014-09-24 · CVE-2014-2364)

```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Advantech WebAccess dvs.ocx GetColor Buffer Overflow',
      'Description'    => %q{
        This module exploits a buffer overflow vulnerability in Advantech WebAccess. The
        vulnerability exists in the dvs.ocx ActiveX control, where a dangerous call to
        sprintf can be reached with user controlled data through the GetColor function.
        This module has been tested successfully on Windows XP SP3 with IE6 and Windows
        7 SP1 with IE8 and IE 9.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',      # Vulnerability discovery
          'juan vazquez'  # Metasploit module
        ],
      'References'
      # The indexed fragment ends here; the remainder of the module is not included on this page.
```
Metasploit
Advantech WebAccess dvs.ocx GetColor Buffer Overflow
This module exploits a buffer overflow vulnerability in Advantech WebAccess. The vulnerability exists in the dvs.ocx ActiveX control, where a dangerous call to sprintf can be reached with user controlled data through the GetColor function. This module has been tested successfully on Windows XP SP3 with IE6 and Windows 7 SP1 with IE8 and IE 9.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/128384/Advantech-WebAccess-dvs.ocx-GetColor-Buffer-Overflow.html
- http://webaccess.advantech.com/
- http://www.securityfocus.com/bid/68714
- https://www.cisa.gov/news-events/ics-advisories/icsa-14-198-02
- http://ics-cert.us-cert.gov/advisories/ICSA-14-198-02