Advisory Details

August 30th, 2017

(0Day) UCanCode E-XD++ Visualization Enterprise Suite UCCHMI UpdateShapeGeo Untrusted Pointer Dereference Remote Code Execution Vulnerability

ZDI-17-426
ZDI-CAN-3885

CVE ID:
CVSS SCORE: 6.8, AV:N/AC:M/Au:N/C:P/I:P/A:P
AFFECTED VENDORS: UCanCode
AFFECTED PRODUCTS: E-XD++ Visualization Enterprise Suite
TREND MICRO CUSTOMER PROTECTION: Trend Micro TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 25234. For further product information on the TippingPoint IPS: http://www.tippingpoint.com

VULNERABILITY DETAILS


This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of UCanCode E-XD++ Visualization Enterprise Suite. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within processing of the UpdateShapeGeo method within the UCCHMI.UCCHMICtrl.1 ActiveX control. The process does not properly validate a user-supplied value prior to dereferencing it as a pointer. An attacker can leverage this vulnerability to execute arbitrary code under the context of the current process.

ADDITIONAL DETAILS


This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.

08/17/16 - ZDI disclosed the vulnerability reports to ICS-CERT.
08/18/16 - ICS-CERT responded with acknowledgement of receipt of the reports and an ICS-VU#, ICS-VU-763693.
06/02/17 - ZDI requested the status of these reports.
06/02/17 - ICS-CERT responded that: "We have not been able to make contact with anyone from this company. We have tried many times, but have never received any response back."
06/02/17 - ZDI replied that we are "moving these to 0-day later this month."

-- Mitigation:
The killbit can be set on this control to disable scripting within Internet Explorer by modifying the data value of the Compatibility Flags DWORD within the following location in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\EDBBC1DC-58B2-4404-85FD-F9B1C05D96EF
If the Compatibility Flags value is set to 0x00000400, the control can no longer be instantiated inside the browser.
For more information, please see: http://support.microsoft.com/kb/240797
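
The mitigation above as a PowerShell script, added here as an example (it is not part of the ZDI advisory or any vendor guidance). It writes the CLSID in the brace-wrapped form the registry uses for ActiveX Compatibility subkeys, ORs 0x400 into any existing flags rather than overwriting them, and goes beyond the advisory text by also covering the Wow6432Node view that 32-bit Internet Explorer reads on 64-bit Windows. The function and variable names are this example's own.

```powershell
# Added example (not from the advisory). Run from an elevated 64-bit PowerShell prompt.
$Clsid     = '{EDBBC1DC-58B2-4404-85FD-F9B1C05D96EF}'  # CLSID from the advisory, brace-wrapped
$KillBit   = 0x00000400                                 # Compatibility Flags value from the advisory
$ValueName = 'Compatibility Flags'

# Native registry view plus the 32-bit view used by 32-bit IE on 64-bit Windows.
$IeRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer'
)

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$IeRoot)

    $key = Join-Path (Join-Path $IeRoot 'ActiveX Compatibility') $Clsid
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null   # also creates missing parent keys
    }

    # Preserve any flags already present; only add the killbit.
    $existing = Get-ItemProperty -LiteralPath $key -Name $ValueName -ErrorAction SilentlyContinue
    $current  = if ($existing) { $existing.$ValueName } else { 0 }
    $updated  = $current -bor $KillBit

    New-ItemProperty -LiteralPath $key -Name $ValueName -PropertyType DWord `
        -Value $updated -Force | Out-Null

    # Read the value back and report whether the killbit is now in effect.
    $readBack = (Get-ItemProperty -LiteralPath $key -Name $ValueName).$ValueName
    [pscustomobject]@{
        Key        = $key
        Before     = '0x{0:X8}' -f $current
        After      = '0x{0:X8}' -f $readBack
        KillBitSet = (($readBack -band $KillBit) -eq $KillBit)
    }
}

foreach ($root in $IeRoots) {
    if (Test-Path -LiteralPath $root) {         # Wow6432Node is absent on 32-bit Windows
        Set-ActiveXKillBit -IeRoot $root
    }
}
```

Each processed registry view produces one result row; `KillBitSet` should read `True` in every row before the host is treated as mitigated.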


DISCLOSURE TIMELINE
  • 2016-08-17 - Vulnerability reported to vendor
  • 2017-08-30 - Coordinated public release of advisory
CREDIT: rgod