Advisory Details

January 8th, 2016

(0Day) Proface GP-Pro EX D-Script Heap Buffer Overflow Remote Code Execution Vulnerability

ZDI-16-006
ZDI-CAN-2990

CVE ID
CVSS SCORE 6.8, (AV:N/AC:M/Au:N/C:P/I:P/A:P)
AFFECTED VENDORS Proface
AFFECTED PRODUCTS GP-Pro EX
TREND MICRO CUSTOMER PROTECTION Trend Micro TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 20070. For further product information on the TippingPoint IPS: http://www.tippingpoint.com
VULNERABILITY DETAILS


This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Proface GP-Pro EX. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the handling of D-Script data by ParseAPI.dll. When processing a malformed file, it is possible to write D-Script data beyond the bounds of a heap buffer. An attacker can leverage this vulnerability to execute arbitrary code under the context of the process.

ADDITIONAL DETAILS


This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.

06/25/2015 - ZDI disclosed 4 cases to ICS-CERT
06/25/2015 - ICS-CERT acknowledged and provided the ZDI an ICS-VU#
10/03/2015 - ZDI asked for an update from ICS-CERT and reminded of the 10/23/2015 due date, asking if a short extension was needed
There was no reply but ZDI granted an extension for the cases.
12/09/2015 - ZDI wrote to ICS-CERT to ask the status and notify of the intent to 0-day the reports at EOY

-- Mitigation:

Given the stated purpose of Proface GP-Pro, and the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application to trusted files.

-- Vendor Response Link:

http://www.schneider-electric.com/ww/en/download/document/SEVD-2016-074-01


DISCLOSURE TIMELINE
  • 2015-06-25 - Vulnerability reported to vendor
  • 2016-01-08 - Coordinated public release of advisory
CREDIT Steven Seeley of Source Incite
BACK TO ADVISORIES