Advisory Details

August 30th, 2017

(0Day) UCanCode E-XD++ Visualization Enterprise Suite UCCHMI UpdateShapeGeo Untrusted Pointer Dereference Remote Code Execution Vulnerability

ZDI-17-426
ZDI-CAN-3885

CVE ID
CVSS SCORE 6.8, (AV:N/AC:M/Au:N/C:P/I:P/A:P)
AFFECTED VENDORS UCanCode
AFFECTED PRODUCTS E-XD++ Visualization Enterprise Suite
TIPPINGPOINT™ IPS CUSTOMER PROTECTION TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 25234. For further product information on the TippingPoint IPS: http://www.tippingpoint.com
VULNERABILITY DETAILS


This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of UCanCode E-XD++ Visualization Enterprise Suite. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within processing of the UpdateShapeGeo method within the UCCHMI.UCCHMICtrl.1 ActiveX control. The process does not properly validate a user-supplied value prior to dereferencing it as a pointer. An attacker can leverage this vulnerability to execute arbitrary code under the context of the current process.

VENDOR RESPONSE UCanCode states:


This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.

08/17/16 - ZDI disclosed the vulnerability reports to ICS-CERT.
08/18/16 - ICS-CERT responded with acknowledgement of receipt of the reports and an ICS-VU#, ICS-VU-763693.
06/02/17 - ZDI requested the status of these reports.
06/02/17 - ICS-CERT responded that: "We have not been able to make contact with anyone from this company. We have tried many times, but have never received any response back."
06/02/17 - ZDI replied that we are "moving these to 0-day later this month."

-- Mitigation:
The killbit can be set on this control to disable scripting within Internet Explorer by modifying the data value of the Compatibility Flags DWORD within the following location in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\EDBBC1DC-58B2-4404-85FD-F9B1C05D96EF
If the Compatibility Flags value is set to 0x00000400, the control can no longer be instantiated inside the browser.
For more information, please see: http://support.microsoft.com/kb/240797


DISCLOSURE TIMELINE
  • 2016-08-17 - Vulnerability reported to vendor
  • 2017-08-30 - Coordinated public release of advisory
CREDIT rgod
BACK TO ADVISORIES