( , ) (, . `.' ) ('. ', ). , ('. ( ) ( (_,) .`), ) _ _, / _____/ / _ \ ____ ____ _____ \____ \==/ /_\ \ _/ ___\/ _ \ / \ / \/ | \\ \__( <_> ) Y Y \ /______ /\___|__ / \___ >____/|__|_| / \/ \/.-. \/ \/:wq (x.0) '=.|w|.=' _='`"``=. presents.. ICONICS WebHMI ActiveX Stack Overflow Vendor Link: http://www.iconics.com/ PDF: http://www.security-assessment.com/files/documents/advisory/ICONICS_WebHMI.pdf +-----------+ |Description| +-----------+ ICONICS Genesis32 is a suite of OPC, SNMP, BACnet and Web-enabled HMI and SCADA applications. A stack overflow was found in an ActiveX control required by the WebHMI interface. This condition can be used to gain command execution. The affected control is 'GenVersion.dll' and has the ClassID of {CEFF5F48-BD2E-4D10-BAE5-AF729975E223}. This control is marked safe for scripting. +------------+ |Exploitation| +------------+ Exploitation of this vulnerability requires a user with the ActiveX control installed to visit a page containing specially crafted JavaScript. Users can generally be lured to visit web pages via email, instant message or links on the internet. By passing a specially crafted string to the "SetActiveXGUID" method, it is possible to overflow a static buffer and execute arbitrary code on the user's machine with the privileges of the logged on user. Security-Assessment.com constructed a JavaScript ROP exploit as proof of concept. +----------------------------+ |Proof of Concept ROP Exploit| +----------------------------+ ICONICS WEBHMI ACTIVEX BOF ROP XPSP3 +--------+ |Solution| +--------+ ICONICS validated this security issue and updated the WebHMI software product to address this issue. The fix is incorporated in the version 9.22 releases of GENESIS32, GENESIS64 and BizViz. Security-Assessment.com recommends updating to the latest version provided by the vendor. +-----------------------------+ |About Security-Assessment.com| +-----------------------------+ Security-Assessment.com is Australasia's leading team of Information Security consultants specialising in providing high quality Information Security services to clients throughout the Asia Pacific region. Our clients include some of the largest globally recognised companies in areas such as finance, telecommunications, broadcasting, legal and government. Our aim is to provide the very best independent advice and a high level of technical expertise while creating long and lasting professional relationships with our clients.