CVE-2014-0773

EUVD-2014-0804

12.04.2014, 04:37

The BWOCXRUN.BwocxrunCtrl.1 control contains a method named 
“CreateProcess.” This method contains validation to ensure an attacker 
cannot run arbitrary command lines. After validation, the values 
supplied in the HTML are passed to the Windows CreateProcessA API.


The validation can be bypassed allowing for running arbitrary command
 lines. The command line can specify running remote files (example: UNC 
command line).


A function exists at offset 100019B0 of bwocxrun.ocx. Inside this 
function, there are 3 calls to strstr to check the contents of the user 
specified command line. If “\setup.exe,” “\bwvbprt.exe,” or 
“\bwvbprtl.exe” are contained in the command line (strstr returns 
nonzero value), the command line passes validation and is then passed to
 CreateProcessA.

Command Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 UNKNOWN	NETWORK	LOW		AV:N/AC:L/Au:N/C:P/I:P/A:P

Base Score

CVSS 3.x

EPSS Score

Percentile: 59%

Affected Products (NVD)

Vendor	Product	Version
advantech	advantech_webaccess	𝑥 ≤ 7.1
advantech	advantech_webaccess	5.0
advantech	advantech_webaccess	6.0
advantech	advantech_webaccess	7.0

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References

http://webaccess.advantech.com/

http://www.securityfocus.com/bid/66740

https://www.cisa.gov/news-events/ics-advisories/icsa-14-079-03

http://ics-cert.us-cert.gov/advisories/ICSA-14-079-03