2/03/2012

Advantech/Broadwin HMI/SCADA WebAccess (6.x.x, 7.x.x) universal network RPC exploit.

Name: Advantech/Broadwin HMI/SCADA WebAccess universal network RPC exploit.
Vendor: Advantech; Broadwin Technology INC.
Software: Advantech HMI/SCADA WebAccess; Broadwin HMI/SCADA WebAccess.
Affected version: 6.x.x, 7.x.x.
Platform: Windows based.
Type: Remote, Server-Side.
Danger level: High
Initial discovery: 07/16/2011
Status: Unpatched.
CVE: None.
Credits: amisto0x07, Z0mb1E.



[1] Description.


Current implementations of the HMI contain a bug that allows a remote client to use certain system services on the affected system, such as creating files and processes and modifying files. Interaction with the HMI takes place over an RPC interface that allows these system services to be called.

/** iface.idl */
/** webvrpcs.exe::sub_401000 allows system services such as
    fopen, fclose, CreateProcess and file search to be called. It also allows
    interaction with the database by means of internal SQL-based methods
    such as SQLExecute and others. */

void sub_401000 (
    [in] handle_t arg_1,                        /** rpc handle */
    [in] long arg_2,                            /** unique ptr to Connection object in memory of the HMI process */
    [in] long arg_3,                            /** code of operation (file creation etc.) */
    [in] long arg_4,                            /** constant value 1337 */
    [in][ref][size_is(arg_4)] char * arg_5,     /** buffer with parameters for the service */
    [in] long arg_6,                            /** size of the buffer with parameters */
    [out][ref][size_is(arg_6)] char * arg_7,    /** buffer for results */
    [out][ref] long * arg_8                     /** variable for status indication */
);
The routine sub_403E30 is called during request handling. It directs control into viewsrv.dll::VsDaqWebService or into drawsrv.dll::DsDaqWebService. The first routine is called when the client connection type is 0; the second is called when the client connection type is 2. Both routines call the requested system service depending on the operation code. For example, the code (arg_3) must be 0x2779 for a file creation request.

Before viewsrv.dll::VsDaqWebService (or drawsrv.dll::DsDaqWebService) can be called, the client connection object must be created on the HMI by means of the RPC method sub_4017C0. Otherwise these routines are not reached.
/** iface.idl */
/** webvrpcs.exe::sub_4017C0 creates a client connection object and
    returns a unique pointer to the created object */

void sub_4017C0 (
    [in] handle_t arg_1,                    /** rpc handle */
    [in] long arg_2,                        /** client connection object type, must be 0 */
    [out][ref][size_is(4)] char * arg_3,    /** client data (may be empty) */
    [out][ref] long * arg_4                 /** pointer to the created connection object */
);
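The two-step sequence described above (obtain a connection object via sub_4017C0, then invoke sub_401000 with an operation code such as 0x2779) is what a defender would want to spot in RPC monitoring. The following is an added example, not code from the advisory or from the vendor: a small correlator that walks a list of observed call records and reports the clients that completed that sequence with the file-creation code. The record format (RpcCall) and the sample data are constructed assumptions; the advisory describes no logging, so a real deployment would have to extract these fields from captured RPC traffic or from instrumentation of webvrpcs.exe. Only the method names, connection types and operation code are taken from the advisory.

```python
"""
Added example (not part of the original advisory): correlate webvrpcs.exe
RPC calls and flag sessions that created a connection object and then
requested file creation. Record format and sample data are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Values quoted from the advisory above.
OP_CREATE_FILE = 0x2779  # sub_401000 arg_3 for a file creation request
CONN_TYPE_VIEW = 0       # routed to viewsrv.dll::VsDaqWebService
CONN_TYPE_DRAW = 2       # routed to drawsrv.dll::DsDaqWebService


@dataclass
class RpcCall:
    """One observed call to the webvrpcs.exe interface (constructed format, an assumption)."""
    src: str               # client address
    method: str            # "sub_4017C0" or "sub_401000"
    conn_obj: int = 0      # sub_4017C0 arg_4 (out) / sub_401000 arg_2 (in)
    conn_type: int = -1    # sub_4017C0 arg_2
    opcode: int = 0        # sub_401000 arg_3


def find_file_creation(calls: List[RpcCall]) -> List[Tuple[str, int]]:
    """Return (src, conn_obj) pairs where a client first obtained a connection
    object and then asked for file creation through it.

    Calls to sub_401000 that reference a connection object never handed out
    by sub_4017C0 are ignored, because the advisory states the service
    routines are only reached for an existing connection object of type
    0 or 2."""
    live: Dict[Tuple[str, int], int] = {}   # (src, conn_obj) -> connection type
    hits: List[Tuple[str, int]] = []
    for c in calls:
        if c.method == "sub_4017C0":
            live[(c.src, c.conn_obj)] = c.conn_type
        elif c.method == "sub_401000":
            key = (c.src, c.conn_obj)
            if live.get(key) not in (CONN_TYPE_VIEW, CONN_TYPE_DRAW):
                continue
            if c.opcode == OP_CREATE_FILE:
                hits.append(key)
    return hits


# Constructed sample: one complete sequence, one call without a prior
# connection object, and one connection used for a different operation.
SAMPLE_CALLS = [
    RpcCall("10.0.0.5", "sub_4017C0", conn_obj=0x00A31F20, conn_type=0),
    RpcCall("10.0.0.5", "sub_401000", conn_obj=0x00A31F20, opcode=0x2779),
    RpcCall("10.0.0.9", "sub_401000", conn_obj=0x00B00000, opcode=0x2779),
    RpcCall("10.0.0.7", "sub_4017C0", conn_obj=0x00C45000, conn_type=0),
    RpcCall("10.0.0.7", "sub_401000", conn_obj=0x00C45000, opcode=0x1000),
]

if __name__ == "__main__":
    for src, obj in find_file_creation(SAMPLE_CALLS):
        print(f"file creation via connection object {obj:#010x} from {src}")
```

The correlator keys on the connection object pointer because, per the advisory, it is the only link between the two RPC calls; in a real deployment that pointer would have to be recovered from the NDR-encoded arg_4 / arg_2 values of the captured calls.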


[2] Exploit.


Currently the exploit creates an executable file and launches a process on the affected remote system.
Download source codes of exploit.
Password is webaccess.universal.exploit.rar@z%uxp!@#uzstxy!