Broadwin WebAccess Client Format String Attack (Sept 8, 2011)


Supervisory Control and Data Acquisition (SCADA) generally refers to industrial control systems: computer systems that monitor and control industrial, infrastructure, or facility-based processes. A SCADA system usually consists of the following subsystems: a human-machine interface (HMI), a supervisory (computer) system, remote terminal units (RTUs) connecting to sensors in the process, programmable logic controllers (PLCs) used as field devices, and communication infrastructure. Broadwin Technology is one of the vendors that manufacture SCADA systems. Browser-based Human-Machine Interface (HMI) and Supervisory Control and Data Acquisition (SCADA) software are two of their main products.

Broadwin’s WebAccess is the client component of their SCADA system. It provides an ActiveX component designed to run in an Internet Explorer (IE) session. The ActiveX control is associated with CLSID “5C2A52BD-2250-4F6B-A4D2-D1D00FCD748C” and ProgID “BWOCXRUN.BwocxrunCtrl.1”. It can be instantiated in a web page using the <object> tag or via scripting. The following example demonstrates how this ActiveX control can be instantiated:

A format string code execution vulnerability exists in Broadwin Technology’s WebAccess client ActiveX component nbwocxrun.ocx. The vulnerability is due to insufficient input validation when handling one of the parameters in calls to the BWOCXRUN.BwocxrunCtrl.1 method. A remote unauthenticated attacker can exploit this vulnerability by enticing a target client to view a crafted HTML document, ASP page, or various other media. Successful exploitation could result in execution of arbitrary code within the security context of the target user.

The SonicWALL UTM team has researched this vulnerability and created the following IPS signature to detect and prevent attacks that target it.

  • 1801 Broadwin WebAccess Client Format String Attack
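
A content check in the spirit of such a signature, as an added example (not SonicWALL's signature and not code from the advisory): it flags HTML that loads the control by the CLSID or ProgID quoted above and also carries printf-style conversion specifiers in a string literal. The sample pages, the method name HypotheticalMethod and the three-specifier threshold are constructed assumptions.

```python
import re

# Identifiers quoted in the advisory text.
CLSID = "5C2A52BD-2250-4F6B-A4D2-D1D00FCD748C"
PROGID = "BWOCXRUN.BwocxrunCtrl.1"

# <object classid="clsid:..."> form, any case, with or without braces.
CLSID_RE = re.compile(r"clsid:\s*\{?" + re.escape(CLSID) + r"\}?", re.I)
# Script form, e.g. new ActiveXObject("<ProgID>").
PROGID_RE = re.compile(re.escape(PROGID), re.I)
# Single-line quoted literals in attributes or script.
STRING_RE = re.compile(r'"([^"\r\n]*)"' + r"|'([^'\r\n]*)'")
# printf-style conversions; "%%" is consumed first so it is never counted.
CONV_RE = re.compile(r"%%|%[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l)?([diouxXsnp])")


def conversions(text):
    """Return the conversion letters of the printf-style specifiers in text."""
    return [m.group(1) for m in CONV_RE.finditer(text) if m.group(1)]


def scan(html, min_specs=3):
    """Heuristic: page loads the control AND a literal looks like a format string.

    min_specs is an assumed threshold; a single %n is always reported.
    """
    loads = []
    if CLSID_RE.search(html):
        loads.append("object-classid")
    if PROGID_RE.search(html):
        loads.append("progid")
    suspicious = []
    if loads:  # specifiers only matter on pages that reference the control
        for m in STRING_RE.finditer(html):
            literal = m.group(1) if m.group(1) is not None else m.group(2)
            specs = conversions(literal)
            if "n" in specs or len(specs) >= min_specs:
                suspicious.append(literal)
    return {"loads_control": loads, "suspicious_strings": suspicious,
            "alert": bool(loads and suspicious)}


# Constructed sample pages (not captured traffic).
BENIGN = '<object classid="clsid:5c2a52bd-2250-4f6b-a4d2-d1d00fcd748c" id="hmi"></object>'
SUSPECT = ('<script>var c = new ActiveXObject("BWOCXRUN.BwocxrunCtrl.1");'
           'c.HypotheticalMethod("%x%x%x%n");</script>')
UNRELATED = '<script>log("%s%s%s%n");</script>'
```

Literals that contain percent-encoded URLs can still produce an occasional match, so treat a hit as a lead for review rather than a verdict.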

This vulnerability has not been assigned a CVE ID.
