BroadWin WebAccess SCADA Client ActiveX Format String

Added: 12/12/2011
OSVDB: 74897

Background

BroadWin WebAccess is a web-based SCADA reporting and control solution.

Problem

BroadWin WebAccess installs an ActiveX Control in the user's browser. The OcxSpool() function of this control accepts a parameter that is evaluated using a format string. A format string vulnerability exists that allows a malicious website to pass a specially formatted value to this function. This may result in memory corruption and can allow the attacker to control execution on the user's system.

Resolution

The vulnerable ActiveX control may be disabled through Internet Explorer by following these Microsoft instructions. The CLSID for the vulnerable control is 5c2a52bd-2250-4f6b-a4d2-d1d00fcd748c.

References

http://broadwin.com/Client.htm
http://secunia.com/advisories/45820/

Limitations

This exploit has been tested against Broadwin Technology WebAccess Client 7.0 on Windows XP SP3 English (DEP OptIn).

Platforms

Windows

Back to exploit index