Advisory Details

June 21st, 2017

(0Day) UCanCode E-XD++ Visualization Enterprise Suite UCCSIMPLE PositionShape Untrusted Pointer Dereference Remote Code Execution Vulnerability

ZDI-17-427
ZDI-CAN-3896

CVE ID
CVSS SCORE 6.8, AV:N/AC:M/Au:N/C:P/I:P/A:P
AFFECTED VENDORS UCanCode
AFFECTED PRODUCTS E-XD++ Visualization Enterprise Suite
TREND MICRO CUSTOMER PROTECTION Trend Micro TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID ['25355']. For further product information on the TippingPoint IPS: http://www.tippingpoint.com
VULNERABILITY DETAILS


This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of UCanCode E-XD++ Visualization Enterprise Suite. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within processing of the PositionShape method within the UCCSIMPLE.UCCSIMPLECtrl.1 ActiveX control. The process does not properly validate a user-supplied value prior to dereferencing it as a pointer. An attacker can leverage this vulnerability to execute arbitrary code under the context of the current process.

ADDITIONAL DETAILS


This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.

08/17/16 - ZDI disclosed the vulnerability reports to ICS-CERT.
08/18/16 - ICS-CERT responded with acknowledgement of receipt of the reports and an ICS-VU#, ICS-VU-763693.
06/02/17 - ZDI requested the status of these reports.
06/02/17 - ICS-CERT responded that: "We have not been able to make contact with anyone from this company. We have tried many times, but have never received any response back."
06/02/17 - ZDI replied that we are "moving these to 0-day later this month."

-- Mitigation:
The killbit can be set on this control to disable scripting within Internet Explorer by modifying the data value of the Compatibility Flags DWORD within the following location in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\EF3AAE34-E60A-11E1-9656-00FF8A2F9C5B
If the Compatibility Flags value is set to 0x00000400, the control can no longer be instantiated inside the browser.
For more information, please see: http://support.microsoft.com/kb/240797


DISCLOSURE TIMELINE
  • 2016-08-17 - Vulnerability reported to vendor
  • 2017-06-21 - Coordinated public release of advisory
CREDIT rgod
BACK TO ADVISORIES