TippingPoint Zero Day Initiative
 

(0Day) UCanCode E-XD++ Visualization Enterprise Suite UCCDRAW AddBoolUserProperty Untrusted Pointer Dereference Remote Code Execution Vulnerability

ZDI-17-430: June 21st, 2017

CVSS Score

Affected Vendors

    UCanCode

Affected Products

    E-XD++ Visualization Enterprise Suite

TippingPoint™ IPS Customer Protection

TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 25352. For further product information on the TippingPoint IPS:

Vulnerability Details


This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of UCanCode E-XD++ Visualization Enterprise Suite. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within processing of the AddBoolUserProperty method within the UCCDRAW.UCCDrawCtrl.1 ActiveX control. The process does not properly validate a user-supplied value prior to dereferencing it as a pointer. An attacker can leverage this vulnerability to execute arbitrary code under the context of the current process.

Vendor Response

UCanCode states:


This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.

08/17/16 - ZDI disclosed the vulnerability reports to ICS-CERT.
08/18/16 - ICS-CERT responded with acknowledgement of receipt of the reports and an ICS-VU#, ICS-VU-763693.
06/02/17 - ZDI requested the status of these reports.
06/02/17 - ICS-CERT responded that: "We have not been able to make contact with anyone from this company. We have tried many times, but have never received any response back."
06/02/17 - ZDI replied that we are "moving these to 0-day later this month."

-- Mitigation:
The killbit can be set on this control to disable scripting within Internet Explorer by modifying the data value of the Compatibility Flags DWORD within the following location in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7
If the Compatibility Flags value is set to 0x00000400, the control can no longer be instantiated inside the browser.
For more information, please see: http://support.microsoft.com/kb/240797


Disclosure Timeline

    2016-08-17 - Vulnerability reported to vendor
    2017-06-21 - Coordinated public release of advisory

Credit

This vulnerability was discovered by:
    Ariele Caltabiano (kimiya)