Advisory Details

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of WECON LeviStudio. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists in the handling of LeviStudio Project files. By providing an overly long HmiSet Type XML attribute, an attacker can overflow a stack-based buffer and execute arbitrary code in the context of the current process.

This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.

12/07/2015 - ZDI disclosed multiple reports for this vendor to ICS-CERT
12/08/2015 - ICS-CERT acknowledged the reports and provided a single tracking number for all
02/15/2016 - ICS-CERT sent ZDI notification of vendor acknowledgement (on 1/20/2015)
03/01/2016 - ICS-CERT asked about ZDI's 'maturation policy,' in effect, 'would ZDI extend these out to 120-days from vendor acknowledgement?"
03/01/2016 - As ZDI's policy is based on the disclosure date to the vendor, ZDI replied, "they can be extended 60 days to 180 total days... early June."
03/25/2016 - ICS-CERT communicated that the vendor was working on the issue and another requestion from the vendor for extension
03/28/2016 - ZDI replied that June was the maximum allowable extension
04/18/2016 - The vendor, through ICS-CERT, requested ZDI feedback on proposed fix
04/28/2016 - The ZDI replied in the negative, that ZDI did not believe the proposed was a 'fix'
05/31/2016 - ZDI requested an update
06/22/2016 - ZDI notified ICS-CERT of the intention to disclose the reports as 0-day on 6/29/2016
06/27/2016 - ICS-CERT replied with an acknowledgement

-- Mitigation:
Given the stated purpose of WECON LeviStudio, and the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application to trusted files.

• 2015-12-07 - Vulnerability reported to vendor
• 2016-06-29 - Coordinated public release of advisory