module
TeeChart Professional ActiveX Control Trusted Integer Dereference
| Disclosed | Created |
|---|---|
| Aug 11, 2011 | May 30, 2018 |
Disclosed
Aug 11, 2011
Created
May 30, 2018
Description
This module exploits an integer overflow in TeeChart Pro ActiveX control. When
sending an overly large/negative integer value to the AddSeries() property of
TeeChart2010.ocx, the code will perform an arithmetic operation that wraps the
value and is later directly trusted and called upon.
This module has been designed to bypass DEP only under IE8 with Java support. Multiple
versions (including the latest version) are affected by this vulnerability that date
back to as far as 2001.
The following controls are vulnerable:
TeeChart5.ocx Version 5.0.1.0 (clsid: B6C10489-FB89-11D4-93C9-006008A7EED4);
TeeChart6.ocx Version 6.0.0.5 (clsid: 536600D3-70FE-4C50-92FB-640F6BFC49AD);
TeeChart7.ocx Version 7.0.1.4 (clsid: FAB9B41C-87D6-474D-AB7E-F07D78F2422E);
TeeChart8.ocx Version 8.0.0.8 (clsid: BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196);
TeeChart2010.ocx Version 2010.0.0.3 (clsid: FCB4B50A-E3F1-4174-BD18-54C3B3287258).
The controls are deployed under several SCADA based systems including:
Unitronics OPC server v1.3;
BACnet Operator Workstation Version 1.0.76
sending an overly large/negative integer value to the AddSeries() property of
TeeChart2010.ocx, the code will perform an arithmetic operation that wraps the
value and is later directly trusted and called upon.
This module has been designed to bypass DEP only under IE8 with Java support. Multiple
versions (including the latest version) are affected by this vulnerability that date
back to as far as 2001.
The following controls are vulnerable:
TeeChart5.ocx Version 5.0.1.0 (clsid: B6C10489-FB89-11D4-93C9-006008A7EED4);
TeeChart6.ocx Version 6.0.0.5 (clsid: 536600D3-70FE-4C50-92FB-640F6BFC49AD);
TeeChart7.ocx Version 7.0.1.4 (clsid: FAB9B41C-87D6-474D-AB7E-F07D78F2422E);
TeeChart8.ocx Version 8.0.0.8 (clsid: BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196);
TeeChart2010.ocx Version 2010.0.0.3 (clsid: FCB4B50A-E3F1-4174-BD18-54C3B3287258).
The controls are deployed under several SCADA based systems including:
Unitronics OPC server v1.3;
BACnet Operator Workstation Version 1.0.76
Authors
mr_me steventhomasseeley@gmail.com
sinn3r sinn3r@metasploit.com
sinn3r sinn3r@metasploit.com
Platform
Windows
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.