This module exploits an integer overflow in TeeChart Pro ActiveX control. When
sending an overly large/negative integer value to the AddSeries() property of
TeeChart2010.ocx, the code will perform an arithmetic operation that wraps the
value and is later directly trusted and called upon.
This module has been designed to bypass DEP only under IE8 with Java support. Multiple
versions (including the latest version) are affected by this vulnerability that date
back to as far as 2001.
The following controls are vulnerable:
TeeChart5.ocx Version 184.108.40.206 (clsid: B6C10489-FB89-11D4-93C9-006008A7EED4);
TeeChart6.ocx Version 220.127.116.11 (clsid: 536600D3-70FE-4C50-92FB-640F6BFC49AD);
TeeChart7.ocx Version 18.104.22.168 (clsid: FAB9B41C-87D6-474D-AB7E-F07D78F2422E);
TeeChart8.ocx Version 22.214.171.124 (clsid: BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196);
TeeChart2010.ocx Version 2010.0.0.3 (clsid: FCB4B50A-E3F1-4174-BD18-54C3B3287258).
The controls are deployed under several SCADA based systems including:
Unitronics OPC server v1.3;
BACnet Operator Workstation Version 1.0.76
- mr_me <firstname.lastname@example.org>
- sinn3r <email@example.com>