BlueControl 3.5 SR5 Insecure Library Loading Arbitrary Code Execution

Title: BlueControl 3.5 SR5 Insecure Library Loading Arbitrary Code Execution
Advisory ID: ZSL-2016-5296
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 19.01.2016
Summary
Engineering Tool for West Pro Series of controllers (KS20-1, KS92-1, TB40-1, KS800, KS816, Dig280-1, KS vario, CI45, KS45, SG45, TB45, RL400, Pro96, CAL4600).
Description
BlueControl suffers from a DLL hijacking issue. The vulnerability is caused by the application loading libraries (sortserver2003compat.dll, sxs.dll, cryptsp.dll, rpcrtremote.dll) in an insecure manner. This can be exploited to load arbitrary libraries by tricking a user into opening a related application file (.BCD, .BCL, .BCT, .EDW, .E80) located on a remote WebDAV or SMB share.
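
Detection logic for the loading behaviour described above, added here as an example and not part of the original advisory: it scans image-load records for the four named DLLs being loaded from a UNC path (SMB or WebDAV) or from any directory outside the Windows system directories. The field names follow Sysmon Event ID 7 (Image, ImageLoaded); the sample events, the process path, the host names and the default C:\Windows location are assumptions.

```python
import ntpath

# DLL names listed in the advisory's description.
ADVISORY_DLLS = {"sortserver2003compat.dll", "sxs.dll", "cryptsp.dll", "rpcrtremote.dll"}

# Assumption: default %SystemRoot% of C:\Windows.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# Constructed sample records; the process path and host names are placeholders.
APP = r"C:\Apps\engineering_tool.exe"
SAMPLE_EVENTS = [
    {"Image": APP, "ImageLoaded": r"C:\Windows\System32\cryptsp.dll"},
    {"Image": APP, "ImageLoaded": r"\\fileserver\projects\sxs.dll"},
    {"Image": APP, "ImageLoaded": r"\\dav.example@80\DavWWWRoot\jobs\rpcrtremote.dll"},
    {"Image": APP, "ImageLoaded": r"C:\Users\op\Downloads\job\sortserver2003compat.dll"},
    {"Image": APP, "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]


def classify_load(event):
    """Return 'remote', 'untrusted-dir' or None for one image-load record."""
    loaded = event["ImageLoaded"]
    if ntpath.basename(loaded).lower() not in ADVISORY_DLLS:
        return None  # not one of the libraries named in the advisory
    if loaded.startswith("\\\\"):
        return "remote"  # UNC path: SMB share or WebDAV redirector
    directory = ntpath.normpath(ntpath.dirname(loaded)).lower()
    for trusted in TRUSTED_DIRS:
        # Exact directory or a real subdirectory, never a look-alike prefix.
        if directory == trusted or directory.startswith(trusted + "\\"):
            return None
    return "untrusted-dir"  # e.g. the folder holding the opened project file


def find_suspicious(events):
    """Return (process image, loaded DLL, verdict) for every flagged load."""
    hits = []
    for event in events:
        verdict = classify_load(event)
        if verdict is not None:
            hits.append((event["Image"], event["ImageLoaded"], verdict))
    return hits


if __name__ == "__main__":
    for image, loaded, verdict in find_suspicious(SAMPLE_EVENTS):
        print(f"{verdict:13} {image} <- {loaded}")
```

Sysmon records these events only when image-load logging is enabled in its configuration.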
Vendor
West Control Solutions - http://www.west-cs.com
Affected Version
3.5.SR5
Tested On
Microsoft Windows 7 Ultimate SP1 (EN)
Microsoft Windows 7 Professional SP1 (EN)
Vendor Status
N/A
PoC
bluecontrol_dllhijack.c
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://exchange.xforce.ibmcloud.com/vulnerabilities/109710
[2] https://cxsecurity.com/issue/WLB-2016010116
[3] https://packetstormsecurity.com/files/135316
[4] https://secunia.com/advisories/68412/
Changelog
[19.01.2016] - Initial release
[21.01.2016] - Added reference [1], [2] and [3]
[05.02.2016] - Added reference [4]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk