Art Systems FluidDraw P5/S5 5.3n Binary Planting Arbitrary Code Execution
Title: Art Systems FluidDraw P5/S5 5.3n Binary Planting Arbitrary Code Execution
Advisory ID: ZSL-2016-5295
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 17.01.2016
Festo AG & Co. KG - https://www.festo.com
FluidDraw P5 Professional 5.3n (5.3.385.0)
Microsoft Windows 7 Professional SP1 (EN)
[05.12.2015] Vendor contacted.
[16.01.2016] No response from the vendor.
[17.01.2016] Public security advisory released.
[2] https://packetstormsecurity.com/files/135307
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/109712
[18.01.2016] - Added reference [1]
[19.01.2016] - Added reference [2]
[21.01.2016] - Added reference [3]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2016-5295
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 17.01.2016
Summary
Fluiddraw enables the creation of electrical and pneumatic circuit diagrams. The tool makes it easier to plan complete systems and implement individual components. Users access the Festo catalogue and their own imported databases and can thus benefit from evaluation functions and created assembly drawings. The software is part of Festo Engineering Tools, which provides users with electronic and continuous support in the entire process, from planning, selection, design and ordering up to delivery and commissioning.Description
FluidDraw suffers from a DLL Hijacking issue. The vulnerability is caused due to the application loading libraries (siappdll.dll) in an insecure manner. This can be exploited to load arbitrary libraries by tricking a user into opening a related application files (.PRJ, .CIRC, .CT, .DXF, .SYM) located on a remote WebDAV or SMB share.Vendor
Art Systems Software GmbH - http://www.art-systems.comFesto AG & Co. KG - https://www.festo.com
Affected Version
FluidDraw S5 Starter 5.3n (5.3.385.0)FluidDraw P5 Professional 5.3n (5.3.385.0)
Tested On
Microsoft Windows 7 Ultimate SP1 (EN)Microsoft Windows 7 Professional SP1 (EN)
Vendor Status
[01.12.2015] Vulnerability discovered.[05.12.2015] Vendor contacted.
[16.01.2016] No response from the vendor.
[17.01.2016] Public security advisory released.
PoC
fluiddraw_dllhijack.cCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] https://cxsecurity.com/issue/WLB-2016010102[2] https://packetstormsecurity.com/files/135307
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/109712
Changelog
[17.01.2016] - Initial release[18.01.2016] - Added reference [1]
[19.01.2016] - Added reference [2]
[21.01.2016] - Added reference [3]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk