BlueControl 3.5 SR5 Insecure Library Loading Arbitrary Code Execution
Title: BlueControl 3.5 SR5 Insecure Library Loading Arbitrary Code Execution
Advisory ID: ZSL-2016-5296
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 19.01.2016
Microsoft Windows 7 Professional SP1 (EN)
[2] https://cxsecurity.com/issue/WLB-2016010116
[3] https://packetstormsecurity.com/files/135316
[4] https://secunia.com/advisories/68412/
[21.01.2016] - Added reference [1], [2] and [3]
[05.02.2016] - Added reference [4]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2016-5296
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 19.01.2016
Summary
Engineering Tool for West Pro Series of controllers (KS20-1, KS92-1, TB40-1, KS800, KS816, Dig280-1, KS vario, CI45, KS45, SG45, TB45, RL400, Pro96, CAL4600).Description
BlueControl suffers from a DLL Hijacking issue. The vulnerability is caused due to the application loading libraries (sortserver2003compat.dll, sxs.dll, cryptsp.dll, rpcrtremote.dll) in an insecure manner. This can be exploited to load arbitrary libraries by tricking a user into opening a related application files (.BCD, .BCL, .BCT, .EDW, .E80) located on a remote WebDAV or SMB share.Vendor
West Control Solutions - http://www.west-cs.comAffected Version
3.5.SR5Tested On
Microsoft Windows 7 Ultimate SP1 (EN)Microsoft Windows 7 Professional SP1 (EN)
Vendor Status
N/APoC
bluecontrol_dllhijack.cCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] https://exchange.xforce.ibmcloud.com/vulnerabilities/109710[2] https://cxsecurity.com/issue/WLB-2016010116
[3] https://packetstormsecurity.com/files/135316
[4] https://secunia.com/advisories/68412/
Changelog
[19.01.2016] - Initial release[21.01.2016] - Added reference [1], [2] and [3]
[05.02.2016] - Added reference [4]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
