CVE-2014-0773 (GCVE-0-2014-0773)
Vulnerability from cvelistv5
Published: 2014-04-12 01:00
Modified: 2025-09-19 19:18
Summary
The BWOCXRUN.BwocxrunCtrl.1 control contains a method named “CreateProcess.” This method contains validation to ensure an attacker cannot run arbitrary command lines. After validation, the values supplied in the HTML are passed to the Windows CreateProcessA API. The validation can be bypassed allowing for running arbitrary command lines. The command line can specify running remote files (example: UNC command line). A function exists at offset 100019B0 of bwocxrun.ocx. Inside this function, there are 3 calls to strstr to check the contents of the user specified command line. If “\setup.exe,” “\bwvbprt.exe,” or “\bwvbprtl.exe” are contained in the command line (strstr returns nonzero value), the command line passes validation and is then passed to CreateProcessA.
Impacted products
Vendor Product Version
Advantech WebAccess Version: 0   <


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T09:27:19.486Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://ics-cert.us-cert.gov/advisories/ICSA-14-079-03"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "WebAccess",
          "vendor": "Advantech",
          "versions": [
            {
              "lessThanOrEqual": "7.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "7.2"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Andrea Micalizzi, aka rgod, Tom Gallagher, and an independent anonymous researcher working with HP\u2019s Zero Day Initiative (ZDI)"
        }
      ],
      "datePublic": "2014-04-08T06:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\n\n\n\n\n\n\n\n\n\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\n\u003cp\u003e\u003c/p\u003e\n\u003cp\u003eThe BWOCXRUN.BwocxrunCtrl.1 control contains a method named \n\u201cCreateProcess.\u201d This method contains validation to ensure an attacker \ncannot run arbitrary command lines. After validation, the values \nsupplied in the HTML are passed to the Windows CreateProcessA API.\u003c/p\u003e\n\u003cp\u003eThe validation can be bypassed allowing for running arbitrary command\n lines. The command line can specify running remote files (example: UNC \ncommand line).\u003c/p\u003e\n\u003cp\u003eA function exists at offset 100019B0 of bwocxrun.ocx. Inside this \nfunction, there are 3 calls to strstr to check the contents of the user \nspecified command line. If \u201c\\setup.exe,\u201d \u201c\\bwvbprt.exe,\u201d or \n\u201c\\bwvbprtl.exe\u201d are contained in the command line (strstr returns \nnonzero value), the command line passes validation and is then passed to\n CreateProcessA.\u003c/p\u003e\n\n\u003cp\u003e\u003c/p\u003e\n\n\u003cp\u003e\u003c/p\u003e\n\n\u003cp\u003e\u003c/p\u003e"
            }
          ],
          "value": "The BWOCXRUN.BwocxrunCtrl.1 control contains a method named \n\u201cCreateProcess.\u201d This method contains validation to ensure an attacker \ncannot run arbitrary command lines. After validation, the values \nsupplied in the HTML are passed to the Windows CreateProcessA API.\n\n\nThe validation can be bypassed allowing for running arbitrary command\n lines. The command line can specify running remote files (example: UNC \ncommand line).\n\n\nA function exists at offset 100019B0 of bwocxrun.ocx. Inside this \nfunction, there are 3 calls to strstr to check the contents of the user \nspecified command line. If \u201c\\setup.exe,\u201d \u201c\\bwvbprt.exe,\u201d or \n\u201c\\bwvbprtl.exe\u201d are contained in the command line (strstr returns \nnonzero value), the command line passes validation and is then passed to\n CreateProcessA."
        }
      ],
      "metrics": [
        {
          "cvssV2_0": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-77",
              "description": "CWE-77",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-19T19:18:06.695Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-14-079-03"
        },
        {
          "name": "66740",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/66740"
        },
        {
          "url": "http://webaccess.advantech.com/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAdvantech has created a new version (Version 7.2) that mitigates each\n of the vulnerabilities described above. Users may download this version\n from the following location at their web site:\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://webaccess.advantech.com/downloads.php?item=software\"\u003ehttp://webaccess.advantech.com/downloads.php?item=software\u003c/a\u003e\u003c/p\u003e\u003cp\u003eFor additional information about WebAccess, please visit the following Advantech web site:\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://webaccess.advantech.com/\"\u003ehttp://webaccess.advantech.com/\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "Advantech has created a new version (Version 7.2) that mitigates each\n of the vulnerabilities described above. Users may download this version\n from the following location at their web site:\u00a0 http://webaccess.advantech.com/downloads.php?item=software \n\nFor additional information about WebAccess, please visit the following Advantech web site:\u00a0 http://webaccess.advantech.com/"
        }
      ],
      "source": {
        "advisory": "ICSA-14-079-03",
        "discovery": "EXTERNAL"
      },
      "title": "Advantech WebAccess Command Injection",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2014-0763",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Multiple SQL injection vulnerabilities in DBVisitor.dll in Advantech WebAccess before 7.2 allow remote attackers to execute arbitrary SQL commands via SOAP requests to unspecified functions."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://ics-cert.us-cert.gov/advisories/ICSA-14-079-03",
              "refsource": "MISC",
              "url": "http://ics-cert.us-cert.gov/advisories/ICSA-14-079-03"
            },
            {
              "name": "66740",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/66740"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2014-0773",
    "datePublished": "2014-04-12T01:00:00",
    "dateReserved": "2014-01-02T00:00:00",
    "dateUpdated": "2025-09-19T19:18:06.695Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2014-0773\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2014-04-12T04:37:31.707\",\"lastModified\":\"2025-09-19T20:15:38.027\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The BWOCXRUN.BwocxrunCtrl.1 control contains a method named \\n\u201cCreateProcess.\u201d This method contains validation to ensure an attacker \\ncannot run arbitrary command lines. After validation, the values \\nsupplied in the HTML are passed to the Windows CreateProcessA API.\\n\\n\\nThe validation can be bypassed allowing for running arbitrary command\\n lines. The command line can specify running remote files (example: UNC \\ncommand line).\\n\\n\\nA function exists at offset 100019B0 of bwocxrun.ocx. Inside this \\nfunction, there are 3 calls to strstr to check the contents of the user \\nspecified command line. If \u201c\\\\setup.exe,\u201d \u201c\\\\bwvbprt.exe,\u201d or \\n\u201c\\\\bwvbprtl.exe\u201d are contained in the command line (strstr returns \\nnonzero value), the command line passes validation and is then passed to\\n CreateProcessA.\"},{\"lang\":\"es\",\"value\":\"El m\u00e9todo CreateProcess en el control BWOCXRUN.BwocxrunCtrl.1 ActiveX en bwocxrun.ocx en Advantech WebAccess anterior a 7.2 permite a atacantes remotos ejecutar programas (1) setup.exe, (2) bwvbprt.exe y (3) bwvbprtl.exe de nombres de rutas arbitrarios a trav\u00e9s de un argumento manipulado, tal y como fue demostrado por un nombre de ruta compartida 
UNC.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-77\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:advantech:advantech_webaccess:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"7.1\",\"matchCriteriaId\":\"3D097D1E-9A02-40B0-93BD-163A11638118\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:advantech:advantech_webaccess:5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"090C819C-5964-4158-80E6-2D4751A5E8BF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:advantech:advantech_webaccess:6.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7CF61F9C-360A-4B70-951D-
8EE9CF6E55FA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:advantech:advantech_webaccess:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1082E1D5-AF49-431F-9172-98C2D2887C96\"}]}]}],\"references\":[{\"url\":\"http://webaccess.advantech.com/\",\"source\":\"ics-cert@hq.dhs.gov\"},{\"url\":\"http://www.securityfocus.com/bid/66740\",\"source\":\"ics-cert@hq.dhs.gov\"},{\"url\":\"https://www.cisa.gov/news-events/ics-advisories/icsa-14-079-03\",\"source\":\"ics-cert@hq.dhs.gov\"},{\"url\":\"http://ics-cert.us-cert.gov/advisories/ICSA-14-079-03\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"US Government Resource\"]}],\"evaluatorComment\":\"CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)\"}}"
  }
}

