Broadwin WebAccess Client Format String Attack

September 8, 2011

Supervisory Control and Data Acquisition (SCADA) generally refers to industrial control systems: computer systems that monitor and control industrial, infrastructure, or facility-based processes. A SCADA system usually consists of the following subsystems: a human-machine interface (HMI), a supervisory (computer) system, remote terminal units (RTUs) connecting to sensors in the process, programmable logic controllers (PLCs) used as field devices, and the communication infrastructure. Broadwin Technology is one of the vendors that manufacture SCADA systems. Browser-based Human-Machine Interface (HMI) and Supervisory Control and Data Acquisition (SCADA) software are two of their main products.

Broadwin's WebAccess is the client component of their SCADA system. It provides an ActiveX component designed to run in an Internet Explorer (IE) session. The ActiveX control is associated with CLSID "5C2A52BD-2250-4F6B-A4D2-D1D00FCD748C" and ProgID "BWOCXRUN.BwocxrunCtrl.1". It can be instantiated in a web page using the <object> tag or via scripting. The following example demonstrates how this ActiveX control can be instantiated:

A format string code execution vulnerability exists in Broadwin Technology's WebAccess client ActiveX component nbwocxrun.ocx. The vulnerability is due to insufficient input validation when handling one of the parameters passed to a method of the BWOCXRUN.BwocxrunCtrl.1 control. A remote, unauthenticated attacker can exploit this vulnerability by enticing a target client to view a crafted HTML document, ASP page, or various other media. Successful exploitation could result in execution of arbitrary code within the security context of the target user.
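The advisory's attack vector is a page that instantiates the control, so a simple content-inspection check can flag any HTML that loads it by the CLSID or ProgID quoted above. The following is an added example (not the advisory's text and not SonicWALL's signature logic); the three sample pages are constructed for illustration.

```python
import re
from html import unescape

# Identifiers quoted in the advisory for the vulnerable control.
BWOCXRUN_CLSID = "5C2A52BD-2250-4F6B-A4D2-D1D00FCD748C"
BWOCXRUN_PROGID = "BWOCXRUN.BwocxrunCtrl.1"

# <object ... classid="clsid:{CLSID}" ...>; braces, quoting and case vary.
_OBJECT_RE = re.compile(
    r"<object\b[^>]*\bclassid\s*=\s*['\"]?\s*clsid:\s*\{?"
    + re.escape(BWOCXRUN_CLSID) + r"\}?",
    re.IGNORECASE | re.DOTALL,
)
# Script-side instantiation by ProgID, e.g. new ActiveXObject("...").
_SCRIPT_RE = re.compile(
    r"\b(?:new\s+ActiveXObject|CreateObject|GetObject)\s*\(\s*['\"]"
    + re.escape(BWOCXRUN_PROGID) + r"['\"]",
    re.IGNORECASE,
)


def find_bwocxrun_instantiations(page: str) -> list:
    """Return one finding (kind, offset, line) per instantiation of the control.

    HTML entities are decoded first so that an encoded CLSID is still matched.
    """
    text = unescape(page)
    findings = []
    for kind, pattern in (("object-tag", _OBJECT_RE), ("script", _SCRIPT_RE)):
        for m in pattern.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            findings.append({"kind": kind, "offset": m.start(), "line": line})
    return sorted(findings, key=lambda f: f["offset"])


# Constructed sample pages (not taken from any real attack).
SAMPLE_OBJECT = (
    "<html><body>\n"
    '<object id="bw" classid="clsid:{5C2A52BD-2250-4F6B-A4D2-D1D00FCD748C}"'
    ' width="0" height="0"></object>\n</body></html>'
)
SAMPLE_SCRIPT = '<script>var o = new ActiveXObject("BWOCXRUN.BwocxrunCtrl.1");</script>'
SAMPLE_BENIGN = '<html><body><object data="movie.swf"></object></body></html>'

if __name__ == "__main__":
    for name, page in (("object", SAMPLE_OBJECT), ("script", SAMPLE_SCRIPT), ("benign", SAMPLE_BENIGN)):
        print(name, find_bwocxrun_instantiations(page))
```

A check like this catches the plain forms only; script that assembles the ProgID from concatenated strings will not match, which is why a gateway signature such as the one listed below is complemented by disabling the control on the endpoint.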

The SonicWALL UTM team has researched this vulnerability and created the following IPS signature to detect and prevent attacks targeting it.

  • 1801 Broadwin WebAccess Client Format String Attack

This vulnerability has not been assigned a CVE ID.