WellinTech Patches KingView Holes

Wednesday, October 23, 2013 @ 06:10 PM gHale


WellinTech produced a new version of KingView that mitigates ActiveX vulnerabilities, according to a report on ICS-CERT.

These remotely exploitable vulnerabilities, discovered by independent researcher “Blake,” have active exploits targeting them. “Blake” identified the vulnerabilities and released proof-of-concept (exploit) code without coordination with ICS CERT, the vendor, or any other coordinating entity.

RELATED STORIES
Alstom Software Bug Patch Update
DNP3 Implementation Vulnerability
Wonderware Fixes InTouch Vulnerability
Alstom Patches Software Vulnerability

The vulnerabilities are exploitable because the program does not properly sanitize user input, according to a previous report. KingView versions older than Version 6.53 suffer from the issue.

Successful exploitation of these vulnerabilities may allow an attacker to overwrite files and copy them from one location to another on the target machine.

WellinTech is a software development company specializing in automation and control. Beijing, China-based WellinTech has branches in the United States, Japan, Singapore, Europe, and Taiwan.

According to the WellinTech Web site, the KingView product is a Windows-based control, monitoring, and data collection application deployed across several industries including power, water, building automation, mining, and others.

WellinTech KingView contains a flaw in the SuperGrid.ocx ActiveX control that allows an attacker to traverse outside a restricted path. The issue is due to the program not properly sanitizing user input, specifically directory traversal style attacks.

This proof of concept will copy any arbitrary file from one location to a second location. It can also overwrite existing files. This vulnerability can inject files which, in turn, may allow arbitrary code execution.

CVE-2013-6127 is the number assigned to this vulnerability, which has a CVSS v2 base score of 5.8.

WellinTech KingView contains a flaw in the KChartXY.ocx ActiveX control that allows an attacker to traverse outside a restricted path. The issue is due to the program not properly sanitizing user input. Proof of concept overwrites the win.ini file.

CVE-2013-6128 is the number assigned to this vulnerability, which has a CVSS v2 base score of 5.8.

An attacker with a medium skill would be able to exploit these vulnerabilities.

WellinTech provided the following links to download new versions of the affected files:
• SuperGrid.ocx Version number:65.30.30000.10002
• KChartXY.ocx Version number:65.30.30000.10002

It is also possible to correct the flaw by implementing the following workarounds:
• Set the kill-bit on the KChartXY ActiveX Control (CLSID A9A2011A-1E02-4242-AAE0-B239A6F88BAC).
• Set the kill-bit on the SuperGrid ActiveX Control (CLSID F494550F-A028-4817-A7B5-E5F2DCB4A47E).



Leave a Reply

You must be logged in to post a comment.