
BlueControl 3.5 SR5 Insecure Library Loading Arbitrary Code Execution

High
Advisory ID
ZSL-2016-5296
Release Date
19 January 2016
Vendor
West Control Solutions - http://www.west-cs.com
Affected Version
3.5.SR5
CVE
N/A
Tested On
Microsoft Windows 7 Ultimate SP1 (EN), Microsoft Windows 7 Professional SP1 (EN)
Summary

Engineering Tool for West Pro Series of controllers (KS20-1, KS92-1, TB40-1, KS800, KS816, Dig280-1, KS vario, CI45, KS45, SG45, TB45, RL400, Pro96, CAL4600).

Description

BlueControl suffers from a DLL hijacking issue. The vulnerability is caused by the application loading libraries (sortserver2003compat.dll, sxs.dll, cryptsp.dll, rpcrtremote.dll) in an insecure manner. This can be exploited to load arbitrary libraries by tricking a user into opening a related application file (.BCD, .BCL, .BCT, .EDW, .E80) located on a remote WebDAV or SMB share.
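
A detection sketch for the condition described above, added here as an example and not part of the original advisory or the vendor's software: it scans image-load records for the four listed DLL names being loaded from an SMB or WebDAV path. The CSV layout (columns named after the Image / ImageLoaded fields of Sysmon image-load events), the process path, host names and share names are constructed placeholders.

```python
import csv
import io
import ntpath

# DLL names listed in the advisory's Description.
WATCHED_DLLS = {"sortserver2003compat.dll", "sxs.dll", "cryptsp.dll", "rpcrtremote.dll"}

# Constructed sample records, not real telemetry. The process path, hosts and
# shares are placeholders chosen for this example.
SAMPLE_EVENTS = r"""Image,ImageLoaded
C:\Apps\EngineeringTool\tool.exe,C:\Windows\System32\cryptsp.dll
C:\Apps\EngineeringTool\tool.exe,\\fileserver.example\projects\plant1\sxs.dll
C:\Apps\EngineeringTool\tool.exe,\\dav.example@SSL\DavWWWRoot\share\CRYPTSP.DLL
C:\Apps\EngineeringTool\tool.exe,\\fileserver.example\projects\plant1\helper.dll
C:\Apps\EngineeringTool\tool.exe,C:\Users\op\Documents\rpcrtremote.dll
"""


def classify_location(path):
    """Return 'local', 'smb' or 'webdav' for a Windows path string."""
    drive = ntpath.splitdrive(path)[0]
    if not drive.startswith("\\\\"):
        return "local"  # drive letter or relative path
    host, _, share = drive[2:].lower().partition("\\")
    # The Windows WebDAV redirector exposes shares as \\host@SSL\... or
    # \\host@port\..., often with a DavWWWRoot pseudo-share.
    if "@" in host or share == "davwwwroot":
        return "webdav"
    return "smb"


def find_remote_loads(events_csv):
    """List (dll, location, path) for watched DLLs loaded from a remote share."""
    hits = []
    for row in csv.DictReader(io.StringIO(events_csv)):
        loaded = row["ImageLoaded"].strip()
        dll = ntpath.basename(loaded).lower()
        location = classify_location(loaded)
        if dll in WATCHED_DLLS and location != "local":
            hits.append((dll, location, loaded))
    return hits


if __name__ == "__main__":
    for dll, location, path in find_remote_loads(SAMPLE_EVENTS):
        print(f"ALERT {location}: {dll} loaded from {path}")
```

A share mapped to a drive letter appears as a local path to this check, so mapped drives need to be resolved to their UNC form before the records are scanned.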

Proof of Concept
Disclosure Timeline
N/A
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
19.01.2016 - Initial release
21.01.2016 - Added reference [1], [2] and [3]
05.02.2016 - Added reference [4]