Multiple Honeywell Products 'HscRemoteDeploy.dll' ActiveX Remote Code Execution Vulnerability
BID:58134
Info
| Bugtraq ID: | 58134 |
| Class: | Input Validation Error |
| CVE: | CVE-2013-0108 |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 22 2013 12:00AM |
| Updated: | Apr 10 2013 02:08PM |
| Credit: | Juan Vazquez of Rapid7 |
| Vulnerable: | Honeywell EBI R410.2; Honeywell EBI R410.1 |
| Not Vulnerable: | |
Discussion
Multiple Honeywell products are prone to a remote code-execution vulnerability because they fail to properly validate user-supplied input.
Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application (typically Internet Explorer) using the ActiveX control. Failed exploit attempts likely result in denial-of-service conditions.
The following products are vulnerable:
- Honeywell EBI
- Honeywell SymmetrE
- Honeywell CPO-M
Exploit / POC
A commercial exploit is available through VUPEN Security - Exploit and PoCs Service.
The following example exploit code is available:
Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.
Solution / Fix
Solution:
Updates are available. Please see the references or vendor advisory for more information.
References
References:
- Honeywell Home Page (Honeywell)