
Advantech WebAccess/SCADA Stack Buffer Overflow

Critical

Synopsis

While developing a Nessus plugin to detect CVE-2019-3975, Tenable found an unauthenticated remote stack overflow vulnerability in Advantech WebAccess/SCADA 8.4.2. The flaw exists in the LogInfoFormat function in BwPAlarm.dll due to improper validation of user-supplied data before copying it to a fixed-size stack-based buffer when processing an IOCTL 70533 RPC message:

.text:0700674C ioctl_70533:                       ; CODE XREF: _BwRPCPAlarmService+2F4B↑j
.text:0700674C                                    ; DATA XREF: .text:jpt_700672B↓o
.text:0700674C      mov     edi, [ebp+arg_pInbuf] ; jumptable 0700672B case 10533
.text:0700674F      mov     [ebp+arg_pOutbuf], esi
.text:07006752      push    edi
.text:07006753      push    offset `string'       ; "BwRpcP_KernelShutdown : %s"
.text:07006758      call    LogInfoFormat(char *,...)
[...]
[...]
[...]
.text:07023E40 void __cdecl LogInfoFormat(char *, ...) proc near
.text:07023E40                                    ; CODE XREF: _BwRPCPAlarmService+2F78↑p
.text:07023E40                                    ; _BwRPCPAlarmService+30FD↑p
.text:07023E40
.text:07023E40 sbuf = byte ptr -800h
.text:07023E40 Format= dword ptr  4
.text:07023E40 Args = byte ptr  8
.text:07023E40
.text:07023E40      mov     ecx, [esp+Format]
.text:07023E44      sub     esp, 800h
.text:07023E4A      lea     eax, [esp+800h+Args]  ; attacker-supplied data; the format
.text:07023E4A                                    ; string can contain %s, so the data
.text:07023E4A                                    ; can overflow the fixed-size,
.text:07023E4A                                    ; 0x800-byte stack buffer.
.text:07023E51      lea     edx, [esp+800h+sbuf]  ; 0x800-byte stack buffer
.text:07023E55      push    eax
.text:07023E56      push    ecx
.text:07023E57      push    edx
.text:07023E58      call    _vsprintf

Here an unauthenticated, remote attacker can send a large amount of data to overflow a 0x800-byte stack buffer via the vsprintf function.
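As an added illustration (not code from the advisory or from Advantech), the unbounded vsprintf pattern seen in the listing is shown beside a bounded replacement that reports truncation instead of writing past the buffer. All function names are hypothetical and the oversized argument is constructed for the demonstration.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF_SIZE 0x800  /* same fixed size as sbuf in the disassembly */

/* Hypothetical equivalent of the disassembled LogInfoFormat: vsprintf() into a
 * fixed 0x800-byte stack buffer with no length bound, so a long %s argument
 * writes past sbuf. Included only for comparison; never pass it untrusted data. */
static void log_info_format_unsafe(const char *fmt, ...)
{
    char sbuf[LOG_BUF_SIZE];
    va_list ap;
    va_start(ap, fmt);
    vsprintf(sbuf, fmt, ap);   /* unbounded copy: the defect in the advisory */
    va_end(ap);
    fputs(sbuf, stderr);
}

/* Hardened form: vsnprintf() bounded by the buffer size, with a truncation
 * flag for the caller. Returns the number of bytes stored in out (no NUL). */
static size_t log_info_format_safe(char *out, size_t out_size,
                                   bool *truncated, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (out_size == 0) { if (truncated) *truncated = true; return 0; }
    va_start(ap, fmt);
    n = vsnprintf(out, out_size, fmt, ap);  /* never writes more than out_size */
    va_end(ap);
    if (n < 0) { out[0] = '\0'; if (truncated) *truncated = true; return 0; }
    if (truncated) *truncated = (size_t)n >= out_size;  /* C99: n is the full length */
    return (size_t)n < out_size ? (size_t)n : out_size - 1;
}

/* Constructed input twice the buffer size, the shape of data that overflows
 * the original; with the bounded function it is simply cut off. */
size_t demo_oversized(bool *truncated)
{
    char big[LOG_BUF_SIZE * 2];
    char out[LOG_BUF_SIZE];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return log_info_format_safe(out, sizeof out, truncated,
                                "BwRpcP_KernelShutdown : %s", big);
}

int main(void)
{
    bool cut = false;
    log_info_format_unsafe("%s\n", "short, trusted string");  /* fits: no overflow */
    printf("bounded write stored %zu bytes, truncated=%d\n", demo_oversized(&cut), cut);
    return 0;
}
```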

Exception and exploitability shown in Windbg:

0:007> g
ModLoad: 005e0000 005f0000   C:\WebAccess\Node\viewsrv.dll
(de0.c44): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=00000000 ecx=01e16fb8 edx=01e01b4c esi=00000000 edi=00892760
eip=41414141 esp=0298eae8 ebp=0298f730 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
41414141 ??              ???
0:007> kb
 # ChildEBP RetAddr  Args to Child              
WARNING: Frame IP not in any known module. Following frames may be wrong.
00 0298eae4 41414141 41414141 41414141 41414141 0x41414141
01 0298f730 00404a4e 00002925 00000900 00892760 0x41414141
02 0298f9cc 00402c75 00878fd8 02c920f0 00011385 webvrpcs+0x4a4e
03 0298fa18 00401198 00878fd8 02c920f0 00011385 webvrpcs+0x2c75
04 0298fb44 778e5fda 0087909c d0b9292e 0087f628 webvrpcs+0x1198
05 0298fb7c 778e647b 00401000 0087909c 0298fc20 RPCRT4!DispatchToStubInCNoAvrf+0x46
06 0298fbd4 778e6355 00000000 00000000 00000000 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x158
07 0298fbf8 77927e6d 0087909c 00000000 00000000 RPCRT4!RPC_INTERFACE::DispatchToStub+0x90
08 0298fc84 779281bc 00000000 00878fd8 00879054 RPCRT4!OSF_SCALL::DispatchHelper+0x23f
09 0298fc98 77928401 00000000 00892738 00878fd8 RPCRT4!OSF_SCALL::DispatchRPCCall+0xf5
0a 0298fcc4 779289a0 00892738 0300092c 00000001 RPCRT4!OSF_SCALL::ProcessReceivedPDU+0x223
0b 0298fce4 77928b9c 00892738 0000092c 0000000c RPCRT4!OSF_SCALL::BeginRpcCall+0x123
0c 0298fd40 7793747f 00000000 00892738 0000092c RPCRT4!OSF_SCONNECTION::ProcessReceiveComplete+0x1e1
0d 0298fd54 7794bf8f 00895890 0000000c 00000000 RPCRT4!ProcessConnectionServerReceivedEvent+0x1c
0e 0298fd78 7794c188 00895890 0000000c 00000000 RPCRT4!DispatchIOHelper+0x46
0f 0298fdb0 75af818c 0000052c 00000000 0087e058 RPCRT4!CO_ConnectionThreadPoolCallback+0x120
10 0298fdd4 77df4cd6 0298fe74 00872370 0087e058 KERNELBASE!BasepTpIoCallback+0x2f
11 0298fe30 77dcfb5b 0298fe74 008603e8 0087e058 ntdll!TppIopExecuteCallback+0x1c5
12 0298ff88 758d343d 008725b0 0298ffd4 77db9832 ntdll!TppWorkerThread+0x594
13 0298ff94 77db9832 008725b0 75606122 00000000 kernel32!BaseThreadInitThunk+0xe
14 0298ffd4 77db9805 77dd04bc 008725b0 ffffffff ntdll!__RtlUserThreadStart+0x70
15 0298ffec 00000000 77dd04bc 008725b0 00000000 ntdll!_RtlUserThreadStart+0x1b
0:007> .load msec.dll
0:007> !exploitable

!exploitable 1.6.0.0
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Data Execution Prevention Violation starting at Unknown Symbol @ 0x0000000041414141 called from webvrpcs+0x0000000000004a4e (Hash=0xdd0ef56a.0xbb1bd46e)

User mode DEP access violations are exploitable.

Solution

Upgrade to WebAccess/SCADA 8.4.3.

Disclosure Timeline

09/16/2019 - Vulnerability discovered
10/16/2019 - Disclosed to [email protected]. 90-day deadline is Jan 14, 2020.
10/17/2019 - Advantech acknowledges.
11/01/2019 - Advantech advises Tenable that they are releasing on Nov. 8, 2019.
12/03/2019 - Tenable confirms the fix in 8.4.3.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

CVE ID: CVE-2019-3951
Tenable Advisory ID: TRA-2019-52
CVSSv2 Base / Temporal Score: 10.0 / 7.8
CVSSv2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Affected Products: Advantech WebAccess/SCADA 8.4.2
Risk Factor: Critical

Advisory Timeline

12/11/2019 - [R1] Initial Release