[R1] Advantech WebAccess Multiple Vulnerabilities

While developing a plugin for CVE-2016-0855, Tenable discovered an additional vulnerability in Advantech WebAccess. The issue is due to the /WaExlViewer application not properly managing authentication, allowing a remote attacker to bypass intended restrictions (CVE-2017-5152). With this access, an attacker can perform a variety of actions including, but not limited to:

• When combining with another SQL injection vulnerability via /WaExlViewer/updateTemplate.aspx (CVE-2017-5154), a remote, unauthenticated attacker can retrieve the password for the WebAccess admin account.
• Uploading template files with certain extensions (e.g., xls, xlsx, jpg, and png) will be stored in [target]/broadweb/WaExlViewer/templates. At the very least, this can be used to exhaust disk space on the target system. Note: the systems allows jpg, but discriminates against jpeg (haters!).
• Update and delete existing template files, in the formats listed above. A crafted XSL / XLSX with malicious macros could be used in a phishing campaign.

Operations in the /WaExlViewer application appear to access and manipulate tables in the MS Access database located in [installdir]\config\bwCfg.mdb (e.g., C:\WebAccess\Node\config\bwCfg.mdb). Based on limited testing due to time constraints, we know it interacts with the bwCfg.mdb database. It may include retrieval, update, and deletion of the records in some table(s).

To take advantage of this flaw, an attacker would send a POST request to /WaExlViewer/openRpt.aspx with the parameters "projName=<some_name>&nodeName=<some_name>&waPath=C:\WebAccess\Node", that will cause the application to set specific session variables.