Pwn2Own Miami: Aveva Edge Arbitrary DLL Loading Vulnerability
This article covers the vulnerability I discovered while researching the Aveva Edge attack surface for Pwn2Own Miami a few years ago. It has been patched for a while now, so it's fair to release my writeup of the program.
While testing Aveva Edge V20 SP1 and later SP2, it was found that Aveva Edge Application files (.APP) can be configured to trigger DLL loading from unsafe paths. To understand the root cause of this condition, note that on startup Aveva Edge always loads imgman32.dll from a safe and trusted location.
However, during additional testing, it was found that imgman32.dll in turn attempts to load another library, IMHOST32.dll, which is not included in the application package. Additionally, the call responsible for loading IMHOST32.dll is LoadLibraryA, whose default search order is a well-known target for DLL hijacking.
Analysis of the calling DLL (imgman32.dll) found that the exported function "ImgPlugInHostLoad" attempts to load IMHOST32.dll via LoadLibraryA.
Further analysis indicated that imgman32.dll also attempts to load IMHOST32.dll from its DllMain when it is itself loaded. This explains why our payload (calc.exe) spawns multiple times upon exploitation: IMHOST32.dll, which is the backdoored file in our attack payload, is loaded more than once.
To achieve successful exploitation, an attacker would need a maliciously crafted Aveva archive and a malicious IMHOST32.dll file alongside it. The default configuration already contains the code path that causes imgman32.dll to load IMHOST32.dll.
Further analysis revealed that the library responsible for loading imgman32.dll is appbuild.dll. This library leverages a number of functions from imgman32.dll, all of which appear to be related to image handling and image display within Aveva Edge.
Further reverse engineering revealed that on launch the application reads TreeView.ini from a safe path. The ini file lists a number of hardcoded DLLs to load, and AppBuild.dll is the first DLL that TreeView.ini requires.
In closing, the root cause of the issue is:
· Studio Manager.exe reads TreeView.ini, which contains a list of DLLs to load.
· The first library loaded from TreeView.ini (AppBuild.dll) loads imgman32.dll because it imports imgman32.dll functions.
· imgman32.dll in turn requires IMHOST32.dll, which is missing from the installation path.
· Because imgman32.dll uses LoadLibraryA, the CWD is checked to see if IMHOST32.dll exists there.
· In our case an attacker has included a malicious IMHOST32.dll file alongside an Aveva Edge ".APP" file, leading to arbitrary code execution.
Recommended solutions:
· Include IMHOST32.dll in a trusted / preferred path
· Use a patched version of imgman32.dll that uses a hardcoded DLL path, i.e.
· HMODULE handle = LoadLibrary("c:\\windows\\system32\\IMHOST32.dll");
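As an added example (not part of the original writeup or of the AVEVA product), the following PowerShell script checks a host for the two conditions in the root-cause list above: whether IMHOST32.dll is present in a trusted location at all, and whether stray copies sit next to .APP project files. The install directory and scan roots are assumed placeholders.

```powershell
# Added example, not part of the original writeup or the AVEVA product.
# Assumptions: $InstallDir is a placeholder for the Aveva Edge install folder;
# $ScanRoots are the folders where .APP projects are opened on this host.
param(
    [string]$InstallDir = 'C:\PLACEHOLDER\AVEVA Edge',
    [string[]]$ScanRoots = @("$env:USERPROFILE\Documents", 'C:\Users\Public')
)

$dll     = 'IMHOST32.dll'
$trusted = @("$env:SystemRoot\System32", $InstallDir)

# 1. Is the DLL present in a trusted location? If it is missing from every
#    trusted path, LoadLibraryA keeps walking the search order, which includes
#    the current working directory of the opened .APP project.
$present = $trusted | Where-Object { Test-Path (Join-Path $_ $dll) }
if ($present) {
    Write-Host "[ok] $dll found in trusted path(s): $($present -join ', ')"
} else {
    Write-Warning "$dll is absent from every trusted path; a copy next to an opened .APP would be loaded instead"
}

# 2. Hunt for copies outside the trusted paths, especially beside .APP files.
$findings = foreach ($root in $ScanRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Filter $dll -ErrorAction SilentlyContinue |
        Where-Object { $trusted -notcontains $_.DirectoryName } |
        ForEach-Object {
            $nextToApp = [bool](Get-ChildItem -Path $_.DirectoryName -File -Filter '*.APP' -ErrorAction SilentlyContinue)
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                NextToApp = $nextToApp        # True matches the hijack pattern
                Signature = $sig.Status
                Signer    = $sig.SignerCertificate.Subject
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

if ($findings) {
    Write-Warning "Untrusted copies of $dll found (NextToApp = True is the pattern described above):"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "[ok] no stray copies of $dll under: $($ScanRoots -join ', ')"
}
```

On the developer side, the same effect as the hardcoded path above can also be obtained with LoadLibraryExA and the LOAD_LIBRARY_SEARCH_SYSTEM32 flag, which removes the CWD from the search order for that call.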
Additional Findings:
There were additional RCE cases in Aveva Edge that were not 0-click and were therefore outside the scope of Pwn2Own targets.