Vendor: AzeoTech Equipment: DAQFactory Vulnerability: Incorrect Default Permissions, Uncontrolled Search Path Element
Advisory URL: https://ipositivesecurity.com/2017/09/01/ics-azeotech- daqfactory-insecure-default-permissions-insecure-library- loading-allows-code-execution/ ICS-CERT Advisory https://ics-cert.us-cert.gov/advisories/ICSA-17-241-01 CVE-IDs CVE-2017-12699 CVE-2017-5147 ------------------------ AFFECTED PRODUCTS ------------------------ The following versions are affected: DAQFactory versions prior to 17.1 ------------------------ BACKGROUND ------------------------ Critical Infrastructure Sectors: Critical manufacturing, Energy, and Water Countries/Areas Deployed: United States and Europe Company Headquarters Location: United States ------------------------ IMPACT ------------------------ Successful exploitation of these vulnerabilities could allow authenticated local users to escalate their privileges and execute arbitrary code. ------------------------ VULNERABILITY OVERVIEW ------------------------ A) INCORRECT DEFAULT PERMISSIONS CWE-276 Local, non-administrative users may be able to replace or modify original application files with malicious ones. CVE-2017-12699 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). EVERYONE has FULL permissions over all the install files (*exe, *dll), therefore, it is possible for any local, non-admin user to replace/modify original application files with malicious ones, and gain privileged access once an administrative user runs the application. Other vectors are possible as well. B) UNCONTROLLED SEARCH PATH ELEMENT CWE-427 An uncontrolled search path element vulnerability has been identified, which may execute malicious DLL files that have been placed within the search path. CVE-2017-5147 has been assigned to this vulnerability. A CVSS v3 base score of 4.2 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L). By default, the application (vulnerable versions) is installed in C:\DAQFactory\. All Authenticated users have RWX permissions on this directory. By placing specific DLL file(s), an attacker is able to force the process to load an arbitrary DLL. This allows an attacker to execute arbitrary code in the context of the process when it is run. ------------------------ Missing Libraries: ------------------------ pegrc32a.dll labjackm.dll iopc.dll ------------------------ Application Executables (that look for missing DLL): ------------------------ DAQFactory.exe ------------------------ Steps to reproduce ------------------------ 1. Generate a dll payload msfvenom –p windows/exec cmd=calc.exe –f dll –o pegrc32a.dll 2. Place this dll in install directory (or any directory defined in the PATH environment variable) C:\DAQFactory\ 3. Run DAQFactory.exe -> calc.exe executes +++++ Best Regards, Karn Ganeshen _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
