| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 30 Jun 2017 04:50:42 +0000 From: Karn Ganeshen <karnganeshen@...il.com> To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: [FD] Schneider Electric Pro-Face WinGP – Runtime.exe – Insecure Library Loading Allows Code Execution [ICS] Schneider Electric Pro-Face WinGP – Runtime.exe – Insecure Library Loading Allows Code Execution Vendor: Schneider Electric Equipment: Pro-Face WinGP Vulnerability: Uncontrolled Search Path Element (DLL side-loading) Advisory URL: https://ipositivesecurity.com/2017/06/28/ics-schneider-electric-pro-face-wingp-insecure-library-loading-allows-code-execution/ ------------------------ AFFECTED PRODUCTS ------------------------ Schneider Electric Pro-Face WinGP - Packaged version with GP Pro Server EX -> current version ------------------------ ABOUT ------------------------ WinGP is a runtime engine, and is a component of Schneider Electric Pro-Face GP Pro-Server EX. Pro-Face GP Pro-Server EX is premier HMI Development Software that supports Dedicated and Open HMI (PC-based) solutions. https://www.proface.com/en/download/trial/gpproex/v40 http://www.pro-face.com/otasuke/download/trial/ ------------------------ VULNERABLE VERSION ------------------------ Packaged version with GP Pro Server EX -> current version ------------------------ IMPACT ------------------------ Successful exploitation of this vulnerability could allow an authenticated user to escalate his or her privileges. ------------------------ VULNERABILITY DETAILS ------------------------ This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Schneider Electric Pro-Face WinGP software. User interaction is required to exploit this vulnerability in that the malicious dll file should be saved in any of the DLL search paths. The specific flaw exists within the handling of a specific named DLL file used by Runtime.exe. By default, the program is installed in C:\Pro-Face\ and any authenticated local users have RWX access. By placing a specific DLL/OCX file (listed below), an attacker is able to force the process to load an arbitrary DLL. This allows an attacker to execute arbitrary code in the context of the process when it is run. ------------------------ DLL File Names ------------------------ i2capi.dll ------------------------ Application Executables (that look for missing DLL/OCX) ------------------------ Runtime.exe ------------------------ Steps to reproduce ------------------------ 1. Generate a dll payload msfvenom –p windows/exec cmd=calc.exe –f dll –o i2capi.dll 2. Place this dll in install directory (or C:\Windows, or any directory defined in the PATH environment variable) C:\Pro-face\WinGP\ 3. Run Runtime.exe -> calc.exe executes +++++ _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists