lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 28 Oct 2017 12:18:50 +0530
From: Karn Ganeshen <karnganeshen@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] [ICS] SpiderControl SCADA Web Server Improper Privilege
	Management Vulnerability

Vendor: SpiderControl
Equipment: SCADA Web Server
Vulnerability: Improper Privilege Management

Advisory URL
https://ipositivesecurity.com/2017/10/28/ics-spidercontrol-scada-web-server-improper-privilege-management-vulnerability/

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-250-01

CVE-ID
CVE-2017-12728

------------------------
AFFECTED PRODUCTS
------------------------

The following versions of SCADA Web Server, a software management platform,
are affected:
SCADA Web Server Version 2.02.0007 and prior.

------------------------
BACKGROUND
------------------------
Critical Infrastructure Sector: Critical Manufacturing
Countries/Areas Deployed: Europe
Company Headquarters Location: Switzerland

------------------------
IMPACT
------------------------
Successful exploitation of this vulnerability could allow authenticated
system users to escalate their privileges under certain conditions.

------------------------
VULNERABILITY OVERVIEW
------------------------

IMPROPER PRIVILEGE MANAGEMENT CWE-269

Authenticated, non-administrative local users are able to alter service
executables with escalated privileges which could allow an attacker to
execute arbitrary code under the context of the current system services.

CVE-2017-12728 has been assigned to this vulnerability. A CVSS v3 base
score of 5.3 has been assigned; the CVSS vector string is
(AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).


------------------------
Vulnerability Details
------------------------

1. Untrusted Users Can Modify Windows Service Executables
It is possible for non-administrative local users to replace some of the
Windows Service executables with malicious programs. This could be abused
to execute programs with the privileges of the Windows services concerned.

The programs below have FILE_WRITE, WRITE_DAC or WRITE_OWNER permission
granted to non-administrative users:

SCADA Server (SCADAServer) runs the following program as LocalSystem:

C:\WWW\ScadaWindowsService.exe: ALLOW \Everyone: FILE_WRITE_DATA
C:\WWW\ScadaWindowsService.exe: ALLOW NT AUTHORITY\Authenticated Users:
FILE_WRITE_DATA

2. Delete Permission Granted On Windows Service Executables
It is possible for non-administrative local users to delete some of the
Windows Service executables with malicious programs. This could lead to
disruption or denial of service.

The programs below have DELETE permission granted to non-administrative
users:

SCADA Server (SCADAServer) runs the following program as LocalSystem:

C:\WWW\ScadaWindowsService.exe: ALLOW \Everyone: DELETE
C:\WWW\ScadaWindowsService.exe: ALLOW NT AUTHORITY\Authenticated Users:
DELETE

3. Append Permission Granted Windows Service Executables
It is possible for non-administrative local users to append to some of the
Windows Service executables with malicious programs. This is unlikely to be
exploitable for .exe files, but is it bad security practise to allow more
access than necessary to low-privileged users.

The programs below have FILE_APPEND permission granted to
non-administrative users:

SCADA Server (SCADAServer) runs the following program as LocalSystem:

C:\WWW\ScadaWindowsService.exe: ALLOW \Everyone: FILE_APPEND_DATA
C:\WWW\ScadaWindowsService.exe: ALLOW NT AUTHORITY\Authenticated Users:
FILE_APPEND_DATA


+++++
Best Regards,
Karn Ganeshen

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ