lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 30 Jun 2017 04:50:42 +0000
From: Karn Ganeshen <karnganeshen@...il.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] Schneider Electric Pro-Face WinGP – Runtime.exe – Insecure Library Loading Allows Code Execution

[ICS] Schneider Electric Pro-Face WinGP – Runtime.exe – Insecure Library
Loading Allows Code Execution

Vendor: Schneider Electric
Equipment: Pro-Face WinGP
Vulnerability: Uncontrolled Search Path Element (DLL side-loading)

Advisory URL:
https://ipositivesecurity.com/2017/06/28/ics-schneider-electric-pro-face-wingp-insecure-library-loading-allows-code-execution/

------------------------

AFFECTED PRODUCTS

------------------------

Schneider Electric Pro-Face WinGP - Packaged version with GP Pro Server EX
-> current version

------------------------

ABOUT

------------------------


WinGP is a runtime engine, and is a component of Schneider Electric
Pro-Face GP Pro-Server EX. Pro-Face GP Pro-Server EX is premier HMI
Development Software that supports Dedicated and Open HMI (PC-based)
solutions.

https://www.proface.com/en/download/trial/gpproex/v40
http://www.pro-face.com/otasuke/download/trial/

------------------------

VULNERABLE VERSION

------------------------

Packaged version with GP Pro Server EX -> current version

------------------------

IMPACT

------------------------


Successful exploitation of this vulnerability could allow an authenticated
user to escalate his or her privileges.

------------------------

VULNERABILITY DETAILS

------------------------


This vulnerability allows attackers to execute arbitrary code on vulnerable
installations of Schneider Electric Pro-Face WinGP software. User
interaction is required to exploit this vulnerability in that the malicious
dll file should be saved in any of the DLL search paths.

The specific flaw exists within the handling of a specific named DLL file
used by Runtime.exe. By default, the program is installed in C:\Pro-Face\
and any authenticated local users have RWX access. By placing a specific
DLL/OCX file (listed below), an attacker is able to force the process to
load an arbitrary DLL. This allows an attacker to execute arbitrary code in
the context of the process when it is run.

------------------------

DLL File Names

------------------------

i2capi.dll

------------------------

Application Executables (that look for missing DLL/OCX)

------------------------

Runtime.exe

------------------------

Steps to reproduce

------------------------


1. Generate a dll payload
msfvenom –p windows/exec cmd=calc.exe –f dll –o i2capi.dll
2. Place this dll in install directory (or C:\Windows, or any directory
defined in the PATH environment variable)
C:\Pro-face\WinGP\
3. Run Runtime.exe -> calc.exe executes

+++++

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists