| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 1 Sep 2017 05:07:55 +0530 From: Karn Ganeshen <karnganeshen@...il.com> To: fulldisclosure@...lists.org Subject: [FD] [ICS] Moxa SoftNVR-IA Live Viewer – Insecure Library Loading Allows Code Execution Vendor: Moxa Equipment: SoftNVR-IA Live Viewer Vulnerability: Uncontrolled Search Path Element Advisory URL: https://ipositivesecurity.com/2017/09/01/ics-moxa-softnvr-ia-live-viewer-insecure-library-loading-allows-code-execution/ ICS-CERT Advisory https://ics-cert.us-cert.gov/advisories/ICSA-17-220-02 ------------------------ AFFECTED PRODUCTS ------------------------ The following versions of SoftNVR-IA Live Viewer, a video surveillance software designed for industrial automation systems, are affected: SoftNVR-IA Live Viewer, Version 3.30.3122 and prior versions. ------------------------ BACKGROUND ------------------------ Critical Infrastructure Sector(s): Critical Manufacturing, Energy, and Transportation Systems. Countries/Areas Deployed: Worldwide Company Headquarters Location: Taiwan ------------------------ IMPACT ------------------------ Successful exploitation of this vulnerability may allow an attacker to execute code from a malicious DLL on the affected system with the same privileges as the user running the program. ------------------------ VULNERABILITY OVERVIEW ------------------------ UNCONTROLLED SEARCH PATH ELEMENT CWE-427 An uncontrolled search path element vulnerability has been identified, which may execute malicious DLL files that have been placed within the search path. By placing specific DLL file(s), an attacker is able to force the process to load an arbitrary DLL. This allows an attacker to execute arbitrary code in the context of the process when it is run. CVE-2017-5170 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been assigned; the CVSS vector string is (AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H). ------------------------ Missing Libraries ------------------------ msjet48.dll msjet47.dll msjet46.dll msjet45.dll msjet44.dll msjet43.dll msjet42.dll msjet41.dll msjter49.dll msjter48.dll msjter47.dll msjter46.dll msjter45.dll msjter44.dll msjter43.dll msjter42.dll msjter41.dll ------------------------ Application Executables (that look for missing DLL) ------------------------ SoftNVRIA.exe ------------------------ Steps to reproduce ------------------------ 1. Generate a dll payload msfvenom –p windows/exec cmd=calc.exe –f dll –o msjter41.dll 2. Place this dll in any directory defined in the PATH environment variable C:\app-folder-RW\ 3. Run SoftNVRIA.exe, and Exit Note: Few DLLs are loaded when the application starts, while few are loaded when the application is exited. Thus, code execution can happen at the start or at exit time of the application run. +++++ Best Regards, Karn Ganeshen _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists