lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 1 Sep 2017 05:09:09 +0530
From: Karn Ganeshen <karnganeshen@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] [ICS] AzeoTech DAQFactory – Insecure Default Permissions and Insecure Library Loading Allows Code Execution

Vendor: AzeoTech
Equipment: DAQFactory
Vulnerability: Incorrect Default Permissions, Uncontrolled Search Path
Element

Advisory URL:
https://ipositivesecurity.com/2017/09/01/ics-azeotech-
daqfactory-insecure-default-permissions-insecure-library-
loading-allows-code-execution/

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-241-01

CVE-IDs
CVE-2017-12699
CVE-2017-5147

------------------------
AFFECTED PRODUCTS
------------------------
The following versions are affected:

DAQFactory versions prior to 17.1

------------------------
BACKGROUND
------------------------
Critical Infrastructure Sectors: Critical manufacturing, Energy, and Water
Countries/Areas Deployed: United States and Europe
Company Headquarters Location: United States

------------------------
IMPACT
------------------------
Successful exploitation of these vulnerabilities could allow authenticated
local users to escalate their privileges and execute arbitrary code.


------------------------
VULNERABILITY OVERVIEW
------------------------

A)​
INCORRECT DEFAULT PERMISSIONS CWE-276
Local, non-administrative users may be able to replace or modify original
application files with malicious ones.

CVE-2017-12699 has been assigned to this vulnerability. A CVSS v3 base
score of 7.1 has been calculated; the CVSS vector string is
(AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

EVERYONE has FULL permissions over all the install files (*exe, *dll),
therefore, it is possible for any local, non-admin user to replace/modify
original application files with malicious ones, and gain privileged access
once an administrative user runs the application. Other vectors are
possible as well.


​B) ​
UNCONTROLLED SEARCH PATH ELEMENT CWE-427
An uncontrolled search path element vulnerability has been identified,
which may execute malicious DLL files that have been placed within the
search path.

CVE-2017-5147 has been assigned to this vulnerability. A CVSS v3 base score
of 4.2 has been calculated; the CVSS vector string is
(AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L).

By default, the application (vulnerable versions) is installed in
C:\DAQFactory\. All Authenticated users have RWX permissions on this
directory.

By placing specific DLL file(s), an attacker is able to force the process
to load an arbitrary DLL. This allows an attacker to execute arbitrary code
in the context of the process when it is run.

------------------------
Missing Libraries:
------------------------
pegrc32a.dll
labjackm.dll
iopc.dll

------------------------
Application Executables (that look for missing DLL):
------------------------
DAQFactory.exe

------------------------
Steps to reproduce
------------------------
1. Generate a dll payload
msfvenom –p windows/exec cmd=calc.exe –f dll –o pegrc32a.dll

2. Place this dll in install directory (or any directory defined in the
PATH environment variable)
C:\DAQFactory\

3. Run DAQFactory.exe
​ -> calc.exe executes​


+++++
Best Regards,
Karn Ganeshen

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists