June 2017

28 Jun 2017

[ICS] Cambium ePMP ICS-CERT Advisory Published

Back in April 2017, I posted SNMP vulnerabilities in Cambium ePMP devices. ICS-CERT has now published the advisory for Cambium ePMP SNMP vulnerabilities: https://ics-cert.us-cert.gov/advisories/ICSA-17-166-01

Vendor: Cambium Networks
Equipment: ePMP
Vulnerabilities: Improper Access Control, Improper Privilege Management
CVE-IDs: CVE-2017-7918, CVE-2017-7922

Cambium ePMP product security, putting it mildly, needs considerable improvement. I will be publishing another set of fresh reports on Cambium devices soon. In case you are using ePMP boxes, or other Cambium appliances, please ensure:
1. your devices are not accessible publicly
2. default account passwords & SNMP community strings are changed to strong values
3. SNMP is filtered at the firewall.

Read on for details.


28 Jun 2017

[ICS] Satel Iberia SenNet Data Logger and Electricity Meters Command Injection – Metasploit Exploit Module

Metasploit Exploit Module published - Satel Iberia SenNet Data Logger and Electricity Meters Command Injection

This module exploits an OS Command Injection vulnerability in Satel Iberia SenNet Data Loggers & Electricity Meters to perform arbitrary command execution as 'root'.

Exploit URL: https://www.rapid7.com/db/modules/auxiliary/scanner/telnet/satel_cmd_exec

Read on for demo.


28 Jun 2017

[ICS] Schneider Electric Pro-Face WinGP – Insecure Library Loading Allows Code Execution

[ICS] Schneider Electric Pro-Face WinGP - Runtime.exe – Insecure Library Loading Allows Code Execution

Vendor: Schneider Electric
Equipment: Pro-Face WinGP
Vulnerability: Uncontrolled Search Path Element (DLL side-loading)

AFFECTED PRODUCTS
Schneider Electric Pro-Face WinGP - Packaged version with GP Pro Server EX -> current version

IMPACT
Successful exploitation of this vulnerability could allow an authenticated user to escalate his or her privileges.

Read on for details.


15 Jun 2017

[ICS] Digital Canal Structural Wind Analysis Stack Buffer Overflow

ICS-CERT published an advisory on one of my reports this week – https://ics-cert.us-cert.gov/advisories/ICSA-17-157-02

Vendor: Digital Canal Structural
Equipment: Wind Analysis
Vulnerability: Stack-Based Buffer Overflow

AFFECTED PRODUCTS
The following versions of Wind Analysis, a structural engineering software platform, are affected:
Wind Analysis versions 9.1 and prior.

IMPACT
Successful exploitation of this vulnerability could cause the device that the attacker is accessing to become unavailable, resulting in a denial of service.

Read on for details.


15 Jun 2017

[ICS] Trihedral VTScada Multiple Vulnerabilities

ICS-CERT published an advisory on one of my reports this week – https://ics-cert.us-cert.gov/advisories/ICSA-17-164-01

Vendor: Trihedral
Equipment: VTScada
Vulnerability: Resource Consumption, Cross-Site Scripting, Information Exposure

AFFECTED PRODUCTS
The following versions of VTScada, an HMI SCADA software, are affected:
VTScada Versions prior to 11.2.26

Read on for details.


15 Jun 2017

Microsoft Office Patch Installers – Insecure Library Loading Allows Code Execution

Microsoft Office Patch Installer Executables – Insecure Library Loading Allows Code Execution

Vulnerability: DLL Hijacking / DLL Side Loading

Abstract
Microsoft Office Patch installer executables are found to be vulnerable to a DLL side loading / hijacking issue. This issue was observed when installing a patch for Microsoft Excel 2013 SP1. The patch installer for Microsoft Word was also tested and confirmed to exhibit the same behavior. Other patch installers may also be vulnerable. In this writeup, I will document the MS Excel 2013 patch update KB3127968.

Read on for details.


15 Jun 2017

Microsoft Machine Debug Manager (mdm) – Insecure Library Loading Allows Code Execution

Microsoft Machine Debug Manager (mdm) DLL side loading vulnerability

ABOUT
The Machine Debug Manager, mdm.exe, is a program that provides support for program debugging. During the testing, it was found that MDM is affected by a DLL hijacking vulnerability. The following conditions are required to exploit the MDM DLL hijacking vulnerability:
  1. MDM (mdm.exe) is installed
  2. The "Disable script debugging (Other)" option is not selected (IE -> Internet Options -> Advanced)
Exploitation could be performed via multiple Windows applications. A few scenarios are documented here.

Read on for details.
