June 28, 2017 Karn Ganeshen

[ICS] Schneider Electric Pro-Face WinGP – Insecure Library Loading Allows Code Execution

[ICS] Schneider Electric Pro-Face WinGP – Runtime.exe – Insecure Library Loading Allows Code Execution

Vendor: Schneider Electric
Equipment: Pro-Face WinGP
Vulnerability: Uncontrolled Search Path Element (DLL side-loading)

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-215-01

AFFECTED PRODUCTS

ABOUT

WinGP is a runtime engine, and is a component of Schneider Electric Pro-Face GP Pro-Server EX. Pro-Face GP Pro-Server EX is premier HMI Development Software that supports Dedicated and Open HMI (PC-based) solutions.

https://www.proface.com/en/download/trial/gpproex/v40
http://www.pro-face.com/otasuke/download/trial/

VULNERABLE VERSION

IMPACT

Successful exploitation of this vulnerability could allow an authenticated user to escalate his or her privileges.

VULNERABILITY DETAILS

This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Schneider Electric Pro-Face WinGP software. User interaction is required to exploit this vulnerability in that the malicious dll file should be saved in any of the DLL search paths.

The specific flaw exists within the handling of a specific named DLL file used by Runtime.exe. By default, the program is installed in C:\Pro-Face\ and any authenticated local users have RWX access. By placing a specific DLL/OCX file (listed below), an attacker is able to force the process to load an arbitrary DLL. This allows an attacker to execute arbitrary code in the context of the process when it is run.

DLL File Names

Application Executables (that look for missing DLL/OCX)

Steps to reproduce

+++++

Tagged: , , , , , , , ,

Leave a Reply

Your email address will not be published. Required fields are marked *