September 1, 2017 Karn Ganeshen

[ICS] AzeoTech DAQFactory – Insecure Default Permissions and Insecure Library Loading Allows Code Execution

[ICS] AzeoTech DAQFactory – Insecure Default Permissions and Insecure Library Loading Allows Code Execution

Vendor: AzeoTech
Equipment: DAQFactory
Vulnerability: Weak Permissions, Uncontrolled Search Path Element

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-241-01

AFFECTED PRODUCTS

The following versions are affected:

AZEOTECH DAQFactory HMI / SCADA Software functions as:

BACKGROUND


IMPACT

Successful exploitation of these vulnerabilities could allow authenticated local users to escalate their privileges and execute arbitrary code.

VULNERABILITY OVERVIEW

INCORRECT DEFAULT PERMISSIONS CWE-276
Local, non-administrative users may be able to replace or modify original application files with malicious ones.

CVE-2017-12699 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

EVERYONE has FULL permissions over all the install files (*exe, *dll), therefore, it is possible for any local, non-admin user to replace/modify original application files with malicious ones, and gain privileged access once an administrative user runs the application. Other vectors are possible as well.

UNCONTROLLED SEARCH PATH ELEMENT CWE-427
An uncontrolled search path element vulnerability has been identified, which may execute malicious DLL files that have been placed within the search path.

CVE-2017-5147 has been assigned to this vulnerability. A CVSS v3 base score of 4.2 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L).

By default, the application (vulnerable versions) is installed in C:\DAQFactory\. All Authenticated users have RWX permissions on this directory. By placing specific DLL file(s), an attacker is able to force the process to load an arbitrary DLL. This allows an attacker to execute arbitrary code in the context of the process when it is run.

Missing Libraries

Application Executables (that look for missing DLL)

Steps to reproduce

+++++

Tagged: , , , , , , , ,