DLL hijacking

01 Sep 2017

[ICS] Moxa SoftNVR-IA Live Viewer – Insecure Library Loading Allows Code Execution

Vendor: Moxa
Equipment: SoftNVR-IA Live Viewer
Vulnerability: Uncontrolled Search Path Element

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-220-02

CVE-ID
CVE-2017-5170

AFFECTED PRODUCTS
The following versions of SoftNVR-IA Live Viewer, a video surveillance software designed for industrial automation systems, are affected:

  • SoftNVR-IA Live Viewer, Version 3.30.3122 and prior versions

IMPACT
Successful exploitation of this vulnerability may allow an attacker to execute code from a malicious DLL on the affected system with the same privileges as the user running the program.

Read on for details.


01 Sep 2017

[ICS] SIMPlight SCADA software – Insecure Library Loading Allows Code Execution

Vendor: SIMPlight
Equipment: SCADA Software
Vulnerability: Uncontrolled Search Path Element

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-222-01

CVE-ID
CVE-2017-9661

AFFECTED PRODUCTS
The following versions of SIMPlight SCADA software, software for building management systems and automated facilities, are affected:

  • SCADA Software version 4.3.0.27 and prior.

IMPACT
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code.

Read on for details.


01 Sep 2017

[ICS] Solar Controls WATTConfig M Software – Insecure Library Loading Allows Code Execution

Vendor: Solar Controls
Equipment: WATTConfig M Software
Vulnerability: Uncontrolled Search Path Element

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-222-03

CVE-ID
CVE-2017-9648

AFFECTED PRODUCTS
The following versions of Solar Controls’ WATTConfig M Software for Windows 2.5.10 for M SSR/MAX PLCs are affected:

  • WATTConfig M Software, Version 2.5.10.1 and prior.

IMPACT
Successful exploitation of this vulnerability may allow arbitrary code execution.

Read on for details.


01 Sep 2017

[ICS] AzeoTech DAQFactory – Insecure Default Permissions and Insecure Library Loading Allows Code Execution

Vendor: AzeoTech
Equipment: DAQFactory
Vulnerability: Weak Permissions, Uncontrolled Search Path Element

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-241-01

CVE-IDs
CVE-2017-5147
CVE-2017-12699

AFFECTED PRODUCTS
The following versions are affected:

  • DAQFactory versions prior to 17.1

IMPACT
Successful exploitation of these vulnerabilities could allow authenticated local users to escalate their privileges and execute arbitrary code.

Read on for details.


01 Sep 2017

[ICS] Solar Controls Heating Control Downloader – Insecure Library Loading Allows Code Execution

Vendor: Solar Controls
Equipment: Heating Control Downloader (HCDownloader)
Vulnerability: Uncontrolled Search Path Element

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-222-02

CVE-ID
CVE-2017-9646

AFFECTED PRODUCTS
The following versions of Solar Controls’ Heating Control Downloader (HCDownloader) are affected:

  • HCDownloader, Version 1.0.1.15 and prior.

IMPACT
Successful exploitation of this vulnerability may allow arbitrary code execution.

Read on for details.


28 Jun 2017

[ICS] Schneider Electric Pro-Face WinGP – Insecure Library Loading Allows Code Execution

[ICS] Schneider Electric Pro-Face WinGP - Runtime.exe – Insecure Library Loading Allows Code Execution

Vendor: Schneider Electric
Equipment: Pro-Face WinGP
Vulnerability: Uncontrolled Search Path Element (DLL side-loading)

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-215-01

AFFECTED PRODUCTS
Schneider Electric Pro-Face WinGP - Packaged version with GP Pro Server EX -> current version

IMPACT
Successful exploitation of this vulnerability could allow an authenticated user to escalate his or her privileges.

Read on for details.


15 Jun 2017

Microsoft Office Patch Installers – Insecure Library Loading Allows Code Execution

Microsoft Office Patch Installer Executables – Insecure Library Loading Allows Code Execution
Vulnerability: DLL Hijacking / DLL Side Loading

Abstract
Microsoft Office patch installer executables were found to be vulnerable to a DLL side loading / hijacking issue. This issue was observed when installing a patch for Microsoft Excel 2013 SP1. The patch installer for Microsoft Word was also tested and confirmed to exhibit the same behavior. Other patch installers may also be vulnerable. In this writeup, I will document the MS Excel 2013 patch update KB3127968. Read on for details.


15 Jun 2017

Microsoft Machine Debug Manager (mdm) – Insecure Library Loading Allows Code Execution

Microsoft Machine Debug Manager (mdm) DLL side loading vulnerability

ABOUT
The Machine Debug Manager, mdm.exe, is a program that provides support for program debugging. During testing, it was found that MDM is affected by a DLL hijacking vulnerability. The following conditions are required to exploit the MDM DLL hijacking vulnerability:
  1. MDM (mdm.exe) is installed
  2. Disable script debugging (Other) option is not selected (IE -> Internet Options -> Advanced)
Exploitation could be performed via multiple Windows applications. A few scenarios are documented here. Read on for details.


18 May 2017

[ICS] BLF-Tech LLC VisualView HMI Software – Insecure Library Loading Allows Code Execution

ICS-CERT published an advisory on one of my reports last month –
https://ics-cert.us-cert.gov/advisories/ICSA-17-115-01

BLF-Tech LLC VisualView HMI Insecure Library Loading Allows Code Execution

Vendor: BLF-Tech LLC
Equipment: VisualView HMI Software
Vulnerability: Uncontrolled Search Path Element

Read on for details.


18 May 2017

[ICS] Schneider Electric Interactive Graphical SCADA System Software – Insecure Library Loading Allows Code Execution

ICS-CERT published an advisory on one of my reports last month –
https://ics-cert.us-cert.gov/advisories/ICSA-17-094-01

Schneider Electric Interactive Graphical SCADA System Software – Insecure Library Loading Allows Code Execution

Vendor: Schneider Electric
Equipment: Interactive Graphical SCADA System Software [IGSS]
Vulnerability: Uncontrolled Search Path Element

Read on for details.
