iniNet SpiderControl PLC Editor Simatic 6.30.04 Insecure File Permissions


Vendor: iniNet Solutions GmbH
Product web page: http://www.spidercontrol.net
Affected version: 6.30.04 (Build 6300400)

Summary: Modular and automated engineering is provided for HMI
and SCADA. The tools are developed to join a large range of
engineering modules together quickly. We modularize our software,
as the mechanics of a system are modularized today. Easy to
visualize with a few clicks.

Desc: SpiderControl PLC Editor Simatic suffers from an elevation
of privileges vulnerability which can be exploited by a simple
user who can replace the executable file with a binary of choice.
The vulnerability exists due to improper permissions, with the
'F' flag (Full) for the 'Everyone' group and the 'C' flag (Change)
for the 'Authenticated Users' group, making the entire directory
'PLCEditorSimatic_6300400' and its files and sub-dirs
world-writable.

Tested on: Microsoft Windows 7 Professional SP1 (EN)
           Microsoft Windows 7 Ultimate SP1 (EN)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2015-5283
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5283.php


22.10.2015

--


C:\SpiderControl\PLCEditorSimatic_6300400>cacls PLCEditorSimatic.exe
C:\SpiderControl\PLCEditorSimatic_6300400\PLCEditorSimatic.exe Everyone:(ID)F
                                                               BUILTIN\Administrators:(ID)F
                                                               NT AUTHORITY\SYSTEM:(ID)F
                                                               BUILTIN\Users:(ID)R
                                                               NT AUTHORITY\Authenticated Users:(ID)C


C:\SpiderControl\PLCEditorSimatic_6300400>dir
 Volume in drive C is Windows
 Volume Serial Number is 56F3-8688

 Directory of C:\SpiderControl\PLCEditorSimatic_6300400

22/10/2015  10:10    <DIR>          .
22/10/2015  10:10    <DIR>          ..
09/05/2012  14:03               379 fontconfig.txt
22/10/2015  10:10    <DIR>          HTML5Comp
22/10/2015  10:10    <DIR>          HWSpecific
24/06/2015  18:42           386,812 IMasterSimatic6_30_04.jar
22/10/2015  10:10    <DIR>          ImportNConvertComp
22/10/2015  10:10    <DIR>          MacroDlgComp
22/10/2015  10:10    <DIR>          MacroDlgRuntime
22/10/2015  10:10    <DIR>          MacroLib
22/10/2015  10:10    <DIR>          MacroLibTempFiles
26/04/2005  15:26               320 MsgBox.teq
22/10/2015  10:10    <DIR>          News_ReleaseNotes
06/06/2012  11:06                81 PLCEditorExtraBatch.bat
11/01/2013  12:29               727 PLCEditorKey.spl
02/07/2015  22:58         7,997,440 PLCEditorSimatic.exe
26/11/2014  19:04             3,806 PLCPPOCheckCfgSimaticPLC.xml
02/07/2015  18:25         2,958,336 PLC_FontGenerator.exe
22/10/2015  10:10    <DIR>          Projects
17/06/2015  10:58            34,275 PropWndDescript.xml
25/04/2014  16:55           104,254 s7api.jar
18/05/2015  12:28            42,478 ScadaDescript.xml
10/01/2011  15:09               208 ScadaPPOList.csv
22/10/2015  10:10    <DIR>          SCUtils
09/02/2015  13:27             8,242 SimaticDefaultSpiderHWProfile.shp
01/07/2015  16:36         2,693,569 SimaticPLCHelp.chm
22/10/2015  10:30    <DIR>          SimulateRuntime
22/10/2015  10:10    <DIR>          SimulationComp
06/09/2012  11:13            65,536 SpiderLink1.dll
06/09/2012  11:13            65,536 SpiderLink2.dll
06/09/2012  11:13            65,536 SpiderLink3.dll
06/09/2012  11:13            65,536 SpiderLink4.dll
02/07/2015  18:26           265,216 SpiderObserver.dll
02/07/2015  18:25           269,824 SpiderOPCBrowser.dll
02/07/2015  23:42           483,328 SPSVarSelectorCsv.dll
02/07/2015  18:26           430,080 SPSVarSelectorTpy.dll
22/10/2015  10:10    <DIR>          SVGComp
22/10/2015  10:10            86,988 unins000.dat
22/10/2015  10:10           736,929 unins000.exe
10/01/2011  15:05                28 ZelsCfg.csv
22/10/2015  10:10    <DIR>          ZipComp
              25 File(s)     16,765,464 bytes
              16 Dir(s)  77,686,059,008 bytes free


C:\SpiderControl\PLCEditorSimatic_6300400>cd ..

C:\SpiderControl>cacls PLCEditorSimatic_6300400
C:\SpiderControl\PLCEditorSimatic_6300400 Everyone:(OI)(CI)F
                                          BUILTIN\Administrators:(ID)F
                                          BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
                                          NT AUTHORITY\SYSTEM:(ID)F
                                          NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
                                          BUILTIN\Users:(OI)(CI)(ID)R
                                          NT AUTHORITY\Authenticated Users:(ID)C
                                          NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C
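

Audit check for the cacls output above (an added example, not part of the original advisory): it lists write-capable ACEs held by broad groups and shows, from the (IO) and (ID) flags, whether each applies to the object itself and whether it must be fixed on the parent folder. The function name risky_aces and the set of principals treated as broad are assumptions of this example; the sample text is the directory ACL copied from the session above.

```python
import re

# Principals that cover ordinary, non-administrative users (assumed set).
BROAD = {"everyone", r"nt authority\authenticated users", r"builtin\users"}
# cacls access letters that permit modifying or replacing files.
WRITE = {"F": "Full", "C": "Change", "W": "Write"}
# One ACE as cacls prints it: PRINCIPAL:(FLAG)(FLAG)...RIGHT
ACE = re.compile(r"^([^:]+):((?:\([A-Z]+\))*)([A-Z])$")

# Directory ACL output copied from the advisory's cacls session.
TARGET = r"C:\SpiderControl\PLCEditorSimatic_6300400"
SAMPLE = r"""C:\SpiderControl\PLCEditorSimatic_6300400 Everyone:(OI)(CI)F
    BUILTIN\Administrators:(ID)F
    BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
    NT AUTHORITY\SYSTEM:(ID)F
    NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
    BUILTIN\Users:(OI)(CI)(ID)R
    NT AUTHORITY\Authenticated Users:(ID)C
    NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C
"""

def risky_aces(path, cacls_output):
    """Return write-capable ACEs held by broad principals in `cacls <path>` output."""
    findings = []
    for line in cacls_output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()   # first line is "<path> <ACE>"
        m = ACE.match(line)
        if not m:
            continue                          # blank line or special-access entry
        who, right = m.group(1), m.group(3)
        flags = re.findall(r"\((\w+)\)", m.group(2))
        if who.lower() not in BROAD or right not in WRITE:
            continue
        if "IO" in flags:
            scope = "children only"           # inherit-only: not applied to this object
        elif "OI" in flags or "CI" in flags:
            scope = "object and children"
        else:
            scope = "object only"
        # (ID) means the ACE comes from the parent, so it is corrected there.
        findings.append({"principal": who, "access": WRITE[right],
                         "scope": scope, "inherited": "ID" in flags})
    return findings

if __name__ == "__main__":
    for finding in risky_aces(TARGET, SAMPLE):
        print(finding)
```

On this sample the Everyone entry is the only finding without (ID), so it is set on PLCEditorSimatic_6300400 itself, while both Authenticated Users entries are inherited from C:\SpiderControl.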