iniNet SpiderControl PLC Editor Simatic 6.30.04 – Insecure File Permissions

  • Author: LiquidWorm
    Date: 2015-12-08
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/38904/
  • iniNet SpiderControl PLC Editor Simatic 6.30.04 Insecure File Permissions
    
    
    Vendor: iniNet Solutions GmbH
    Product web page: http://www.spidercontrol.net
    Affected version: 6.30.04 (Build 6300400)
    
    Summary: Modular and automated engineering is provided for HMI and
    SCADA. The tools are developed to join a large range of engineering
    modules together quickly. We modularize our software, as the mechanics
    of a system are modularized today. Easy to visualize with a few clicks.
    
    Desc: SpiderControl PLC Editor Simatic suffers from an elevation of
    privileges vulnerability that lets an ordinary user replace the
    executable file with a binary of choice. The vulnerability exists
    due to improper permissions, with the 'F' flag (Full) for the
    'Everyone' group and the 'C' flag (Change) for the 'Authenticated
    Users' group, making the entire directory 'PLCEditorSimatic_6300400'
    and its files and sub-dirs world-writable.
    
    Tested on: Microsoft Windows 7 Professional SP1 (EN)
               Microsoft Windows 7 Ultimate SP1 (EN)
    
    
    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
    @zeroscience
    
    
    Advisory ID: ZSL-2015-5283
    Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5283.php
    
    
    22.10.2015
    
    --
    
    
    C:\SpiderControl\PLCEditorSimatic_6300400>cacls PLCEditorSimatic.exe
    C:\SpiderControl\PLCEditorSimatic_6300400\PLCEditorSimatic.exe Everyone:(ID)F
     BUILTIN\Administrators:(ID)F
     NT AUTHORITY\SYSTEM:(ID)F
     BUILTIN\Users:(ID)R
     NT AUTHORITY\Authenticated Users:(ID)C
    
    
    C:\SpiderControl\PLCEditorSimatic_6300400>dir
     Volume in drive C is Windows
     Volume Serial Number is 56F3-8688
    
     Directory of C:\SpiderControl\PLCEditorSimatic_6300400
    
    22/10/2015  10:10    <DIR>          .
    22/10/2015  10:10    <DIR>          ..
    09/05/2012  14:03               379 fontconfig.txt
    22/10/2015  10:10    <DIR>          HTML5Comp
    22/10/2015  10:10    <DIR>          HWSpecific
    24/06/2015  18:42           386,812 IMasterSimatic6_30_04.jar
    22/10/2015  10:10    <DIR>          ImportNConvertComp
    22/10/2015  10:10    <DIR>          MacroDlgComp
    22/10/2015  10:10    <DIR>          MacroDlgRuntime
    22/10/2015  10:10    <DIR>          MacroLib
    22/10/2015  10:10    <DIR>          MacroLibTempFiles
    26/04/2005  15:26               320 MsgBox.teq
    22/10/2015  10:10    <DIR>          News_ReleaseNotes
    06/06/2012  11:06                81 PLCEditorExtraBatch.bat
    11/01/2013  12:29               727 PLCEditorKey.spl
    02/07/2015  22:58         7,997,440 PLCEditorSimatic.exe
    26/11/2014  19:04             3,806 PLCPPOCheckCfgSimaticPLC.xml
    02/07/2015  18:25         2,958,336 PLC_FontGenerator.exe
    22/10/2015  10:10    <DIR>          Projects
    17/06/2015  10:58            34,275 PropWndDescript.xml
    25/04/2014  16:55           104,254 s7api.jar
    18/05/2015  12:28            42,478 ScadaDescript.xml
    10/01/2011  15:09               208 ScadaPPOList.csv
    22/10/2015  10:10    <DIR>          SCUtils
    09/02/2015  13:27             8,242 SimaticDefaultSpiderHWProfile.shp
    01/07/2015  16:36         2,693,569 SimaticPLCHelp.chm
    22/10/2015  10:30    <DIR>          SimulateRuntime
    22/10/2015  10:10    <DIR>          SimulationComp
    06/09/2012  11:13            65,536 SpiderLink1.dll
    06/09/2012  11:13            65,536 SpiderLink2.dll
    06/09/2012  11:13            65,536 SpiderLink3.dll
    06/09/2012  11:13            65,536 SpiderLink4.dll
    02/07/2015  18:26           265,216 SpiderObserver.dll
    02/07/2015  18:25           269,824 SpiderOPCBrowser.dll
    02/07/2015  23:42           483,328 SPSVarSelectorCsv.dll
    02/07/2015  18:26           430,080 SPSVarSelectorTpy.dll
    22/10/2015  10:10    <DIR>          SVGComp
    22/10/2015  10:10            86,988 unins000.dat
    22/10/2015  10:10           736,929 unins000.exe
    10/01/2011  15:05                28 ZelsCfg.csv
    22/10/2015  10:10    <DIR>          ZipComp
                  25 File(s)     16,765,464 bytes
                  16 Dir(s)  77,686,059,008 bytes free
    
    C:\SpiderControl\PLCEditorSimatic_6300400>cd ..
    
    C:\SpiderControl>cacls PLCEditorSimatic_6300400
    C:\SpiderControl\PLCEditorSimatic_6300400 Everyone:(OI)(CI)F
    BUILTIN\Administrators:(ID)F
    BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
    NT AUTHORITY\SYSTEM:(ID)F
    NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
    BUILTIN\Users:(OI)(CI)(ID)R
    NT AUTHORITY\Authenticated Users:(ID)C
    NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C
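
A defender-side check for the condition described above, added here as an example that is not part of the original advisory: it parses `cacls` output in the format shown and reports ACEs that give unprivileged groups Full, Change or Write access. The function names and the set of principals treated as low-privileged are assumptions of this example; the sample input is the directory ACL copied from the advisory.

```python
import re

# Principals that include ordinary, unprivileged local users (assumed set).
LOW_PRIV = {"everyone", r"builtin\users", r"nt authority\authenticated users"}
# cacls right letters that let the holder modify or replace a file.
WRITABLE = {"F": "Full", "C": "Change", "W": "Write"}
# Tail of an ACE such as "(OI)(CI)(IO)(ID)F": optional flags, then one right letter.
ACE_TAIL = re.compile(r"^((?:\([A-Z]{2}\))*)([A-Z])$")


def parse_cacls(path, output):
    """Yield (principal, flags, right) for each simple ACE in cacls output."""
    for line in output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()  # first line is prefixed by the path
        principal, sep, tail = line.rpartition(":")
        m = ACE_TAIL.match(tail.strip())
        if sep and m:  # lines that are not simple ACEs are skipped
            flags = re.findall(r"\(([A-Z]{2})\)", m.group(1))
            yield principal.strip(), flags, m.group(2)


def risky_aces(path, output):
    """Return (principal, right, applies_here, inherits) for weak ACEs.

    applies_here is False for inherit-only (IO) entries; inherits is True
    when the ACE propagates to files (OI) or sub-directories (CI).
    """
    findings = []
    for principal, flags, right in parse_cacls(path, output):
        if principal.lower() in LOW_PRIV and right in WRITABLE:
            applies_here = "IO" not in flags
            inherits = "OI" in flags or "CI" in flags
            findings.append((principal, WRITABLE[right], applies_here, inherits))
    return findings


# cacls output for the install directory, copied from the advisory above.
DIR_PATH = r"C:\SpiderControl\PLCEditorSimatic_6300400"
DIR_ACL = r"""C:\SpiderControl\PLCEditorSimatic_6300400 Everyone:(OI)(CI)F
BUILTIN\Administrators:(ID)F
BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
NT AUTHORITY\SYSTEM:(ID)F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
BUILTIN\Users:(OI)(CI)(ID)R
NT AUTHORITY\Authenticated Users:(ID)C
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C
"""

if __name__ == "__main__":
    for finding in risky_aces(DIR_PATH, DIR_ACL):
        print("WEAK ACE: %s -> %s (applies here: %s, inherits: %s)" % finding)
```

The `Everyone:(OI)(CI)F` entry is the only one without the `(ID)` flag, meaning it was set explicitly on this directory rather than inherited from `C:\SpiderControl`.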