iniNet SpiderControl PLC Editor Simatic 6.30.04 Insecure File Permissions
Title: iniNet SpiderControl PLC Editor Simatic 6.30.04 Insecure File Permissions
Advisory ID: ZSL-2015-5283
Type: Local
Impact: Privilege Escalation
Risk: (2/5)
Release Date: 06.12.2015
Microsoft Windows 7 Ultimate SP1 (EN)
[11.11.2015] Vendor contacted.
[11.11.2015] Vendor responds asking more details.
[11.11.2015] Sent details to the vendor.
[15.11.2015] Asked vendor for status update.
[16.11.2015] Vendor states issues have no impact for customers because they use it in their protected environment.
[06.12.2015] Public security advisory released.
[2] https://cxsecurity.com/issue/WLB-2015120052
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/108568
[4] https://www.exploit-db.com/exploits/38904/
[08.12.2015] - Added reference [1], [2], [3] and [4]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2015-5283
Type: Local
Impact: Privilege Escalation
Risk: (2/5)
Release Date: 06.12.2015
Summary
Modular and automated engineering is provided for HMI and SCADA. The tools are developed to join a large range of engineering modules together quickly. We modularize our software, as the mechanics of a system are modularized today. Easy to visualize with a few clicks.Description
SpiderControl PLC Editor Simatic suffers from an elevation of privileges vulnerability which can be used by a simple user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the 'F' flag (Full) for 'Everyone' group, and 'C' flag (Change) for 'Authenticated Users' group making the entire directory 'PLCEditorSimatic_6300400' and its files and sub-dirs world-writable.Vendor
iniNet Solutions GmbH - http://www.spidercontrol.netAffected Version
6.30.04 (Build 6300400)Tested On
Microsoft Windows 7 Professional SP1 (EN)Microsoft Windows 7 Ultimate SP1 (EN)
Vendor Status
[22.10.2015] Vulnerability discovered.[11.11.2015] Vendor contacted.
[11.11.2015] Vendor responds asking more details.
[11.11.2015] Sent details to the vendor.
[15.11.2015] Asked vendor for status update.
[16.11.2015] Vendor states issues have no impact for customers because they use it in their protected environment.
[06.12.2015] Public security advisory released.
PoC
ininetscpes_insecureperm.txtCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] https://packetstormsecurity.com/files/134666[2] https://cxsecurity.com/issue/WLB-2015120052
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/108568
[4] https://www.exploit-db.com/exploits/38904/
Changelog
[06.12.2015] - Initial release[08.12.2015] - Added reference [1], [2], [3] and [4]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk