WEG SuperDrive G2 v12.0.0 Insecure File Permissions
Title: WEG SuperDrive G2 v12.0.0 Insecure File Permissions
Advisory ID: ZSL-2016-5294
Type: Local
Impact: Privilege Escalation
Risk: (2/5)
Release Date: 16.01.2016
SuperDrive (v7.0.0)
Microsoft Windows 7 Professional SP1 (EN)
Java 1.8.0_60
[05.12.2015] Vendor contacted.
[15.01.2016] No response from the vendor.
[16.01.2016] Public security advisory released.
[2] https://www.exploit-db.com/exploits/39260/
[3] https://packetstormsecurity.com/files/135306
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/109736
[17.01.2016] - Added reference [1]
[18.01.2016] - Added reference [2]
[19.01.2016] - Added reference [3]
[21.01.2016] - Added reference [4]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2016-5294
Type: Local
Impact: Privilege Escalation
Risk: (2/5)
Release Date: 16.01.2016
Summary
SuperDrive is a Windows graph tool for parameter setting, control and monitor of WEG Drives. It permits to edit directly in the drive online parameters, or to edit offline parameter files stored in the microcomputer. It enables you to store parameters of all drives that exist in the installation. The software also incorporates functions enable the upload to the drive of the microcomputer parameters sets as well as the download from the drive to the microcomputer. The communication between drive and microcomputer is realized via RS232 serial interface (point to point) or by RS485 for network linkage.Description
SuperDrive suffers from an elevation of privileges vulnerability which can be used by a simple authenticated user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the 'C' flag (Change) for 'Authenticated Users' group.Vendor
WEG Group - http://www.weg.netAffected Version
SuperDrive G2 (v12.0.0 Build 20150930-J1.8.0_60-NB8.0.2)SuperDrive (v7.0.0)
Tested On
Microsoft Windows 7 Ultimate SP1 (EN)Microsoft Windows 7 Professional SP1 (EN)
Java 1.8.0_60
Vendor Status
[25.11.2015] Vulnerability discovered.[05.12.2015] Vendor contacted.
[15.01.2016] No response from the vendor.
[16.01.2016] Public security advisory released.
PoC
superdrive_eop.txtCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] https://cxsecurity.com/issue/WLB-2016010101[2] https://www.exploit-db.com/exploits/39260/
[3] https://packetstormsecurity.com/files/135306
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/109736
Changelog
[16.01.2016] - Initial release[17.01.2016] - Added reference [1]
[18.01.2016] - Added reference [2]
[19.01.2016] - Added reference [3]
[21.01.2016] - Added reference [4]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk