Operation Technology ETAP 14.1.0 Local Privilege Escalation

Title: Operation Technology ETAP 14.1.0 Local Privilege Escalation
Advisory ID: ZSL-2016-5323
Type: Local
Impact: Privilege Escalation
Risk: (3/5)
Release Date: 22.05.2016
Summary
Enterprise Software Solution for Electrical Power Systems. ETAP is the most comprehensive electrical engineering software platform for the design, simulation, operation, and automation of generation, transmission, distribution, and industrial systems. As a fully integrated model-driven enterprise solution, ETAP extends from modeling to operation to offer a Real-Time Power Management System.
Description
ETAP suffers from an elevation of privileges vulnerability that can be exploited by any authenticated user, who is able to replace the executable file with a binary of their choice. The vulnerability exists due to improper permissions on the executable: the 'Authenticated Users' group is granted the 'C' flag (Change).
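The following PowerShell script is an added example and is not part of this advisory, the PoC file, or the vendor's software. It audits the executables under an install directory for access-control entries that give broad, low-privilege groups the write-type rights behind the 'C' (Change) flag, so an administrator can detect this misconfiguration and the trailing icacls commands show one way to reset the directory to the standard Program Files layout. The install path is a placeholder, since the advisory does not state where ETAP is installed.

```powershell
# Added example; not from the ZSL-2016-5323 advisory or from ETAP.
# Finds .exe/.dll files under an install directory whose ACL grants
# write/modify-type rights to Authenticated Users, Users, or Everyone.
param(
    # Placeholder: the advisory does not give ETAP's install path.
    [string]$InstallDir = 'C:\Program Files\ETAP_INSTALL_DIR_PLACEHOLDER'
)

# Low-privilege principals that should never be able to change program binaries.
$broadPrincipals = @(
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'Everyone'
)

# Individual write-type bits. The cacls 'C' (Change) flag corresponds to the
# Modify mask, which contains these bits plus Read/Execute; testing the write
# bits alone avoids flagging a harmless Read & Execute entry.
$writeRights = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [System.Security.AccessControl.FileSystemRights]::AppendData -bor
               [System.Security.AccessControl.FileSystemRights]::WriteAttributes -bor
               [System.Security.AccessControl.FileSystemRights]::WriteExtendedAttributes -bor
               [System.Security.AccessControl.FileSystemRights]::Delete -bor
               [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
               [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
               [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Find-WeakExecutableAcl {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $acl = Get-Acl -LiteralPath $file.FullName
            foreach ($ace in $acl.Access) {
                # Only Allow entries for the broad groups matter here.
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
                # -band on the flags enum: any overlapping write bit is a finding.
                if (([int]$ace.FileSystemRights -band [int]$writeRights) -eq 0) { continue }
                [PSCustomObject]@{
                    File      = $file.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
}

$findings = Find-WeakExecutableAcl -Path $InstallDir
if (-not $findings) {
    Write-Host "No broad-group write rights found on executables under $InstallDir"
    return
}
$findings | Format-Table -AutoSize

# Remediation (run elevated, after reviewing the findings): drop the broad
# group's explicit entries, then reset the tree to the usual Program Files
# layout where Users hold only Read & Execute.
# icacls "$InstallDir" /remove:g "Authenticated Users" /T /C
# icacls "$InstallDir" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" "Users:(OI)(CI)RX" /T /C
```

Run it as an administrator so Get-Acl can read every file; inherited entries are reported too, because a permissive parent directory ACE propagates to newly installed binaries just as an explicit one does.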
Vendor
Operation Technology, Inc. - http://www.etap.com
Affected Version
14.1.0.0
Tested On
Microsoft Windows 7 Professional SP1 (EN) x86_64
Microsoft Windows 7 Ultimate SP1 (EN) x86_64
Vendor Status
[07.04.2016] Vulnerabilities discovered.
[11.04.2016] Vendor contacted.
[21.05.2016] No response from the vendor.
[22.05.2016] Public security advisory released.
PoC
etap_eop.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://cxsecurity.com/issue/WLB-2016050108
[2] https://www.exploit-db.com/exploits/39845/
[3] https://packetstormsecurity.com/files/137144
[4] http://www.vfocus.net/art/20160524/12703.html
[5] https://exchange.xforce.ibmcloud.com/vulnerabilities/113435
Changelog
[22.05.2016] - Initial release
[23.05.2016] - Added reference [1], [2] and [3]
[25.05.2016] - Added reference [4]
[27.05.2016] - Added reference [5]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk