what you don't know can hurt you

iniNet SpiderControl PLC Editor Simatic 6.30.04 Privilege Escalation

iniNet SpiderControl PLC Editor Simatic 6.30.04 Privilege Escalation
Posted Dec 7, 2015
Authored by LiquidWorm | Site zeroscience.mk

SpiderControl PLC Editor Simatic suffers from an elevation of privileges vulnerability which can be used by a simple user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the 'F' flag (Full) for 'Everyone' group, and 'C' flag (Change) for 'Authenticated Users' group making the entire directory 'PLCEditorSimatic_6300400' and its files and sub-dirs world-writable. Version 6.30.04 is affected.

tags | exploit
MD5 | 123e700828414ac291d05305a73de48f

iniNet SpiderControl PLC Editor Simatic 6.30.04 Privilege Escalation

Change Mirror Download

iniNet SpiderControl PLC Editor Simatic 6.30.04 Insecure File Permissions


Vendor: iniNet Solutions GmbH
Product web page: http://www.spidercontrol.net
Affected version: 6.30.04 (Build 6300400)

Summary: Modular and automated engineering is provided for HMI and
SCADA. The tools are developed to join a large range of engineering
modules together quickly. We modularize our software, as the mechanics
of a system are modularized today. Easy to visualize with a few clicks.

Desc: SpiderControl PLC Editor Simatic suffers from an elevation of
privileges vulnerability which can be used by a simple user that can
change the executable file with a binary of choice. The vulnerability
exist due to the improper permissions, with the 'F' flag (Full) for
'Everyone' group, and 'C' flag (Change) for 'Authenticated Users' group
making the entire directory 'PLCEditorSimatic_6300400' and its files
and sub-dirs world-writable.

Tested on: Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2015-5283
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5283.php


22.10.2015

--


C:\SpiderControl\PLCEditorSimatic_6300400>cacls PLCEditorSimatic.exe
C:\SpiderControl\PLCEditorSimatic_6300400\PLCEditorSimatic.exe Everyone:(ID)F
BUILTIN\Administrators:(ID)F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Users:(ID)R
NT AUTHORITY\Authenticated Users:(ID)C


C:\SpiderControl\PLCEditorSimatic_6300400>dir
Volume in drive C is Windows
Volume Serial Number is 56F3-8688

Directory of C:\SpiderControl\PLCEditorSimatic_6300400

22/10/2015 10:10 <DIR> .
22/10/2015 10:10 <DIR> ..
09/05/2012 14:03 379 fontconfig.txt
22/10/2015 10:10 <DIR> HTML5Comp
22/10/2015 10:10 <DIR> HWSpecific
24/06/2015 18:42 386,812 IMasterSimatic6_30_04.jar
22/10/2015 10:10 <DIR> ImportNConvertComp
22/10/2015 10:10 <DIR> MacroDlgComp
22/10/2015 10:10 <DIR> MacroDlgRuntime
22/10/2015 10:10 <DIR> MacroLib
22/10/2015 10:10 <DIR> MacroLibTempFiles
26/04/2005 15:26 320 MsgBox.teq
22/10/2015 10:10 <DIR> News_ReleaseNotes
06/06/2012 11:06 81 PLCEditorExtraBatch.bat
11/01/2013 12:29 727 PLCEditorKey.spl
02/07/2015 22:58 7,997,440 PLCEditorSimatic.exe
26/11/2014 19:04 3,806 PLCPPOCheckCfgSimaticPLC.xml
02/07/2015 18:25 2,958,336 PLC_FontGenerator.exe
22/10/2015 10:10 <DIR> Projects
17/06/2015 10:58 34,275 PropWndDescript.xml
25/04/2014 16:55 104,254 s7api.jar
18/05/2015 12:28 42,478 ScadaDescript.xml
10/01/2011 15:09 208 ScadaPPOList.csv
22/10/2015 10:10 <DIR> SCUtils
09/02/2015 13:27 8,242 SimaticDefaultSpiderHWProfile.shp
01/07/2015 16:36 2,693,569 SimaticPLCHelp.chm
22/10/2015 10:30 <DIR> SimulateRuntime
22/10/2015 10:10 <DIR> SimulationComp
06/09/2012 11:13 65,536 SpiderLink1.dll
06/09/2012 11:13 65,536 SpiderLink2.dll
06/09/2012 11:13 65,536 SpiderLink3.dll
06/09/2012 11:13 65,536 SpiderLink4.dll
02/07/2015 18:26 265,216 SpiderObserver.dll
02/07/2015 18:25 269,824 SpiderOPCBrowser.dll
02/07/2015 23:42 483,328 SPSVarSelectorCsv.dll
02/07/2015 18:26 430,080 SPSVarSelectorTpy.dll
22/10/2015 10:10 <DIR> SVGComp
22/10/2015 10:10 86,988 unins000.dat
22/10/2015 10:10 736,929 unins000.exe
10/01/2011 15:05 28 ZelsCfg.csv
22/10/2015 10:10 <DIR> ZipComp
25 File(s) 16,765,464 bytes
16 Dir(s) 77,686,059,008 bytes free

C:\SpiderControl\PLCEditorSimatic_6300400>cd ..

C:\SpiderControl>cacls PLCEditorSimatic_6300400
C:\SpiderControl\PLCEditorSimatic_6300400 Everyone:(OI)(CI)F
BUILTIN\Administrators:(ID)F
BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
NT AUTHORITY\SYSTEM:(ID)F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
BUILTIN\Users:(OI)(CI)(ID)R
NT AUTHORITY\Authenticated Users:(ID)C
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

March 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    2 Files
  • 2
    Mar 2nd
    18 Files
  • 3
    Mar 3rd
    15 Files
  • 4
    Mar 4th
    12 Files
  • 5
    Mar 5th
    19 Files
  • 6
    Mar 6th
    8 Files
  • 7
    Mar 7th
    1 Files
  • 8
    Mar 8th
    1 Files
  • 9
    Mar 9th
    11 Files
  • 10
    Mar 10th
    15 Files
  • 11
    Mar 11th
    9 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    13 Files
  • 14
    Mar 14th
    10 Files
  • 15
    Mar 15th
    13 Files
  • 16
    Mar 16th
    27 Files
  • 17
    Mar 17th
    15 Files
  • 18
    Mar 18th
    23 Files
  • 19
    Mar 19th
    25 Files
  • 20
    Mar 20th
    10 Files
  • 21
    Mar 21st
    6 Files
  • 22
    Mar 22nd
    1 Files
  • 23
    Mar 23rd
    22 Files
  • 24
    Mar 24th
    15 Files
  • 25
    Mar 25th
    22 Files
  • 26
    Mar 26th
    20 Files
  • 27
    Mar 27th
    15 Files
  • 28
    Mar 28th
    10 Files
  • 29
    Mar 29th
    1 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close