GEOVAP Reliance 4 Control Server Unquoted Service Path Elevation Of Privilege


Vendor: GEOVAP, spol. s r.o.
Product web page: http://www.geovap.cz
                  http://www.reliance.cz
                  http://www.reliance-scada.com
Affected version: 4.7.1 (Revision 25172)

Summary: Reliance is a professional SCADA/HMI system designed for the
visualization and control of industrial processes and for building automation.

Desc: The application suffers from an unquoted search path issue impacting the
service 'RelianceOpcDaWrapper' for Windows deployed as part of Reliance 4 SCADA/HMI
system installer including Reliance OPC Server. This could potentially allow an
authorized but non-privileged local user to execute arbitrary code with elevated
privileges on the system. A successful attempt would require the local user to be
able to insert their code in the system root path undetected by the OS or other
security applications where it could potentially be executed during application
startup or reboot. If successful, the local user’s code would execute with the
elevated privileges of the application.

Tested on: Microsoft Windows 7 Professional SP1 (EN)
           Microsoft Windows 7 Ultimate SP1 (EN)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2015-5285
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5285.php


14.10.2015

--


C:\Users\kungpow>sc qc RelianceOpcDaWrapper
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: RelianceOpcDaWrapper
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\GEOVAP\RelianceOPCServer\OpcDaWrapper.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Reliance OPC DA Server Wrapper
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : LocalSystem