what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Cimetrics BACstac Routing Service 6.2f Local Privilege Escalation

Cimetrics BACstac Routing Service 6.2f Local Privilege Escalation
Posted Feb 13, 2017
Authored by LiquidWorm | Site zeroscience.mk

Cimetrics BACstac Routing Service version 6.2f suffers from a local privilege escalation vulnerability.

tags | exploit, local
SHA-256 | c1f44a76146170d4377f77099ef6a598df8c3f4d4c9cb90eef79becd71bc619e

Cimetrics BACstac Routing Service 6.2f Local Privilege Escalation

Change Mirror Download

Cimetrics BACstac Routing Service 6.2f Local Privilege Escalation

Vendor: Cimetrics, Inc.
Product web page: https://www.cimetrics.com
Affected version: 6.2f

Summary: BACstac belongs to product BACstac(TM) Networking Software and
was developed by company Cimetrics Inc. Cimetrics is excited to announce
a new version of our industry-leading BACnet protocol stack: BACstac 6.8.
The Cimetrics BACstac saves man-years of development when your company needs
to create a BACnet solution ! Our software team has created a set of BACnet
libraries which greatly simplify the task of interfacing to BACnet.

Even the largest companies in the HVAC industry use our code because it is
a very complex and time consuming task keeping up with the ongoing changes
that are taking place in the BACnet committees. For example, many hundreds
of protocol modifications, requirements, and enhancements have taken place
in just the past year. By purchasing the Cimetrics BACstac solution, we do
the compatibility coding and testing. This typically saves man-years of
software developer time EVERY YEAR !

Desc: The application suffers from an unquoted search path issue impacting
the service 'bacstac' (bacstac-gtw.exe) for Windows deployed as part of BACstac
routing service solution. This could potentially allow an authorized but non-privileged
local user to execute arbitrary code with elevated privileges on the system.
A successful attempt would require the local user to be able to insert their
code in the system root path undetected by the OS or other security applications
where it could potentially be executed during application startup or reboot.
If successful, the local users code would execute with the elevated privileges
of the application.

BACstac also provides a named pipe used for IPC connection between a BACstac
application and the BACstac service.

The BACstac Service implements AL multiplexing using a custom IPC mechanism. The
IPC mechanism was chosen to allow portability to embedded systems, and it uses a
fixed number of slots. The slots are recycled when an application stops running.

With Object-based multiplexing, Service requests that identify a particular Object
(e.g. Read-Property) can be forwarded to a dedicated process. A multiplexing server
using an appropriate IPC mechanism (e.g. CORBA, COM, or UDP) can be built on top of
the BACstac API.

A number of BACstac protocol stack run-time configuration parameters are stored
in the Windows Registry. These values are created and initialized when the protocol
stack is installed. The registry entries are not completely removed when the protocol
stack is uninstalled (this is standard behaviour for .INF files). The Registry
entries are located in:


The BACstac Service parameters (in ..\Services\BACstac) include plenty of keys,
one of which is the 'Tsml\ConnIpc' key with the default name: \\.\pipe\bacstac.

The vulnerability exist due to the improper permissions, with the 'F' flag (Full)
for 'Everyone' group.

Tested on: Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic

Advisory ID: ZSL-2017-5397
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5397.php



C:\>sc qc bacstac
[SC] QueryServiceConfig SUCCESS

BINARY_PATH_NAME : C:\Program Files (x86)\Cimetrics\BACstac v6.2f\bacstac-gtw.exe
TAG : 0
DISPLAY_NAME : BACstac Protocol

C:\>accesschk.exe \pipe\bacstac

Accesschk v6.02 - Reports effective permissions for securable objects
Copyright (C) 2006-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

RW Everyone

Login or Register to add favorites

File Archive:

November 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    16 Files
  • 2
    Nov 2nd
    17 Files
  • 3
    Nov 3rd
    17 Files
  • 4
    Nov 4th
    11 Files
  • 5
    Nov 5th
    0 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    3 Files
  • 8
    Nov 8th
    59 Files
  • 9
    Nov 9th
    12 Files
  • 10
    Nov 10th
    6 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    1 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    9 Files
  • 15
    Nov 15th
    33 Files
  • 16
    Nov 16th
    53 Files
  • 17
    Nov 17th
    11 Files
  • 18
    Nov 18th
    14 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    26 Files
  • 22
    Nov 22nd
    22 Files
  • 23
    Nov 23rd
    10 Files
  • 24
    Nov 24th
    9 Files
  • 25
    Nov 25th
    11 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By