Soyal Technologies SOYAL 701Server 9.0.1 suffers from an elevation of privileges vulnerability which can be used by an authenticated user to change the executable file with a binary choice. The vulnerability is due to improper permissions with the 'F' flag (Full) for 'Everyone'and 'Authenticated Users' group.
{"zeroscience": [{"lastseen": "2021-12-10T07:47:30", "description": "Title: SOYAL 701Server 9.0.1 Insecure Permissions \nAdvisory ID: [ZSL-2021-5633](<ZSL-2021-5633.php>) \nType: Local \nImpact: Privilege Escalation \nRisk: (3/5) \nRelease Date: 18.03.2021 \n\n\n##### Summary\n\n701 Server is the program used to set up and configure LAN and IP based access control systems, from the COM port used to the quantity and type of controllers connected. It is also used for programming some of the more complex controllers such as the AR-716E and the AR-829E. \n\n##### Description\n\nThe application suffers from an elevation of privileges vulnerability which can be used by a simple authenticated user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the 'F' flag (Full) for 'Everyone' and 'Authenticated Users' group. \n\n##### Vendor\n\nSOYAL Technology Co., Ltd - <https://www.soyal.com>\n\n##### Affected Version\n\n9.0.1 190322 \n8.0.6 181227 \n\n##### Tested On\n\nMicrosoft Windows 10 Enterprise \n\n##### Vendor Status\n\n[25.01.2021] Vulnerability discovered. \n[03.02.2021] Vendor contacted. \n[08.02.2021] No response from the vendor. \n[09.02.2021] Distributor responds and informs vendor. \n[09.02.2021] Sent details to distributor. \n[10.02.2021] Asked distributor for status update. \n[11.02.2021] Vendor will patch the issue. \n[18.03.2021] Public security advisory released. \n\n##### PoC\n\n[soyal_701serverperms.txt](<../../codes/soyal_701serverperms.txt>)\n\n##### Credits\n\nVulnerability discovered by Gjoko Krstic - <[gjoko@zeroscience.mk](<mailto:gjoko@zeroscience.mk>)>\n\n##### References\n\n[1] <https://packetstormsecurity.com/files/161877/> \n[2] <https://www.exploit-db.com/exploits/49678> \n[3] <https://cxsecurity.com/issue/WLB-2021030142> \n[4] <https://exchange.xforce.ibmcloud.com/vulnerabilities/198550> \n[5] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28271> \n[6] <https://nvd.nist.gov/vuln/detail/CVE-2021-28271>\n\n##### Changelog\n\n[18.03.2021] - Initial release \n[23.03.2021] - Added reference [1], [2], [3] and [4] \n[19.06.2021] - Added reference [5] and [6] \n\n##### Contact\n\nZero Science Lab \n \nWeb: <https://www.zeroscience.mk> \ne-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-18T00:00:00", "type": "zeroscience", "title": "SOYAL 701Server 9.0.1 Insecure Permissions", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28271"], "modified": "2021-03-18T00:00:00", "id": "ZSL-2021-5633", "href": "http://zeroscience.mk/en/vulnerabilities/ZSL-2021-5633.php", "sourceData": "<html><body><p>SOYAL 701Server 9.0.1 Insecure Permissions\r\n\r\n\r\nVendor: SOYAL Technology Co., Ltd\r\nProduct web page: https://www.soyal.com.tw | https://www.soyal.com\r\nAffected version: 9.0.1 190322\r\n 8.0.6 181227\r\n\r\nSummary: 701 Server is the program used to set up and configure LAN\r\nand IP based access control systems, from the COM port used to the\r\nquantity and type of controllers connected. It is also used for\r\nprogramming some of the more complex controllers such as the AR-716E\r\nand the AR-829E.\r\n\r\nDesc: The application suffers from an elevation of privileges vulnerability\r\nwhich can be used by a simple authenticated user that can change the\r\nexecutable file with a binary of choice. The vulnerability exist due\r\nto the improper permissions, with the 'F' flag (Full) for 'Everyone'\r\nand 'Authenticated Users' group.\r\n\r\nTested on: Microsoft Windows 10 Enterprise\r\n\r\n\r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n\r\n\r\nAdvisory ID: ZSL-2021-5633\r\nAdvisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5633.php\r\n\r\n\r\n25.01.2021\r\n\r\n--\r\n\r\n\r\nC:\\Program Files (x86)\\701Server>cacls McuServer.exe\r\nC:\\Program Files (x86)\\701Server\\McuServer.exe Everyone:F\r\n NT AUTHORITY\\Authenticated Users:(ID)F\r\n NT AUTHORITY\\SYSTEM:(ID)F\r\n BUILTIN\\Administrators:(ID)F\r\n BUILTIN\\Users:(ID)R\r\n APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(ID)R\r\n APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(ID)R\r\n\r\nC:\\Program Files (x86)\\701Server>\r\n</p></body></html>", "sourceHref": "http://zeroscience.mk/codes/soyal_701serverperms.txt", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}]}
CVE-2021-28271
