Ross Video DashBoard 8.5.1 - Insecure Permissions

ID EDB-ID:46742
Type exploitdb
Reporter Exploit-DB
Modified 2019-04-23T00:00:00


                                            Ross Video DashBoard 8.5.1 Insecure Permissions

Vendor: Ross Video Ltd.
Product web page:
Affected version: 8.5.1

Summary: DashBoard is a free and open platform from Ross Video for facility
control and monitoring that enables users to quickly build unique, tailored
Custom Panels that make complex operations simple.

Desc: DashBoard suffers from an elevation of privileges vulnerability which
can be used by a simple authenticated user that can change the executable file
with a binary of choice. The vulnerability exist due to the improper permissions,
with the 'M' flag (Modify) or 'C' flag (Change) for 'Authenticated Users' group.

Tested on: Microsoft Windows 7 Professional SP1 (EN)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic

Advisory ID: ZSL-2019-5516
Advisory URL:



C:\DashBoard>icacls DashBoard.exe && cacls DashBoard.exe
DashBoard.exe BUILTIN\Administrators:(I)(F)
              NT AUTHORITY\SYSTEM:(I)(F)
              NT AUTHORITY\Authenticated Users:(I)(M)

Successfully processed 1 files; Failed processing 0 files
C:\DashBoard\DashBoard.exe BUILTIN\Administrators:(ID)F
                           NT AUTHORITY\SYSTEM:(ID)F
                           NT AUTHORITY\Authenticated Users:(ID)C