Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
exploitpackLiquidWormEXPLOITPACK:97310E56DD1CFACFF5C28D49B1CAA91C
HistoryJun 13, 2018 - 12:00 a.m.

RSLinx Classic and FactoryTalk Linx Gateway - Privilege Escalation

2018-06-1300:00:00
LiquidWorm
31

0.0005 Low

EPSS

Percentile

18.4%

JSON

RSLinx Classic and FactoryTalk Linx Gateway - Privilege Escalation

# Title: RSLinx Classic and FactoryTalk Linx Gateway - Privilege Escalation
# Date: 2017-12-11
# Author: LiquidWorm
# Vendor: Rockwell Automation, Inc.
# Product web page: https://www.rockwellautomation.com
# Affected version: Rockwell Automation RSLinx Classic 3.90.01
#                 Rockwell Automation RSLinx Classic 3.73.00
#                 Rockwell Automation RSLinx Classic 3.72.00
#                 Rockwell Automation RSLinx Classic 2.58.00
#                 Rockwell Automation FactoryTalk Linx Gateway 3.90.00
# CVE: CVE-2018-10619
# Tested on: Microsoft Windows 7 Professional SP1 (EN)

# Summary: 
# The FactoryTalk Linx Gateway adds a Classic OPC DA and OPC UA server
# interface to deliver information collected by FactoryTalk Linx from Logix5000โ„ข
# and other Allen-Bradleyยฎ controllers to external OPC clients, permitting
# third-party software to coexist with FactoryTalkยฎ software.

# PoC: 
The application suffers from an unquoted search path issue impacting
the service 'dnwhodisp' for Windows deployed as part of RSLinx and FactoryTalk.
This could potentially allow an authorized but non-privileged local user to
execute arbitrary code with elevated privileges on the system. 

A successful attempt would require the local user to be able to insert their 
code in the system root path undetected by the OS or other security applications
where it could potentially be executed during application startup or reboot. If
successful, the local user's code would execute with the elevated privileges
of the application.

C:\>sc qc dnwhodisp
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: dnwhodisp
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Rockwell Software\RSLINX\dnwhodisp.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : dnWhoDisp
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : LocalSystem

Related

cvelist 1
zeroscience 1
cve 1
prion 1
nessus 2
nvd 1
ics 1
packetstorm 1
zdt 1
exploitdb 1
cvelist
cvelist
CVE-2018-10619
2018-06-07 00:00:00
zeroscience
zeroscience
Rockwell Automation RSLinx Classic and FactoryTalk Linx Gateway Privilege Escalation
2018-06-10 00:00:00
cve
cve
CVE-2018-10619
2018-06-07 20:29:00
prion
prion
Code injection
2018-06-07 20:29:00
nessus
nessus
Rockwell (CVE-2018-10619) (deprecated)
2022-02-07 00:00:00
Rockwellautomation Rslinx Unquoted Search Path or Element
2019-11-08 00:00:00
nvd
nvd
CVE-2018-10619
2018-06-07 20:29:00
ics
ics
Rockwell Automation RSLinx Classic and FactoryTalk Linx Gateway
2018-06-07 12:00:00
packetstorm
packetstorm
Rockwell Automation RSLinx Classic / FactoryTalk Linx Gateway Privilege Escalation
2018-06-13 00:00:00
zdt
zdt
RSLinx Classic and FactoryTalk Linx Gateway - Privilege Escalation Vulnerability
2018-06-15 00:00:00
exploitdb
exploitdb
RSLinx Classic and FactoryTalk Linx Gateway - Privilege Escalation
2018-06-13 00:00:00

0.0005 Low

EPSS

Percentile

18.4%

JSON
Related for EXPLOITPACK:97310E56DD1CFACFF5C28D49B1CAA91C
cvelist1zeroscience1cve1prion1nessus2nvd1ics1packetstorm1zdt1exploitdb1