Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Cimetrics BACstac Routing Service 6.2f Local Privilege Escalation

🗓️ 13 Feb 2017 00:00:00Reported by LiquidWormType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 69 Views

Cimetrics BACstac Routing Service 6.2f Local Privilege Escalation affects Windows

Code
`  
Cimetrics BACstac Routing Service 6.2f Local Privilege Escalation  
  
  
Vendor: Cimetrics, Inc.  
Product web page: https://www.cimetrics.com  
Affected version: 6.2f  
  
Summary: BACstac belongs to product BACstac(TM) Networking Software and  
was developed by company Cimetrics Inc. Cimetrics is excited to announce  
a new version of our industry-leading BACnet protocol stack: BACstac 6.8.  
The Cimetrics BACstac saves man-years of development when your company needs  
to create a BACnet solution ! Our software team has created a set of BACnet  
libraries which greatly simplify the task of interfacing to BACnet.  
  
Even the largest companies in the HVAC industry use our code because it is  
a very complex and time consuming task keeping up with the ongoing changes  
that are taking place in the BACnet committees. For example, many hundreds  
of protocol modifications, requirements, and enhancements have taken place  
in just the past year. By purchasing the Cimetrics BACstac solution, we do  
the compatibility coding and testing. This typically saves man-years of  
software developer time EVERY YEAR !  
  
Desc: The application suffers from an unquoted search path issue impacting  
the service 'bacstac' (bacstac-gtw.exe) for Windows deployed as part of BACstac  
routing service solution. This could potentially allow an authorized but non-privileged  
local user to execute arbitrary code with elevated privileges on the system.  
A successful attempt would require the local user to be able to insert their  
code in the system root path undetected by the OS or other security applications  
where it could potentially be executed during application startup or reboot.  
If successful, the local users code would execute with the elevated privileges  
of the application.  
  
BACstac also provides a named pipe used for IPC connection between a BACstac  
application and the BACstac service.  
  
The BACstac Service implements AL multiplexing using a custom IPC mechanism. The  
IPC mechanism was chosen to allow portability to embedded systems, and it uses a  
fixed number of slots. The slots are recycled when an application stops running.  
  
With Object-based multiplexing, Service requests that identify a particular Object  
(e.g. Read-Property) can be forwarded to a dedicated process. A multiplexing server  
using an appropriate IPC mechanism (e.g. CORBA, COM, or UDP) can be built on top of  
the BACstac API.  
  
A number of BACstac protocol stack run-time configuration parameters are stored  
in the Windows Registry. These values are created and initialized when the protocol  
stack is installed. The registry entries are not completely removed when the protocol  
stack is uninstalled (this is standard behaviour for .INF files). The Registry  
entries are located in:  
  
HKEY_LOCAL_MACHINE\SOFTWARE\Cimetrics\BACstac  
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BACstac  
  
The BACstac Service parameters (in ..\Services\BACstac) include plenty of keys,  
one of which is the 'Tsml\ConnIpc' key with the default name: \\.\pipe\bacstac.  
  
The vulnerability exist due to the improper permissions, with the 'F' flag (Full)  
for 'Everyone' group.  
  
Tested on: Microsoft Windows 7 Professional SP1 (EN)  
Microsoft Windows 7 Ultimate SP1 (EN)  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2017-5397  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5397.php  
  
  
13.12.2016  
  
--  
  
  
C:\>sc qc bacstac  
[SC] QueryServiceConfig SUCCESS  
  
SERVICE_NAME: bacstac  
TYPE : 10 WIN32_OWN_PROCESS  
START_TYPE : 2 AUTO_START  
ERROR_CONTROL : 1 NORMAL  
BINARY_PATH_NAME : C:\Program Files (x86)\Cimetrics\BACstac v6.2f\bacstac-gtw.exe  
LOAD_ORDER_GROUP :  
TAG : 0  
DISPLAY_NAME : BACstac Protocol  
DEPENDENCIES :  
SERVICE_START_NAME : LocalSystem  
  
C:\>  
C:\>accesschk.exe \pipe\bacstac  
  
Accesschk v6.02 - Reports effective permissions for securable objects  
Copyright (C) 2006-2016 Mark Russinovich  
Sysinternals - www.sysinternals.com  
  
\\.\Pipe\bacstac  
RW Everyone  
  
C:\>  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
13 Feb 2017 00:00Current
cimetricsbacstac routing servicelocal privilege escalationwindows 7registryipc mechanism
69