Automated Logic WebCTRL 6.5 Insecure File Permissions Privilege Escalation

`  
Automated Logic WebCTRL 6.5 Insecure File Permissions Privilege Escalation  
  
  
Vendor: Automated Logic Corporation  
Product web page: http://www.automatedlogic.com  
Affected version: ALC WebCTRL, i-Vu, SiteScan Web 6.5 and prior  
ALC WebCTRL, SiteScan Web 6.1 and prior  
ALC WebCTRL, i-Vu 6.0 and prior  
ALC WebCTRL, i-Vu, SiteScan Web 5.5 and prior  
ALC WebCTRL, i-Vu, SiteScan Web 5.2 and prior  
  
Summary: WebCTRLA(r), Automated Logic's web-based building automation  
system, is known for its intuitive user interface and powerful integration  
capabilities. It allows building operators to optimize and manage  
all of their building systems - including HVAC, lighting, fire, elevators,  
and security - all within a single HVAC controls platform. It's everything  
they need to keep occupants comfortable, manage energy conservation measures,  
identify key operational problems, and validate the results.  
  
Desc: WebCTRL server/service suffers from an elevation of privileges vulnerability  
which can be used by a simple authenticated user that can change the executable  
file with a binary of choice. The vulnerability exist due to the improper permissions,  
with the 'M' flag (Modify) or 'C' flag (Change) for 'Authenticated Users' group.  
The application suffers from an unquoted search path issue as well impacting the service  
'WebCTRL Service' for Windows deployed as part of WebCTRL server solution. This could  
potentially allow an authorized but non-privileged local user to execute arbitrary  
code with elevated privileges on the system. A successful attempt would require the  
local user to be able to insert their code in the system root path undetected by the  
OS or other security applications where it could potentially be executed during  
application startup or reboot. If successful, the local useras code would execute  
with the elevated privileges of the application.  
  
Tested on: Microsoft Windows 7 Professional SP1 (EN)  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2017-5429  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5429.php  
  
CVE ID: CVE-2017-9644  
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9644  
  
  
30.01.2017  
  
---  
  
  
sc qc "WebCTRL Service"  
  
[SC] QueryServiceConfig SUCCESS  
  
SERVICE_NAME: Webctrl Service  
TYPE : 20 WIN32_SHARE_PROCESS   
START_TYPE : 2 AUTO_START  
ERROR_CONTROL : 1 NORMAL  
BINARY_PATH_NAME : C:\WebCTRL6.0\WebCTRL Service.exe -run  
LOAD_ORDER_GROUP :   
TAG : 0  
DISPLAY_NAME : WebCTRL Service 6.0  
DEPENDENCIES :   
SERVICE_START_NAME : LocalSystem  
  
  
cacls "C:\WebCTRL6.0\WebCTRL Service.exe"  
  
C:\WebCTRL6.0\WebCTRL Service.exe  
BUILTIN\Administrators:(ID)F   
NT AUTHORITY\SYSTEM:(ID)F   
BUILTIN\Users:(ID)R   
NT AUTHORITY\Authenticated Users:(ID)C  
  
  
cacls "C:\WebCTRL6.0\WebCTRL Server.exe"  
  
C:\WebCTRL6.0\WebCTRL Server.exe  
BUILTIN\Administrators:(ID)F   
NT AUTHORITY\SYSTEM:(ID)F   
BUILTIN\Users:(ID)R   
NT AUTHORITY\Authenticated Users:(ID)C  
  
`