Lucene search

K
talosTalos IntelligenceTALOS-2020-1167
HistoryFeb 19, 2021 - 12:00 a.m.

Sytech XL reporter installation privilege escalation vulnerability

2021-02-1900:00:00
Talos Intelligence
www.talosintelligence.com
61
sytech xl reporter
v14.0.1
privilege escalation
install directory
file permissions
vulnerability
vendor disclosure
vendor patched
public release

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0

Percentile

5.1%

Summary

An exploitable local privilege elevation vulnerability exists in the file system permissions of Sytech XL Reporter v14.0.1 install directory. Depending on the vector chosen, an attacker can overwrite service executables and execute arbitrary code with privileges of user set to run the service or replace other files within the installation folder, which would allow for local privilege escalation.

Tested Versions

Sytech XL Reporter v14.0.1

Product URLs

<https://www.sytech.com/product-xlreporter-overview.asp&gt;

CVSSv3 Score

8.8 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-276 - Incorrect Default Permissions

Details

XL Reporter is an industrial visualization and reporting software parsing data from PLC, HDA, OPC and historian systems.

By default, XL Reporter v14 is installed in “C:\XLReporter" directory and it allows “Authenticated Users” as well as “Everyone” group to have “Full/Change” privilege over “XLReporter Runtime” service binary file in the directory which are executed with NT SYSTEM authority. This allows users in both groups to read, write or modify arbitrary files in the install directory resulting in privilege escalation when service is restarted.

C:\XLReporter\bin\XLRiRuntime.exe 
                              Everyone:(ID)F
                              BUILTIN\Administrators:(ID)F
                              NT AUTHORITY\SYSTEM:(ID)F
                              BUILTIN\Users:(ID)R
                              NT AUTHORITY\Authenticated Users:(ID)C

Timeline

2020-10-20 - Vendor Disclosure

2021-02-18 - Vendor Patched
2021-02-19 - Public Release

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0

Percentile

5.1%

Related for TALOS-2020-1167