TALOS-2021-1384

Dream Report ODS Remote Connector privilege escalation vulnerability

Talos Intelligence (www.talosintelligence.com), Dec 06, 2021

CVSS2: 6.8 Medium (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Attack Vector: NETWORK; Attack Complexity: MEDIUM; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL

CVSS3: 7.3 High (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
Attack Vector: LOCAL; Attack Complexity: LOW; Privileges Required: LOW; User Interaction: REQUIRED; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

EPSS: 0.0005 Low (Percentile: 17.8%)

Summary

A privilege escalation vulnerability exists in the Remote Server functionality of Dream Report ODS Remote Connector 20.2.16900.0. A specially-crafted command injection can lead to elevated capabilities. An attacker can provide a malicious file to trigger this vulnerability.

Tested Versions

Dream Report ODS Remote Connector 20.2.16900.0

Product URLs

https://dreamreport.net/

CVSSv3 Score

8.8 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-276 - Incorrect Default Permissions

Details

Dream Report is an automation platform designed to facilitate collection and parsing of real-time information between various devices in industrial environments.

The service 'RTM Reporting System Runtime Manager' is installed during a stand-alone installation of ODS Remote Connector and starts with the following command line (at high integrity):

"c:\program files (x86)\ods\remote connector\system\rtm.exe" -control -runMode svc

After the above command line is executed, a second binary is started and runs for the whole lifecycle of the main service process:

"C:\Program Files (x86)\ODS\Remote Connector\System\Rdxa.exe"

RTM Reporting System Runtime Manager allows any user on the system to replace either binary in the default installation folder, as the ACLs below show ("Everyone" holds full control), and thereby execute code with the privileges of NT SYSTEM at high integrity:

c:\program files (x86)\ods\remote connector\system\Rtm.exe:
BUILTIN\Administrators:(ID)F
Everyone:(ID)F

C:\Program Files (x86)\ODS\Remote Connector\System\Rdxa.exe:
BUILTIN\Administrators:(ID)F
Everyone:(ID)F

In addition, because of the same permission weaknesses, other components used by either of the applications above, such as DLL libraries, can be replaced to sideload code from the following folder:

C:\Program Files (x86)\ODS\Remote Connector\System

These can be, for example:

BatchManager.dll
ChangeManager.dll
FontManagerDll.dll

Note that initial exploitation would yield only the privileges of the default virtual service account, nt service\rtm reporting system runtime manager. A full exploitation chain would need to take advantage of the SeImpersonatePrivilege assigned to the RTM Reporting System Runtime Manager service to achieve reliable execution with NT SYSTEM privileges.
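A defender-side check for the permission weakness described above, added here as an example (it is not Talos' or ODS' code): it parses a listing shaped like the one in this advisory (a path line ending in ':', then one icacls-style ACE per line), flags any ACE that lets a broad principal overwrite a service binary, and emits an icacls command for an assumed least-privilege baseline. The BROAD_PRINCIPALS set, the hardened sample path and the baseline rights in `remediation` are assumptions, not values from the advisory.

```python
# Added example (not Talos' or ODS' code): flag service binaries whose DACL lets
# broad principals overwrite them, from a listing shaped like this advisory's.
import re
BROAD_PRINCIPALS = {"everyone", "builtin\\users", "nt authority\\authenticated users"}
# Rights that allow replacing file content: full/modify/write plus the specific
# write-data, append-data, write-attribute and delete rights.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "WEA", "D", "DC"}
INHERIT_MARKERS = {"I", "OI", "CI", "IO", "NP", "ID"}   # carry no access right

def parse_rights(flags):
    """'(ID)F' -> {'F'}; '(OI)(CI)(WD,AD)' -> {'WD', 'AD'}."""
    rights = set()
    for paren, bare in re.findall(r"\(([^)]*)\)|([A-Z]+)", flags):
        for tok in (paren or bare).split(","):
            if tok.strip() and tok.strip() not in INHERIT_MARKERS:
                rights.add(tok.strip())
    return rights

def parse_listing(text):
    acls, path = {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.endswith(":"):                 # header such as 'C:\...\Rtm.exe:'
            path = line[:-1]
            acls.setdefault(path, [])
        elif path is not None:                 # ACE such as 'Everyone:(ID)F'
            principal, _, flags = line.rpartition(":")
            acls[path].append((principal, parse_rights(flags)))
    return acls

def find_weak(text):
    """(path, principal, sorted rights) for every ACE letting a broad principal write."""
    return [(path, who, sorted(rights))
            for path, aces in parse_listing(text).items()
            for who, rights in aces
            if who.lower() in BROAD_PRINCIPALS and rights & WRITE_RIGHTS]

def remediation(path):
    """icacls command restoring an assumed least-privilege baseline on one file."""
    return (f'icacls "{path}" /inheritance:r /grant:r "NT AUTHORITY\\SYSTEM:(F)" '
            '"BUILTIN\\Administrators:(F)" "BUILTIN\\Users:(RX)"')

# Constructed listing: the Rtm.exe entry quoted in the advisory plus a hypothetical hardened file.
SAMPLE = r"""c:\program files (x86)\ods\remote connector\system\Rtm.exe:
BUILTIN\Administrators:(ID)F
Everyone:(ID)F
C:\Program Files (x86)\Example\Hardened.exe:
NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
BUILTIN\Users:(RX)
"""
```

Running `find_weak(SAMPLE)` flags only the Rtm.exe entry (Everyone with F); feed it the real output of `icacls <file>` reshaped into the same header-plus-ACE layout to audit an installation.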

Vendor Response

Fixed in Dream Report Remote Connector 20.2.16900.1011

Timeline

2021-10-05 - Vendor Disclosure
2021-12-02 - Vendor patched
2021-12-06 - Public Release
