Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zeroscienceGjoko KrsticZSL-2016-5310
HistoryFeb 29, 2016 - 12:00 a.m.

Crouzet em4 soft 1.1.04 and M3 soft 3.1.2.0 Insecure File Permissions

2016-02-2900:00:00
Gjoko Krstic
zeroscience.mk
32

7.2 High

AI Score

Confidence

Low

JSON

Title: Crouzet em4 soft 1.1.04 and M3 soft 3.1.2.0 Insecure File Permissions
Advisory ID: ZSL-2016-5310
Type: Local/Remote
Impact: Privilege Escalation
Risk: (2/5)
Release Date: 29.02.2016

Summary

em4 is more than just a nano-PLC. It is a leading edge device supported by best-in-class tools that enables you to create and implement the smartest automation applications. Millenium 3 (M3) is easy to program and to implement, it enables the control and monitoring of machines and automation installations with up to 50 I/O. It is positioned right at the heart of the Crouzet Automation range.

Description

em4 soft and M3 soft suffers from an elevation of privileges vulnerability which can be used by a simple authenticated user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the ‘C’ flag (Change) for ‘Everyone’ group.

Vendor

Crouzet Automatismes SAS - <http://www.crouzet-automation.com>

Affected Version

em4 soft (1.1.04 and 1.1.03.01)
M3 soft (3.1.2.0)

Tested On

Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)

Vendor Status

[25.01.2016] Vulnerability discovered.
[03.02.2016] Vendor contacted.
[28.02.2016] No response from the vendor.
[29.02.2016] Public security advisory released.

PoC

crouzet_em4_m3_perms.txt

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>

References

[1] <https://cxsecurity.com/issue/WLB-2016030012&gt;
[2] <https://packetstormsecurity.com/files/136021&gt;
[3] <https://www.exploit-db.com/exploits/39510/&gt;
[4] <https://exchange.xforce.ibmcloud.com/vulnerabilities/111165&gt;

Changelog

[29.02.2016] - Initial release
[01.03.2016] - Added reference [1], [2] and [3]
[03.03.2016] - Added reference [4]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: [email protected]

<html><body><p>Crouzet em4 soft 1.1.04 and M3 soft 3.1.2.0 Insecure File Permissions


Vendor: Crouzet Automatismes SAS
Product web page: http://www.crouzet-automation.com
Affected version: em4 soft (1.1.04 and 1.1.03.01)
                  M3 soft (3.1.2.0)

Summary: em4 is more than just a nano-PLC. It is a leading
edge device supported by best-in-class tools that enables
you to create and implement the smartest automation applications.
Millenium 3 (M3) is easy to program and to implement, it enables
the control and monitoring of machines and automation installations
with up to 50 I/O. It is positioned right at the heart of the
Crouzet Automation range.

Desc: em4 soft and M3 soft suffers from an elevation of privileges
vulnerability which can be used by a simple authenticated user that can
change the executable file with a binary of choice. The vulnerability
exist due to the improper permissions, with the 'C' flag (Change) for
'Everyone' group.

Tested on: Microsoft Windows 7 Professional SP1 (EN)
           Microsoft Windows 7 Ultimate SP1 (EN)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5310
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5310.php


25.01.2016

--


C:\Program Files (x86)\Crouzet automation&gt;cacls "em4 soft"
C:\Program Files (x86)\Crouzet automation\em4 soft Everyone:(OI)(CI)C
                                                   NT SERVICE\TrustedInstaller:(ID)F
                                                   NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
                                                   NT AUTHORITY\SYSTEM:(ID)F
                                                   NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
                                                   BUILTIN\Administrators:(ID)F
                                                   BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
                                                   BUILTIN\Users:(ID)R
                                                   BUILTIN\Users:(OI)(CI)(IO)(ID)(special access:)
                                                                                 GENERIC_READ
                                                                                 GENERIC_EXECUTE

                                                   CREATOR OWNER:(OI)(CI)(IO)(ID)F


C:\Program Files (x86)\Crouzet automation&gt;cd "em4 soft"

C:\Program Files (x86)\Crouzet automation\em4 soft&gt;cacls *.exe
C:\Program Files (x86)\Crouzet automation\em4 soft\em4 soft.exe Everyone:(ID)C
                                                                NT AUTHORITY\SYSTEM:(ID)F
                                                                BUILTIN\Administrators:(ID)F
                                                                BUILTIN\Users:(ID)R

C:\Program Files (x86)\Crouzet automation\em4 soft\unins000.exe Everyone:(ID)C
                                                                NT AUTHORITY\SYSTEM:(ID)F
                                                                BUILTIN\Administrators:(ID)F
                                                                BUILTIN\Users:(ID)R


C:\Program Files (x86)\Crouzet automation\em4 soft&gt;


================================================================================================


C:\Program Files (x86)\Crouzet Automatismes&gt;cacls "Millenium 3"
C:\Program Files (x86)\Crouzet Automatismes\Millenium 3 Everyone:(OI)(CI)C
                                                        NT SERVICE\TrustedInstaller:(ID)F
                                                        NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
                                                        NT AUTHORITY\SYSTEM:(ID)F
                                                        NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
                                                        BUILTIN\Administrators:(ID)F
                                                        BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
                                                        BUILTIN\Users:(ID)R
                                                        BUILTIN\Users:(OI)(CI)(IO)(ID)(special access:)
                                                                                      GENERIC_READ
                                                                                      GENERIC_EXECUTE

                                                        CREATOR OWNER:(OI)(CI)(IO)(ID)F


C:\Program Files (x86)\Crouzet Automatismes&gt;cd "Millenium 3"

C:\Program Files (x86)\Crouzet Automatismes\Millenium 3&gt;cacls *.exe
C:\Program Files (x86)\Crouzet Automatismes\Millenium 3\M3 soft.exe Everyone:(ID)C
                                                                    NT AUTHORITY\SYSTEM:(ID)F
                                                                    BUILTIN\Administrators:(ID)F
                                                                    BUILTIN\Users:(ID)R

C:\Program Files (x86)\Crouzet Automatismes\Millenium 3\unins000.exe Everyone:(ID)C
                                                                     NT AUTHORITY\SYSTEM:(ID)F
                                                                     BUILTIN\Administrators:(ID)F
                                                                     BUILTIN\Users:(ID)R


C:\Program Files (x86)\Crouzet Automatismes\Millenium 3&gt;
</p></body></html>

7.2 High

AI Score

Confidence

Low

JSON