'[FD] =?utf-8?q?Schneider_Electric_Pro-Face_WinGP_=E2=80=93_Runtim?= =?utf-8?q?e=2Eexe_=E2=80=93_Inse'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [FD] =?utf-8?q?Schneider_Electric_Pro-Face_WinGP_=E2=80=93_Runtim?= =?utf-8?q?e=2Eexe_=E2=80=93_Inse
From:       Karn Ganeshen <karnganeshen () gmail ! com>
Date:       2017-06-30 4:50:42
Message-ID: CAB8+WF1N6C3Ad+Kb2OT=-zDWc=doZhNnqbfTiFBCAZ5gf1MqDw () mail ! gmail ! com
[Download RAW message or body]

[ICS] Schneider Electric Pro-Face WinGP – Runtime.exe – Insecure Library
Loading Allows Code Execution

Vendor: Schneider Electric
Equipment: Pro-Face WinGP
Vulnerability: Uncontrolled Search Path Element (DLL side-loading)

Advisory URL:
https://ipositivesecurity.com/2017/06/28/ics-schneider-electric-pro-face-wingp-insecure-library-loading-allows-code-execution/

------------------------

AFFECTED PRODUCTS

------------------------

Schneider Electric Pro-Face WinGP - Packaged version with GP Pro Server EX
-> current version

------------------------

ABOUT

------------------------

WinGP is a runtime engine, and is a component of Schneider Electric
Pro-Face GP Pro-Server EX. Pro-Face GP Pro-Server EX is premier HMI
Development Software that supports Dedicated and Open HMI (PC-based)
solutions.

https://www.proface.com/en/download/trial/gpproex/v40
http://www.pro-face.com/otasuke/download/trial/

------------------------

VULNERABLE VERSION

------------------------

Packaged version with GP Pro Server EX -> current version

------------------------

IMPACT

------------------------

Successful exploitation of this vulnerability could allow an authenticated
user to escalate his or her privileges.

------------------------

VULNERABILITY DETAILS

------------------------

This vulnerability allows attackers to execute arbitrary code on vulnerable
installations of Schneider Electric Pro-Face WinGP software. User
interaction is required to exploit this vulnerability in that the malicious
dll file should be saved in any of the DLL search paths.

The specific flaw exists within the handling of a specific named DLL file
used by Runtime.exe. By default, the program is installed in C:\Pro-Face\
and any authenticated local users have RWX access. By placing a specific
DLL/OCX file (listed below), an attacker is able to force the process to
load an arbitrary DLL. This allows an attacker to execute arbitrary code in
the context of the process when it is run.

------------------------

DLL File Names

------------------------

i2capi.dll

------------------------

Application Executables (that look for missing DLL/OCX)

------------------------

Runtime.exe

------------------------

Steps to reproduce

------------------------

1. Generate a dll payload
msfvenom –p windows/exec cmd=calc.exe –f dll –o i2capi.dll
2. Place this dll in install directory (or C:\Windows, or any directory
defined in the PATH environment variable)
C:\Pro-face\WinGP\
3. Run Runtime.exe -> calc.exe executes

+++++

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[prev in list] [next in list] [prev in thread] [next in thread] 