Schneider Electric Pelco VideoXpert Privilege Escalations


Vendor: Schneider Electric SE
Product web page: https://www.pelco.com
Affected version: Core Software 1.12.105
                  Media Gateway Software 1.12.26
                  Exports 1.12


Summary: VideoXpert is a video management solution designed for
scalability, fitting the needs of surveillance operations of any size.
VideoXpert Ultimate can also aggregate other VideoXpert systems,
tying multiple video management systems into a single interface.

Desc: The application is vulnerable to an elevation of privilege
vulnerability that lets an unprivileged user replace the executable
file with a binary of choice. The vulnerability exists due to
improper permissions, with the 'F' flag (full) for the
'Users' group, for several binary files. The service is installed
by default to start on system boot with LocalSystem privileges.
Attackers can replace the binary with their rootkit, and on reboot
they get SYSTEM privileges.

VideoXpert services also suffer from an unquoted search path issue
impacting the 'VideoXpert Core' and 'VideoXpert Exports' services
for Windows deployed as part of the VideoXpert Setup bundle. This
could potentially allow an authorized but non-privileged local user
to execute arbitrary code with elevated privileges on the system. A
successful attempt would require the local user to be able to insert
their code in the system root path undetected by the OS or other security
applications where it could potentially be executed during application
startup or reboot. If successful, the local user’s code would execute
with the elevated privileges of the application.

Tested on: Microsoft Windows 7 Professional SP1 (EN)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2017-5418
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5418.php


05.04.2017

--

C:\Program Files\Pelco\Core>sc qc "VideoXpert Core"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: VideoXpert Core
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START  (DELAYED)
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Pelco\Core\tools\nssm.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : VideoXpert Core
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem


C:\>cacls "C:\Program Files\Pelco\Core\tools\nssm.exe"
C:\Program Files\Pelco\Core\tools\nssm.exe NT AUTHORITY\SYSTEM:(ID)F
                                           BUILTIN\Administrators:(ID)F
                                           BUILTIN\Users:(ID)R


C:\ProgramData\Pelco\Core\db\bin>cacls * |findstr "Users:(ID)F"
C:\ProgramData\Pelco\Core\db\bin\libeay32.dll BUILTIN\Users:(ID)F
C:\ProgramData\Pelco\Core\db\bin\mongod.exe BUILTIN\Users:(ID)F
C:\ProgramData\Pelco\Core\db\bin\mongos.exe BUILTIN\Users:(ID)F
C:\ProgramData\Pelco\Core\db\bin\nssm.exe BUILTIN\Users:(ID)F
C:\ProgramData\Pelco\Core\db\bin\ssleay32.dll BUILTIN\Users:(ID)F


C:\>cacls "C:\ProgramData\Pelco\Exports\bin\nssm.exe"
C:\ProgramData\Pelco\Exports\bin\nssm.exe BUILTIN\Users:(ID)F
                                          NT AUTHORITY\SYSTEM:(ID)F
                                          BUILTIN\Administrators:(ID)F


C:\>cacls "C:\ProgramData\Pelco\Gateway\bin\nssm.exe"
C:\ProgramData\Pelco\Gateway\bin\nssm.exe BUILTIN\Users:(ID)F
                                          NT AUTHORITY\SYSTEM:(ID)F
                                          BUILTIN\Administrators:(ID)F



C:\Users\senad>sc qc "VideoXpert Exports"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: VideoXpert Exports
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\ProgramData\Pelco\Exports\bin\nssm.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : VideoXpert Exports
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
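

A read-only audit for the two conditions shown above (service binaries writable by low-privileged groups, and unquoted service paths), added here as an example; it is not part of the original advisory or any vendor tooling. It assumes PowerShell 3.0 or later on an English-language Windows install, and the function name Test-ServiceBinary is hypothetical.

```powershell
# Added example, not from the advisory. Read-only audit; run elevated so that
# Get-Acl can read every service binary. Principal names assume an EN install.
$lowPriv = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users',
           'NT AUTHORITY\INTERACTIVE'
# Bits that allow replacing or re-ACLing a file (FullControl and Modify include
# them), plus GENERIC_ALL / GENERIC_WRITE as they appear in inherit-only ACEs.
$writeBits = 0x50000000 -bor [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

function Test-ServiceBinary {   # hypothetical helper name
    param([string]$Name, [string]$PathName, [string]$StartName)

    # Separate the executable from its arguments in the service ImagePath.
    if ($PathName -match '^\s*"([^"]+)"') {
        $exe = $Matches[1]; $quoted = $true
    } elseif ($PathName -match '^\s*(.+?\.exe)\b') {
        $exe = $Matches[1]; $quoted = $false
    } else { return }

    $findings = @()
    if (-not $quoted -and $exe -match '\s') {
        $findings += 'unquoted path containing spaces'
    }
    # Check the binary and its directory (a writable directory allows DLL or EXE swaps).
    foreach ($target in @($exe, [System.IO.Path]::GetDirectoryName($exe))) {
        if (-not $target -or -not (Test-Path -LiteralPath $target)) { continue }
        foreach ($ace in (Get-Acl -LiteralPath $target).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $lowPriv -contains $ace.IdentityReference.Value -and
                ([int]$ace.FileSystemRights -band $writeBits)) {
                $findings += "$target writable by $($ace.IdentityReference.Value) ($($ace.FileSystemRights))"
            }
        }
    }
    foreach ($f in $findings) {
        [pscustomobject]@{ Service = $Name; RunsAs = $StartName; Finding = $f }
    }
}

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName } |
    ForEach-Object { Test-ServiceBinary $_.Name $_.PathName $_.StartName } |
    Sort-Object Service |
    Format-List
```

Findings on services whose RunsAs is LocalSystem are the ones that match this advisory; the fix is to remove write access for the listed principal and to quote the service path.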