Cimetrics BACstac Routing Service 6.2f Local Privilege Escalation

2017-02-12 15:55
Title: Cimetrics BACstac Routing Service 6.2f Local Privilege Escalation
Advisory ID: ZSL-2017-5397
Type: Local
Impact: Privilege Escalation
Risk: (3/5)
Release Date: 12.02.2017
Summary
BACstac belongs to product BACstac(TM) Networking Software and was developed by company Cimetrics Inc. Cimetrics is excited to announce a new version of our industry-leading BACnet protocol stack: BACstac 6.8. The Cimetrics BACstac saves man-years of development when your company needs to create a BACnet solution! Our software team has created a set of BACnet libraries which greatly simplify the task of interfacing to BACnet.

Even the largest companies in the HVAC industry use our code because it is a very complex and time consuming task keeping up with the ongoing changes that are taking place in the BACnet committees. For example, many hundreds of protocol modifications, requirements, and enhancements have taken place in just the past year. By purchasing the Cimetrics BACstac solution, we do the compatibility coding and testing. This typically saves man-years of software developer time EVERY YEAR!
Description
The application suffers from an unquoted search path issue impacting the service 'bacstac' (bacstac-gtw.exe) for Windows deployed as part of BACstac routing service solution. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
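An added audit sketch, not part of the original advisory or of the vendor's software: it flags service ImagePath values that are unquoted and contain spaces, lists the earlier path prefixes whose write permissions should be verified, and produces the quoted form that removes the ambiguity. The service names and paths in SAMPLE are constructed; the advisory does not state the install path of bacstac-gtw.exe.

```python
import re

# CreateProcess resolves an unquoted command line by trying each
# space-delimited prefix as "<prefix>.exe" before the intended binary,
# so every such prefix is a location whose write ACL matters.
EXE_RE = re.compile(r"\.exe\b", re.IGNORECASE)

def audit_image_path(image_path):
    """Return ambiguous prefixes for a service ImagePath ([] if none)."""
    p = image_path.strip()
    m = EXE_RE.search(p)
    if p.startswith('"') or not m:
        return []                      # quoted, or not an .exe (e.g. a driver)
    exe = p[:m.end()]                  # executable path without arguments
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]

def quoted_form(image_path):
    """Return the ImagePath with the executable quoted (the fix)."""
    p = image_path.strip()
    m = EXE_RE.search(p)
    if p.startswith('"') or not m:
        return p
    return '"' + p[:m.end()] + '"' + p[m.end():]

# Constructed sample data: hypothetical service names and paths.
SAMPLE = {
    "ExampleRouter": r"C:\Program Files (x86)\Example Vendor\Routing Service\svc.exe -start",
    "ExampleQuoted": r'"C:\Program Files\Example Vendor\agent.exe" --run',
    "ExampleNoSpace": r"C:\Windows\system32\svchost.exe -k netsvcs",
}

def audit(services):
    """Map each flagged service to (paths to check, corrected ImagePath)."""
    return {name: (audit_image_path(path), quoted_form(path))
            for name, path in services.items() if audit_image_path(path)}

if __name__ == "__main__":
    for name, (prefixes, fix) in audit(SAMPLE).items():
        print(f"[!] {name}: unquoted ImagePath")
        for c in prefixes:
            print(f"    verify non-admins cannot create: {c}")
        print(f"    set ImagePath to: {fix}")
```

On a live host the same functions can be fed the ImagePath values read from the Services registry key instead of SAMPLE.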

BACstac also provides a named pipe used for IPC connection between a BACstac application and the BACstac service.

The BACstac Service implements AL multiplexing using a custom IPC mechanism. The IPC mechanism was chosen to allow portability to embedded systems, and it uses a fixed number of slots. The slots are recycled when an application stops running.

With Object-based multiplexing, Service requests that identify a particular Object (e.g. Read-Property) can be forwarded to a dedicated process. A multiplexing server using an appropriate IPC mechanism (e.g. CORBA, COM, or UDP) can be built on top of the BACstac API.

A number of BACstac protocol stack run-time configuration parameters are stored in the Windows Registry. These values are created and initialized when the protocol stack is installed. The registry entries are not completely removed when the protocol stack is uninstalled (this is standard behaviour for .INF files). The Registry entries are located in:

HKEY_LOCAL_MACHINE\SOFTWARE\Cimetrics\BACstac
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BACstac

The BACstac Service parameters (in ..\Services\BACstac) include plenty of keys, one of which is the 'TsmlConnIpc' key with the default name: \\.\pipe\bacstac.

The vulnerability exists due to improper permissions, with the 'F' flag (Full) for the 'Everyone' group.
Vendor
Cimetrics, Inc. - https://www.cimetrics.com
Affected Version
6.2f
Tested On
Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)
Vendor Status
[13.12.2016] Vulnerability discovered.
[31.01.2017] Vendor contacted.
[11.02.2017] No reply from the vendor.
[12.02.2017] Public security advisory released.
PoC
bacstac_eop.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
N/A
Changelog
[12.02.2017] - Initial release
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk


Source: www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5397.php
