Crouzet em4 soft 1.1.04 and M3 soft 3.1.2.0 Insecure File Permissions

Title: Crouzet em4 soft 1.1.04 and M3 soft 3.1.2.0 Insecure File Permissions
Advisory ID: ZSL-2016-5310
Type: Local/Remote
Impact: Privilege Escalation
Risk: (2/5)
Release Date: 29.02.2016
Summary
em4 is more than just a nano-PLC. It is a leading edge device supported by best-in-class tools that enables you to create and implement the smartest automation applications. Millenium 3 (M3) is easy to program and to implement, it enables the control and monitoring of machines and automation installations with up to 50 I/O. It is positioned right at the heart of the Crouzet Automation range.
Description
em4 soft and M3 soft suffers from an elevation of privileges vulnerability which can be used by a simple authenticated user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the 'C' flag (Change) for 'Everyone' group.
Vendor
Crouzet Automatismes SAS - http://www.crouzet-automation.com
Affected Version
em4 soft (1.1.04 and 1.1.03.01)
M3 soft (3.1.2.0)
Tested On
Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)
Vendor Status
[25.01.2016] Vulnerability discovered.
[03.02.2016] Vendor contacted.
[28.02.2016] No response from the vendor.
[29.02.2016] Public security advisory released.
PoC
crouzet_em4_m3_perms.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://cxsecurity.com/issue/WLB-2016030012
[2] https://packetstormsecurity.com/files/136021
[3] https://www.exploit-db.com/exploits/39510/
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/111165
Changelog
[29.02.2016] - Initial release
[01.03.2016] - Added reference [1], [2] and [3]
[03.03.2016] - Added reference [4]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk