← Advisories

Circutor PowerStudio SCADA 4.0.5 Unquoted Service Path Elevation Of Privilege

Low

Advisory ID

ZSL-2015-5281

Release Date

05 December 2015

Vendor

CIRCUTOR SA - http://www.circutor.com

Affected Version

PowerStudio SCADA 4.0.5 and OPC Server 1.4.1

CVE

N/A

Tested On

Microsoft Windows 7 Professional SP1 (EN), Microsoft Windows 7 Ultimate SP1 (EN)

Summary

CIRCUTOR's Electrical Energy Efficiency software (e3) is currently called PowerStudio and encompasses all of the tools needed to manage your power control equipment: from electricity, gas and water meters to reactive energy compensation systems and powerful power analyzers.

Description

The application suffers from an unquoted search path issue impacting the services 'CircutorPowerStudioScadaServer' and 'CircutorPowerStudioServer' for Windows deployed as part of PowerStudio Series. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user’s code would execute with the elevated privileges of the application.

Proof of Concept

powerstudio_eop.txtTXT

Disclosure Timeline

12.10.2015Vulnerability discovered.

19.10.2015Vendor contacted.

20.10.2015Vendor responds asking more details.

20.10.2015Sent details to the vendor.

21.10.2015Vendor confirms the issue scheduling patch with new release.

21.10.2015Asked vendor when is the new version planned for release.

29.10.2015No reply from the vendor.

30.10.2015Asked vendor for status update.

30.10.2015Vendor informs that the new version will be released in two weeks.

15.11.2015Asked vendor for status update.

04.12.2015No response from the vendor.

05.12.2015Public security advisory released.

10.12.2015Vendor informs that the security issue will be resolved in the next version of PowerStudio 4.0.6.

Credits

Vulnerability discovered by Gjoko Krstic

References

[1]https://cxsecurity.com/issue/WLB-2015120046

[2]https://packetstormsecurity.com/files/134656

[3]https://exchange.xforce.ibmcloud.com/vulnerabilities/108570

Changelog

05.12.2015Initial release

06.12.2015Added reference [1]

07.12.2015Added reference [2]

08.12.2015Added reference [3]

10.12.2015Added vendor status