← Advisories

Crouzet em4 soft 1.1.04 and M3 soft 3.1.2.0 Insecure File Permissions

Low

Advisory ID

ZSL-2016-5310

Release Date

29 February 2016

Vendor

Crouzet Automatismes SAS - http://www.crouzet-automation.com

Affected Version

em4 soft (1.1.04 and 1.1.03.01), M3 soft (3.1.2.0)

CVE

N/A

Tested On

Microsoft Windows 7 Professional SP1 (EN), Microsoft Windows 7 Ultimate SP1 (EN)

Summary

em4 is more than just a nano-PLC. It is a leading edge device supported by best-in-class tools that enables you to create and implement the smartest automation applications. Millenium 3 (M3) is easy to program and to implement, it enables the control and monitoring of machines and automation installations with up to 50 I/O. It is positioned right at the heart of the Crouzet Automation range.

Description

em4 soft and M3 soft suffers from an elevation of privileges vulnerability which can be used by a simple authenticated user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the 'C' flag (Change) for 'Everyone' group.

Proof of Concept

crouzet_em4_m3_perms.txtTXT

Disclosure Timeline

25.01.2016Vulnerability discovered.

03.02.2016Vendor contacted.

28.02.2016No response from the vendor.

29.02.2016Public security advisory released.

Credits

Vulnerability discovered by Gjoko Krstic

References

[1]https://cxsecurity.com/issue/WLB-2016030012

[2]https://packetstormsecurity.com/files/136021

[3]https://www.exploit-db.com/exploits/39510/

[4]https://exchange.xforce.ibmcloud.com/vulnerabilities/111165

Changelog

29.02.2016Initial release

01.03.2016Added reference [1], [2] and [3]

03.03.2016Added reference [4]