← Advisories

Ross Video DashBoard 8.5.1 Insecure Permissions

Low

Advisory ID

ZSL-2019-5516

Release Date

23 April 2019

Vendor

Ross Video Ltd. - https://www.rossvideo.com

Affected Version

8.5.1

CVE

CVE-2019-25245

Tested On

Microsoft Windows 7 Professional SP1 (EN)

Summary

DashBoard is a free and open platform from Ross Video for facility control and monitoring that enables users to quickly build unique, tailored Custom Panels that make complex operations simple.

Description

DashBoard suffers from an elevation of privileges vulnerability which can be used by a simple authenticated user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the 'M' flag (Modify) or 'C' flag (Change) for 'Authenticated Users' group.

Proof of Concept

rossdashboard_eop.txtTXT

Disclosure Timeline

N/A

Credits

Vulnerability discovered by Gjoko Krstic

References

[1]https://www.exploit-db.com/exploits/46742

[2]https://packetstormsecurity.com/files/152601

[3]https://cxsecurity.com/issue/WLB-2019040215

[4]https://exchange.xforce.ibmcloud.com/vulnerabilities/160043

[5]https://www.cve.org/CVERecord?id=CVE-2019-25245

Changelog

23.04.2019Initial release

24.04.2019Added reference [1], [2] and [3]

01.05.2019Added reference [4]

23.03.2026Added reference [5]