Zero Science Lab » NREL BEopt 2.8.0 Insecure Library Loading Arbitrary Code Execution

NREL BEopt 2.8.0 Insecure Library Loading Arbitrary Code Execution

Title: NREL BEopt 2.8.0 Insecure Library Loading Arbitrary Code Execution
Advisory ID: ZSL-2019-5513
Type: Remote/Local
Impact: System Access
Risk: (4/5)
Release Date: 09.03.2019

Summary

The BEopt™ (Building Energy Optimization Tool) software provides capabilities to evaluate residential building designs and identify cost-optimal efficiency packages at various levels of whole-house energy savings along the path to zero net energy.

Description

BEopt suffers from a DLL Hijacking issue. The vulnerability is caused due to the application loading libraries (sdl2.dll and libegl.dll) in an insecure manner. This can be exploited to load arbitrary libraries by tricking a user into opening a related application file .BEopt located on a remote WebDAV or SMB share.

Vendor

NREL - https://beopt.nrel.gov

Affected Version

2.8.0.0
2.7.0.0
2.6.0.1

Tested On

Microsoft Windows 7 Ultimate SP1 (EN)

Vendor Status

[06.02.2019] Vulnerability discovered.
[08.02.2019] Vendor contacted.
[08.02.2019] Vendor responds asking more details.
[09.02.2019] Sent details to the vendor.
[18.02.2019] No response from the vendor.
[19.02.2019] Asked vendor for status update.
[08.03.2019] No response from the vendor.
[09.03.2019] Public security advisory released.

PoC

beopt_dllhijack.c

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] https://packetstormsecurity.com/files/152043
[2] https://cxsecurity.com/issue/WLB-2019030108
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/158065

Changelog

[09.03.2019] - Initial release
[12.03.2019] - Added reference [1]
[13.03.2019] - Added reference [2]
[17.03.2019] - Added reference [3]

Contact

Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk