Ross Video DashBoard 8.5.1 Insecure Permissions
Title: Ross Video DashBoard 8.5.1 Insecure Permissions
Advisory ID: ZSL-2019-5516
Type: Local
Impact: Privilege Escalation
Risk: (2/5)
Release Date: 23.04.2019
[2] https://packetstormsecurity.com/files/152601
[3] https://cxsecurity.com/issue/WLB-2019040215
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/160043
[24.04.2019] - Added reference [1], [2] and [3]
[01.05.2019] - Added reference [4]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2019-5516
Type: Local
Impact: Privilege Escalation
Risk: (2/5)
Release Date: 23.04.2019
Summary
DashBoard is a free and open platform from Ross Video for facility control and monitoring that enables users to quickly build unique, tailored Custom Panels that make complex operations simple.Description
DashBoard suffers from an elevation of privileges vulnerability which can be used by a simple authenticated user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the 'M' flag (Modify) or 'C' flag (Change) for 'Authenticated Users' group.Vendor
Ross Video Ltd. - https://www.rossvideo.comAffected Version
8.5.1Tested On
Microsoft Windows 7 Professional SP1 (EN)Vendor Status
N/APoC
rossdashboard_eop.txtCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] https://www.exploit-db.com/exploits/46742[2] https://packetstormsecurity.com/files/152601
[3] https://cxsecurity.com/issue/WLB-2019040215
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/160043
Changelog
[23.04.2019] - Initial release[24.04.2019] - Added reference [1], [2] and [3]
[01.05.2019] - Added reference [4]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
