iniNet SpiderControl PLC Editor Simatic 6.30.04 Insecure File Permissions Vendor: iniNet Solutions GmbH Product web page: http://www.spidercontrol.net Affected version: 6.30.04 (Build 6300400) Summary: Modular and automated engineering is provided for HMI and SCADA. The tools are developed to join a large range of engineering modules together quickly. We modularize our software, as the mechanics of a system are modularized today. Easy to visualize with a few clicks. Desc: SpiderControl PLC Editor Simatic suffers from an elevation of privileges vulnerability which can be used by a simple user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the 'F' flag (Full) for 'Everyone' group, and 'C' flag (Change) for 'Authenticated Users' group making the entire directory 'PLCEditorSimatic_6300400' and its files and sub-dirs world-writable. Tested on: Microsoft Windows 7 Professional SP1 (EN) Microsoft Windows 7 Ultimate SP1 (EN) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2015-5283 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5283.php 22.10.2015 -- C:SpiderControlPLCEditorSimatic_6300400>cacls PLCEditorSimatic.exe C:SpiderControlPLCEditorSimatic_6300400PLCEditorSimatic.exe Everyone:(ID)F BUILTINAdministrators:(ID)F NT AUTHORITYSYSTEM:(ID)F BUILTINUsers:(ID)R NT AUTHORITYAuthenticated Users:(ID)C C:SpiderControlPLCEditorSimatic_6300400>dir Volume in drive C is Windows Volume Serial Number is 56F3-8688 Directory of C:SpiderControlPLCEditorSimatic_6300400 22/10/2015 10:10 <DIR> . 22/10/2015 10:10 <DIR> .. 09/05/2012 14:03 379 fontconfig.txt 22/10/2015 10:10 <DIR> HTML5Comp 22/10/2015 10:10 <DIR> HWSpecific 24/06/2015 18:42 386,812 IMasterSimatic6_30_04.jar 22/10/2015 10:10 <DIR> ImportNConvertComp 22/10/2015 10:10 <DIR> MacroDlgComp 22/10/2015 10:10 <DIR> MacroDlgRuntime 22/10/2015 10:10 <DIR> MacroLib 22/10/2015 10:10 <DIR> MacroLibTempFiles 26/04/2005 15:26 320 MsgBox.teq 22/10/2015 10:10 <DIR> News_ReleaseNotes 06/06/2012 11:06 81 PLCEditorExtraBatch.bat 11/01/2013 12:29 727 PLCEditorKey.spl 02/07/2015 22:58 7,997,440 PLCEditorSimatic.exe 26/11/2014 19:04 3,806 PLCPPOCheckCfgSimaticPLC.xml 02/07/2015 18:25 2,958,336 PLC_FontGenerator.exe 22/10/2015 10:10 <DIR> Projects 17/06/2015 10:58 34,275 PropWndDescript.xml 25/04/2014 16:55 104,254 s7api.jar 18/05/2015 12:28 42,478 ScadaDescript.xml 10/01/2011 15:09 208 ScadaPPOList.csv 22/10/2015 10:10 <DIR> SCUtils 09/02/2015 13:27 8,242 SimaticDefaultSpiderHWProfile.shp 01/07/2015 16:36 2,693,569 SimaticPLCHelp.chm 22/10/2015 10:30 <DIR> SimulateRuntime 22/10/2015 10:10 <DIR> SimulationComp 06/09/2012 11:13 65,536 SpiderLink1.dll 06/09/2012 11:13 65,536 SpiderLink2.dll 06/09/2012 11:13 65,536 SpiderLink3.dll 06/09/2012 11:13 65,536 SpiderLink4.dll 02/07/2015 18:26 265,216 SpiderObserver.dll 02/07/2015 18:25 269,824 SpiderOPCBrowser.dll 02/07/2015 23:42 483,328 SPSVarSelectorCsv.dll 02/07/2015 18:26 430,080 SPSVarSelectorTpy.dll 22/10/2015 10:10 <DIR> SVGComp 22/10/2015 10:10 86,988 unins000.dat 22/10/2015 10:10 736,929 unins000.exe 10/01/2011 15:05 28 ZelsCfg.csv 22/10/2015 10:10 <DIR> ZipComp 25 File(s) 16,765,464 bytes 16 Dir(s) 77,686,059,008 bytes free C:SpiderControlPLCEditorSimatic_6300400>cd .. C:SpiderControl>cacls PLCEditorSimatic_6300400 C:SpiderControlPLCEditorSimatic_6300400 Everyone:(OI)(CI)F BUILTINAdministrators:(ID)F BUILTINAdministrators:(OI)(CI)(IO)(ID)F NT AUTHORITYSYSTEM:(ID)F NT AUTHORITYSYSTEM:(OI)(CI)(IO)(ID)F BUILTINUsers:(OI)(CI)(ID)R NT AUTHORITYAuthenticated Users:(ID)C NT AUTHORITYAuthenticated Users:(OI)(CI)(IO)(ID)C