[CVE-2020-22722] – Rapid SCADA Local Privilege Escalation Vulnerability

Product Owner: Rapid Software LLC

Type:  Installable/Customer-Controlled Application

Application Name: Rapid SCADA 5.8.0

Rapid SCADA is an open source industrial automation platform. The out of the box software provides tools for rapid creation of monitoring and control systems. In case of large implementation, Rapid SCADA is used as a core for development of custom SCADA and MES solutions for a Customer.

Open source is the key to software transparency and security. The licensing model permits creation of new derivative software products.

Rapid SCADA is a perfect choice for creating large distributed industrial automation systems. Rapid SCADA runs on servers, embedded computers and in the cloud. Rapid SCADA nodes exchange information between themselves, and interact with external databases in real time.

The main classes of systems developed using Rapid SCADA are the following:

  •  Industrial automation systems and IIoT systems.
  •  Process control systems.
  •  Energy accounting systems.

Product Url: https://rapidscada.org/

Download Url: https://rapidscada.org/download-all-files/download-rapid-scada/

Application Release Date: 2020-01-28

Severity: High

Authentication: Required

Complexity: Hard

Vulnerability Name: Rapid SCADA Local Privilege Escalation Vulnerability via ScadaAgentSvc.exe, ScadaCommSvc.exe

Vulnerability Explanation: Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.

Tested Os: Windows 10 Pro

Vulnerability Details:

Due to this COVID-19 outbreak, I was testing a lot of open source applications to learn new types of attacks and help our infosec community people to gain more awareness. So by googling I landed to this Rapid SCADA software which is free and it is used by a lot of people.

So installed the application and started with the basic enumeration process to check whether it has any service-related vulnerabilities.

I took a look at the application service just for curiosity and found that that there is no unquoted service path vulnerability.

ScadaAgentConfig.xml – Default directory location

Rapid Scada 5.8.0 Default installation directory

I had a look at the folder permissions of the “C:\ SCADA” folder and Wow! It had been set to “BUILDIN\Users:(OI)(CI)” which means any user can read, write, execute, create, delete do anything inside that folder and it’s subfolders. The ACL rules had OI – Object Inherit and CI – Container Inherit which means all the files in this folder and subfolders have full permissions.

Since “ScadaAgentSvc.exe” executable is a Windows service, by planting a malicious program with the same name “ScadaAgentSvc.exe” would result in executing the binary as “NT AUTHORITY\SYSTEM” giving highest privileges in a Windows operating system.

This vulnerability can be used to escalate privileges in a Windows operating system locally. For example, an attacker can plant a reverse shell from a low privileged user account and by restarting the computer, the malicious service will be started as “NT AUTHORITY\SYSTEM” by giving the attacker full system access to the remote PC.

Creating a malicious payload using msfvenom

Transfer to the victim system

Rename the service Exe with payload Exe

Restart the victim and you will gain shell access:

Note: We gain shell access before syh4ck user logging into to the system.

Syh4ck Normal User Lock screen – after restart

Gaining Admin Shell with from User machine

The following video POC demo – how this issue can be used to escalate privileges and gain a remote shell running as “NT AUTHORITY\SYSTEM”.

RapidScada 5.8 Local Priv POC

Vendor Status:

[21.04.2020] Vulnerability discovered.
[21.04.2020] Vendor contacted.

[24.04.2020] Vendor Acknowledged

[25.04.2020] Applied for CVE

[14-08-2020]- CVE Assigned – CVE-2020-22722

References

https://github.com/RapidScada/scada

Contact

Email– mr.anandmurugan@gmail.com

Twitter – https://twitter.com/syh4ck

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s