Product Owner: Rapid Software LLC
Type: Installable/Customer-Controlled Application
Application Name: Rapid SCADA 5.8.0
Rapid SCADA is an open source industrial automation platform. The out-of-the-box software provides tools for rapid creation of monitoring and control systems. For large deployments, Rapid SCADA is used as the core for developing custom SCADA and MES solutions for a customer.
Open source is the key to software transparency and security. The licensing model permits creation of new derivative software products.
Rapid SCADA is a perfect choice for creating large distributed industrial automation systems. Rapid SCADA runs on servers, embedded computers and in the cloud. Rapid SCADA nodes exchange information between themselves, and interact with external databases in real time.
The main classes of systems developed using Rapid SCADA are the following:
- Industrial automation systems and IIoT systems.
- Process control systems.
- Energy accounting systems.
Product Url: https://rapidscada.org/
Application Release Date: 2020-01-28
Vulnerability Name: Rapid SCADA Local Privilege Escalation Vulnerability via ScadaAgentSvc.exe, ScadaCommSvc.exe
Vulnerability Explanation: Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application running with more privileges than the application developer or system administrator intended can perform unauthorized actions.
Tested OS: Windows 10 Pro
Due to this COVID-19 outbreak, I was testing a lot of open source applications to learn new types of attacks and help our infosec community people gain more awareness. So by googling I landed on this Rapid SCADA software, which is free and is used by a lot of people.
So I installed the application and started with the basic enumeration process to check whether it has any service-related vulnerabilities.
I took a look at the application service just out of curiosity and found that there is no unquoted service path vulnerability.
Rapid Scada 5.8.0 Default installation directory
I had a look at the folder permissions of the “C:\SCADA” folder and Wow! It had been set to “BUILTIN\Users:(OI)(CI)”, which means any user can read, write, execute, create, delete and do anything inside that folder and its subfolders. The ACL rules had OI (Object Inherit) and CI (Container Inherit), which means all the files in this folder and its subfolders have full permissions.
Since the “ScadaAgentSvc.exe” executable is a Windows service binary, planting a malicious program with the same name “ScadaAgentSvc.exe” in that folder would result in the binary being executed as “NT AUTHORITY\SYSTEM”, the highest privilege level in a Windows operating system.
This vulnerability can be used to escalate privileges locally in a Windows operating system. For example, an attacker can plant a reverse shell from a low-privileged user account and, by restarting the computer, the malicious service will be started as “NT AUTHORITY\SYSTEM”, giving the attacker full system access to the remote PC.
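The root cause above is a directory ACL that lets a broad group write into the folder a SYSTEM service loads its binary from. The following PowerShell script is an added audit example for this write-up, not code from the advisory author or from Rapid SCADA: it walks every installed service, resolves the directory of its binary, and reports any Allow ACE that grants write, modify, full control or generic-write rights to BUILTIN\Users, Everyone, Authenticated Users or INTERACTIVE. The group list, the right mask and the icacls hardening commands in the comments are general Windows hardening choices assumed here; the path C:\SCADA is the default install directory named in the write-up.

```powershell
# Added audit script (not part of the advisory or of Rapid SCADA).
# Flags Windows services whose binary directory is writable by broad groups,
# the condition that made the C:\SCADA folder in this write-up exploitable.

# Principals that should never hold write rights on a service binary directory.
# (Assumed list; extend it for your environment.)
$BroadPrincipals = @(
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets a principal add or replace files in the directory.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
               [System.Security.AccessControl.FileSystemRights]::Delete

# Generic access bits (GENERIC_WRITE 0x40000000, GENERIC_ALL 0x10000000) are not
# members of FileSystemRights but do appear in some ACEs; treat them as write too.
$GenericWriteMask = 0x50000000

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # PathName is either quoted ("C:\dir\svc.exe" /arg) or unquoted (C:\dir\svc.exe /arg).
    if ($PathName -match '^"([^"]+)"')   { return $Matches[1] }
    if ($PathName -match '^(\S+\.exe)') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

function Test-DirectoryWritableByBroadGroup {
    param([string]$Directory, [string]$ServiceName)
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [long][int]$ace.FileSystemRights
        $writable = (($rights -band [int]$WriteRights) -ne 0) -or
                    (($rights -band $GenericWriteMask) -ne 0)
        if ($writable) {
            [pscustomobject]@{
                Service   = $ServiceName
                Directory = $Directory
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                # (OI)(CI) in icacls output shows here as ObjectInherit, ContainerInherit.
                Inherit   = $ace.InheritanceFlags
            }
        }
    }
}

function Find-WeakServiceDirectories {
    # Enumerate every service, resolve its binary directory, and report weak ACLs.
    Get-CimInstance Win32_Service | ForEach-Object {
        if (-not $_.PathName) { return }
        $exe = Get-ServiceBinaryPath $_.PathName
        $dir = Split-Path -Parent $exe
        if (-not (Test-Path -LiteralPath $dir)) { return }
        Test-DirectoryWritableByBroadGroup -Directory $dir -ServiceName $_.Name
    }
}

# Usage: run from an elevated prompt so every service directory is readable.
Find-WeakServiceDirectories | Format-Table -AutoSize

# Hardening (assumed generic remediation, not the vendor's own fix):
# strip write access from the broad group on the install tree and leave
# read/execute so the service account and users can still run the software.
#   icacls "C:\SCADA" /remove:g "BUILTIN\Users" /T
#   icacls "C:\SCADA" /grant:r "BUILTIN\Users:(OI)(CI)RX" /T
# Re-run Find-WeakServiceDirectories afterwards; the C:\SCADA row should disappear.
```

The check operates on the directory rather than only the executable because a directory ACL with (OI)(CI) write rights lets a low-privileged user delete and re-create the service binary even when the file's own ACL looks tight; the inherited entry is what the write-up observed.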
Creating a malicious payload using msfvenom
Transfer to the victim system
Rename the service Exe with payload Exe
Restart the victim and you will gain shell access:
Note: We gain shell access before the syh4ck user logs in to the system.
Gaining an admin shell from the user machine
The following video PoC demonstrates how this issue can be used to escalate privileges and gain a remote shell running as “NT AUTHORITY\SYSTEM”.
[21.04.2020] Vulnerability discovered.
[21.04.2020] Vendor contacted.
[24.04.2020] Vendor acknowledged.
[25.04.2020] Applied for CVE.
[14.08.2020] CVE assigned: CVE-2020-22722.
Twitter: https://twitter.com/syh4ck