WIN-911 Software is aware of an ICS Advisory (ICSA-22-053-03) disclosing two local privilege escalation vulnerabilities (CVE-2022-23104, CVE-2022-23922) affecting WIN-911 2021 R1 & R2. Successful exploitation of these potential vulnerabilities could lead to local privilege escalation. An attacker cannot use these vulnerabilities to gain access to your system, as they require local access to exploit.
A. Affected Products
WIN-911 2021 R2 - 5.21.17
B. Vulnerability Details
Issue #1: Incorrect Default Permissions (CWE-276)
The first vulnerability identified by Claroty’s research team allows any local unprivileged attacker to escalate their privileges to those of the user that is using WIN-911, due to insecure permissions assigned to critical directories and files used by the WIN-911 processes. An attacker could leverage the misconfigured permissions on the directory to achieve code execution in the application’s context and permissions.
For example, an attacker could drop a malicious DLL file that they know the application uses inside the application’s directory. Because of Windows’ DLL search order, the DLL will then be loaded into the application’s memory and executed whenever the application is used.
In its default configuration, WIN-911 installs its files inside the C:\Program Files (x86)\WIN-911 Software directory. However, when we look into the directory’s assigned permissions (and all other sub-directories due to Windows’ permissions inheritance), we discover that one sub-directory allows all authenticated users on the computer to write inside this directory.
The permissions on the C:\Program Files (x86)\WIN-911 Software\Announcer directory and all of its sub-directories and files. We can see that all users have write access to this directory.
When we looked into what is stored inside the directory, we found out that WIN-911 stores an application called Announcer, and that indeed some DLLs are stored inside this directory.
Abusing this permissions misconfiguration, any attacker that has access to a computer on which the WIN-911 program is installed can write files to the C:\Program Files (x86)\WIN-911 Software\Announcer directory and thus elevate their privileges whenever the program is executed, using a method similar to the one described above.
Issue #2: Incorrect Default Permissions (CWE-276)
Similar to the vulnerability described above, we were able to identify another directory that has permissive permissions, allowing any authenticated user to write files to the directory. In WIN-911's default configuration, this directory is located at the following path: C:\Program Files (x86)\WIN-911 Software\Operator Workspace. Once again, many DLL files and executables reside inside this directory, which enables a malicious user to achieve local code execution with the permissions of the user executing a binary inside this directory.
The permissions on the C:\Program Files (x86)\WIN-911 Software\Operator Workspace directory and all of its sub-directories and files. We can see that all users have write access to this directory.
Abusing this vulnerability, an attacker that has access to a computer on which the WIN-911 program is installed can write files to the C:\Program Files (x86)\WIN-911 Software\Operator Workspace directory, and thus achieve code execution whenever the program is executed.
For example, using these insecure permissions, a low-privilege attacker could write a malicious DLL file to the Operator Workspace directory. Whenever the Operator Workspace application is used, the malicious DLL file will be loaded into memory and executed. Using this, an attacker could achieve privilege escalation to the permissions of the user running the program.
WIN-911 Software has released a hotfix that removes write access for the Users group on the affected directories' subfolders. You can download the hotfix using the link below. Once downloaded, unzip the file and run the batch file with admin privileges.
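To check whether a host still carries the permissive ACLs described in Issues #1 and #2, or to confirm the result after running the batch file, the two directories can be audited for write-capable entries granted to broad groups. The PowerShell below is an added example, not part of the WIN-911 hotfix or Claroty's research; the function name Get-BroadWriteAce and the choice of groups to flag are assumptions, and the paths are the default install locations given above.

```powershell
# Added example (not vendor code). Default install paths from the advisory;
# adjust if WIN-911 was installed elsewhere.
$paths = @(
    'C:\Program Files (x86)\WIN-911 Software\Announcer',
    'C:\Program Files (x86)\WIN-911 Software\Operator Workspace'
)

# Broad, low-privilege groups by well-known SID (group names vary by OS language).
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that allow creating or replacing files, plus GENERIC_WRITE / GENERIC_ALL,
# which Get-Acl reports as raw bits on some inherit-only ACEs.
$fsr  = [System.Security.AccessControl.FileSystemRights]
$mask = [int]($fsr::WriteData -bor $fsr::AppendData -bor $fsr::Delete -bor
              $fsr::ChangePermissions -bor $fsr::TakeOwnership) -bor 0x50000000

function Get-BroadWriteAce {   # hypothetical helper name
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) { Write-Warning "Not found: $root"; continue }
        # The directory itself plus everything beneath it (ACLs are inherited).
        $items = @(Get-Item -LiteralPath $root -Force) +
                 @(Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
                catch { continue }   # orphaned or unresolvable identity
                if ($broadSids.ContainsKey($sid) -and ([int]$ace.FileSystemRights -band $mask)) {
                    [pscustomobject]@{
                        Path      = $item.FullName
                        Principal = $broadSids[$sid]
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
    }
}

$findings = @(Get-BroadWriteAce -Path $paths)
if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'No write-capable ACEs for broad groups on the checked paths.' }
```

Run it from an elevated prompt so every sub-directory can be read; an empty result means none of the listed groups hold write-capable rights on the checked paths.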