Studio 5000 Logix Designer 30.01.00未引用的服务路径-

七彩网络

昔年博客
首页>> Exploit >>Studio 5000 Logix Designer 30.01.00未引用的服务路径

低危

# Exploit Title: Studio 5000 Logix Designer 30.01.00 - 'FactoryTalk Activation Service' Unquoted Service Path
# Discovery by: Luis Martinez
# Discovery Date: 2019-11-18
# Vendor Homepage: https://www.rockwellautomation.com/en_NA/overview.page
# Software Link : https://www.rockwellautomation.com/en_NA/products/factorytalk/overview.page?pagetitle=Studio-5000-Logix-Designer&docid=924d2f2060bf9d409286937296a18142
# Rockwell Automation Technologies
# Tested Version: 30.01.00
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es

# Step to discover Unquoted Service Path: 

C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "Rockwell" |findstr /i /v """

FactoryTalk Activation Service		FactoryTalk Activation Service 		C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\lmgrd.exe	Auto

# Service info:

C:\>sc qc "FactoryTalk Activation Service"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: FactoryTalk Activation Service
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\lmgrd.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : FactoryTalk Activation Service
        DEPENDENCIES       : winmgmt
                           : wmiapsrv
                           : +NetworkProvider
        SERVICE_START_NAME : LocalSystem

成功的尝试需要本地用户能够在系统根路径中插入他们的代码而不被OS或其他安全应用程序检测到,在应用程序启动或重新启动期间,这些代码可能会被执行。如果成功,本地用户的代码将使用提升的应用程序特权执行。


×

感谢您的支持,我们会一直保持!

扫码支持
请土豪扫码随意打赏

打开支付宝扫一扫,即可进行扫码打赏哦

分享从这里开始,精彩与您同在

打赏作者
版权所有,转载注意明处:昔年博客 » Studio 5000 Logix Designer 30.01.00未引用的服务路径
标签: exp poc
分享本文至:
点击评论 您阅读这篇文章共花了: 

发表评论

路人甲 表情
Ctrl+Enter快速提交

网友评论(0)