Every user can read the file c:\Program Files (x86)\SentryHD\config.ini:

C:\Program Files (x86)\SentryHD>cacls config.ini
C:\Program Files (x86)\SentryHD\config.ini NT AUTHORITY\SYSTEM:(ID)F
                                           BUILTIN\Administrators:(ID)F
                                           BUILTIN\Users:(ID)R

Inside this ini file we can find the login and password for the web panel.
UPSMan is running on autostart as SYSTEM:

wmic service where name="UPSMan" get StartName
StartName
LocalSystem
Using Execute Command File we can execute commands on a scheduled system shutdown, and because UPSMan is running as SYSTEM, those commands run as a privileged user.
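The two conditions above (a world-readable config.ini and a service running as LocalSystem) can be audited and the file permission tightened with the following script. This is an added defensive check, not part of the original advisory; the path and service name come from the advisory, while the list of "non-admin" principals and the choice to strip their read grant with icacls are assumptions.

```powershell
# Added audit script (not from the advisory). Checks whether low-privileged
# principals can read SentryHD's config.ini and under which account UPSMan runs.
# With -Fix, removes the offending read grants via icacls (assumed remediation).
param([switch]$Fix)

$ConfigPath  = 'C:\Program Files (x86)\SentryHD\config.ini'   # path from the advisory
$ServiceName = 'UPSMan'                                         # service from the advisory
# Principals treated as "every user" (assumption: adjust to the site's policy)
$LowPrivPrincipals = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
$findings = @()

# 1. Can non-administrators read the file that stores the web panel credentials?
if (Test-Path -LiteralPath $ConfigPath) {
    $acl = Get-Acl -LiteralPath $ConfigPath
    $weak = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.IdentityReference.Value -in $LowPrivPrincipals) -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
    }
    foreach ($ace in $weak) {
        $findings += "config.ini readable by $($ace.IdentityReference) ($($ace.FileSystemRights))"
        if ($Fix) {
            # icacls /remove:g removes the granted ACE for that principal
            & icacls $ConfigPath /remove:g "$($ace.IdentityReference.Value)" | Out-Null
            $findings += "removed read grant for $($ace.IdentityReference)"
        }
    }
} else {
    $findings += "config.ini not found at $ConfigPath"
}

# 2. Which account runs UPSMan? Anything it launches (Execute Command File) inherits it.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if ($svc) {
    $findings += "$ServiceName runs as '$($svc.StartName)' (StartMode: $($svc.StartMode))"
    if ($svc.StartName -eq 'LocalSystem') {
        $findings += "commands configured in Execute Command File run as SYSTEM"
    }
} else {
    $findings += "service $ServiceName not installed"
}

$findings | ForEach-Object { Write-Output $_ }
```

Run it from an elevated PowerShell session; removing the read grant is a compensating control on the credential file and does not change the account the service runs under.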
Proof of Concept

This exploit opens the config.ini file, then tries to find Administrator credentials. Next, it tries to add a "create new user" command using Execute Command File. Then it schedules a system shutdown in order to execute this command. After successful admin creation it cancels the shutdown.
Timeline
- 20-11-2016: Discovered
- 20-11-2016: Vendor notified
- 04-12-2016: Second notification
- 28-12-2016: Version 02.01.12g released; passwords are now "encoded" using an easily reversible algorithm
- 09-01-2017: Sent email with information that the new version doesn't fix the issue