Every user can read the file c:\Program Files (x86)\SentryHD\config.ini:
C:\Program Files (x86)\SentryHD>cacls config.ini
C:\Program Files (x86)\SentryHD\config.ini NT AUTHORITY\SYSTEM:(ID)F
                                           BUILTIN\Administrators:(ID)F
                                           BUILTIN\Users:(ID)R
Inside this ini file we can find the login and password for the web panel.
UPSMan is started automatically and runs as SYSTEM:
wmic service where name="UPSMan" get StartName
StartName
LocalSystem
With the web panel's "Execute Command File" option we can attach a command to a scheduled system shutdown, and because UPSMan runs as SYSTEM that command is executed as a privileged user.
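The two conditions above (a credential file readable by every local user, and the service that acts on it running as LocalSystem) are easy to audit on a host. The following PowerShell is an added example written for this page, not code from the advisory or from the vendor; the function names, the list of "broad" principals and the remediation step are my own assumptions, while the file path and service name are the ones the advisory reports.

```powershell
# Added audit example (not part of the original advisory). It checks the two
# findings described above: config.ini readable by a broad local group, and the
# UPSMan service running as LocalSystem. Function names are hypothetical.
function Test-SentryHDExposure {
    param(
        [string]$ConfigPath  = 'C:\Program Files (x86)\SentryHD\config.ini',  # path from the advisory
        [string]$ServiceName = 'UPSMan'                                        # service name from the advisory
    )
    $findings = @()

    # Principals that mean "any interactive user"; assumption, extend as needed.
    $broadPrincipals = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')

    if (Test-Path -LiteralPath $ConfigPath) {
        $acl = Get-Acl -LiteralPath $ConfigPath
        foreach ($ace in $acl.Access) {
            $isBroad = $broadPrincipals -contains $ace.IdentityReference.Value
            # ReadData is the bit that lets a principal open and read file contents.
            $canRead = ($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $isBroad -and $canRead) {
                $findings += "config.ini readable by $($ace.IdentityReference) ($($ace.FileSystemRights), inherited=$($ace.IsInherited))"
            }
        }
    }
    else {
        $findings += "config.ini not found at $ConfigPath (product may not be installed)"
    }

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue
    if ($svc -and $svc.StartName -eq 'LocalSystem') {
        $findings += "$ServiceName runs as LocalSystem (start mode: $($svc.StartMode))"
    }

    return $findings
}

# Remediation step (my suggestion, not from the advisory): stop inheriting the
# parent folder's ACL, then drop every ACE granted to BUILTIN\Users so only
# SYSTEM and Administrators keep access to the credential file.
function Protect-SentryHDConfig {
    param([string]$ConfigPath = 'C:\Program Files (x86)\SentryHD\config.ini')

    # Break inheritance but copy the inherited ACEs as explicit ones first.
    $acl = Get-Acl -LiteralPath $ConfigPath
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $ConfigPath -AclObject $acl

    # Re-read so the former inherited ACEs are now explicit and removable.
    $acl  = Get-Acl -LiteralPath $ConfigPath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Users', 'Read', 'Allow')
    [void]$acl.RemoveAccessRuleAll($rule)
    Set-Acl -LiteralPath $ConfigPath -AclObject $acl
}

# Usage (run elevated for the remediation):
#   Test-SentryHDExposure
#   Protect-SentryHDConfig; Test-SentryHDExposure
```

The audit function is read-only and returns one string per finding, so it can be dropped into a scheduled compliance check; an empty result means neither condition was observed. Tightening the ACL removes the credential disclosure but does not change the fact that the service runs as SYSTEM, so the web panel's command execution feature still deserves a strong, non-default password and network restriction.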
Proof of Concept:
This exploit opens the config.ini file and tries to find the Administrator credentials.
Next, it tries to add a "create new user" command using Execute Command File and schedules a system shutdown in order to execute this command.
After the admin account is successfully created it cancels the shutdown.
- 20-11-2016: Discovered
- 20-11-2016: Vendor notified
- 04-12-2016: Second notification
- 28-12-2016: Version 02.01.12g released, now passwords are “encoded” using an easily reversible algorithm
- 09-01-2017: Sent email with information that the new version doesn’t fix the issue