Details of VAR-201602-0489

ID

VAR-201602-0489

TITLE

(0Day) Advantech WebAccess Local Escalation Of Privilege Vulnerability

Trust: 0.7

sources: ZDI: ZDI-16-155

DESCRIPTION

This vulnerability allows local users to elevate to administrator status on vulnerable installations of Advantech WebAccess. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the configuration of directories created during installation of the product. The implementing code for many COM objects used by newly-created services, which run in an elevated privilege, is installed in a folder with weak security control.

Trust: 0.7

sources: ZDI: ZDI-16-155

AFFECTED PRODUCTS

vendor:

advantech

model:

webaccess

scope:

version:

Trust: 0.7

sources: ZDI: ZDI-16-155

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI:	ZDI-16-155
value:	MEDIUM
Trust: 0.7

ZDI:	ZDI-16-155
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:L/AC:L/AU:S/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.1
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.7

sources: ZDI: ZDI-16-155

EXTERNAL IDS

db:	ZDI_CAN	id:	ZDI-CAN-3333	Trust: 0.7
db:	ZDI	id:	ZDI-16-155	Trust: 0.7

sources: ZDI: ZDI-16-155

CREDITS

Fritz Sands - HPE Zero Day Initiative

Trust: 0.7

sources: ZDI: ZDI-16-155

SOURCES

db:

ZDI

id:

ZDI-16-155

LAST UPDATE DATE

2022-05-17T02:02:27.809000+00:00

SOURCES UPDATE DATE

db:

ZDI

id:

ZDI-16-155

date:

2016-02-05T00:00:00

SOURCES RELEASE DATE

db:

ZDI

id:

ZDI-16-155

date:

2016-02-05T00:00:00