Inosoft VisiWin 7 2022-2.1 - Insecure Folders Permissions
# Exploit Title: Inosoft VisiWin 7 2022-2.1 - Insecure Folders Permissions Privilege Escalation
# Date: 2023-08-09
# Exploit Author: Carlo Di Dato for Deloitte Risk Advisory Italia
# Vendor Homepage: https://www.inosoft.com/
# Version: Up to 2022-2.1 (Runtime RT7.3 RC3 20221209.5)
# Tested on: Windows
# CVE: CVE-2023-31468
Inosoft VisiWin is a completely open system with a configurable range of
functions. It combines all features of classic HMI software with
unlimited programming possibilities.
The installation of the solution creates insecure folders, and this
could allow a malicious user to manipulate file content or change
legitimate files (e.g., VisiWin7.Server.Manager.exe, which runs with
SYSTEM privileges) to compromise a system or to gain elevated
privileges.
This is the list of insecure files and folders with their respective
permissions:
C:\>icacls "C:\Program Files (x86)\INOSOFT GmbH"
C:\Program Files (x86)\INOSOFT GmbH BUILTIN\Administrators:(OI)(CI)(F)
Everyone:(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
Successfully processed 1 files; Failed processing 0 files
C:\>
--------------------------------------------------------------------------------------------------------------------------------------------------------
C:\>icacls "C:\Program Files (x86)\INOSOFT GmbH\VisiWin7\Runtime\VisiWin7.Server.Manager.exe"
C:\Program Files (x86)\INOSOFT GmbH\VisiWin 7\Runtime\VisiWin7.Server.Manager.exe BUILTIN\Administrators:(I)(F)
Everyone:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
Successfully processed 1 files; Failed processing 0 files
C:\>
Inosoft VisiWin 7 2022-2.1 – Insecure Folder Permissions: A Critical Privilege Escalation Vulnerability
Inosoft VisiWin 7, a widely used Human-Machine Interface (HMI) platform in industrial automation environments, has recently come under scrutiny due to a critical security flaw identified as CVE-2023-31468. This vulnerability stems from overly permissive folder and file permissions during installation, enabling unauthorized users to manipulate system-critical components—potentially leading to privilege escalation and full system compromise.
Understanding the Vulnerability
The core issue lies in the default configuration of installation directories. Upon installation, the C:\Program Files (x86)\INOSOFT GmbH directory and its subcomponents, including the VisiWin7.Server.Manager.exe binary, grant full control to Everyone, a broad Windows security group that includes all authenticated users, including non-administrative ones.
C:\> icacls "C:\Program Files (x86)\INOSOFT GmbH"
C:\Program Files (x86)\INOSOFT GmbH BUILTIN\Administrators:(OI)(CI)(F)
Everyone:(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
This output reveals that Everyone has full control over the entire INOSOFT installation directory. The (OI) and (CI) flags indicate that these permissions are inherited by subdirectories and files, meaning any file within the hierarchy—especially those running with elevated privileges—is vulnerable to tampering.
Exploitation Path: From User to SYSTEM
Consider the VisiWin7.Server.Manager.exe process, which runs under the NT AUTHORITY\SYSTEM context. This means it operates with the highest possible privileges on the system. If an attacker can modify this executable—either by replacing it with a malicious version or by injecting code—the system will execute the malicious payload with full administrative rights.
Since Everyone has write access to this file, a local user with minimal privileges (e.g., a standard user account) can:
- Copy a malicious executable into the VisiWin7.Server.Manager.exe location.
- Replace the legitimate binary with a backdoor or reverse shell.
- Trigger the service to restart or reinitialize, leading to execution of the malicious code.
Once executed, the attacker gains full system control—effectively achieving privilege escalation without requiring any initial administrative access.
Real-World Implications
Industrial control systems (ICS), where VisiWin 7 is commonly deployed, are particularly vulnerable to such exploits. A compromised HMI system can:
- Disable critical safety mechanisms.
- Modify control logic, leading to physical equipment failure.
- Exfiltrate sensitive operational data.
- Act as a foothold for lateral movement in a network.
Even a single compromised workstation in a factory environment could enable attackers to pivot into critical infrastructure systems, potentially disrupting production lines or causing physical damage.
Technical Analysis and Detection
Security professionals can detect this vulnerability using built-in Windows tools like icacls. The following command identifies insecure permissions:
icacls "C:\Program Files (x86)\INOSOFT GmbH\VisiWin7\Runtime\VisiWin7.Server.Manager.exe"
Output:
BUILTIN\Administrators:(I)(F)
Everyone:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
Here, (I)(F) indicates that Everyone has full (F) access to the file, and the permission is inherited (I). This is a red flag for security audits.
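For auditing icacls output collected from many hosts, the check above can be automated. The following is an added example, not code from the advisory or from Inosoft: it parses icacls listings, flags broad principals that hold write-class rights, and records whether each entry is inherited, which determines where it has to be removed. The list of broad principals assumes English-locale names, and the function and variable names are illustrative.

```python
import re

# English-locale names of principals that include unprivileged local users.
BROAD = ("Everyone", r"BUILTIN\Users", r"NT AUTHORITY\Authenticated Users",
         r"NT AUTHORITY\INTERACTIVE")
# icacls right codes that let a holder replace, modify or re-ACL an object.
WRITE = {"F", "M", "W", "GA", "GW", "WD", "AD", "WDAC", "WO"}
# Inheritance markers that icacls prints in the same parenthesised form.
INHERIT = {"I", "OI", "CI", "IO", "NP"}

ACE_RE = re.compile(r"(?:^|\s)(?P<who>" + "|".join(map(re.escape, BROAD))
                    + r"):(?P<groups>(?:\([A-Z,]+\))+)\s*$")

def audit(target, icacls_output):
    """Return one finding per broad principal holding write-class rights."""
    findings = []
    for line in icacls_output.splitlines():
        m = ACE_RE.search(line)
        if not m:
            continue  # other principal, footer or prompt line
        groups = re.findall(r"\(([A-Z,]+)\)", m.group("groups"))
        if "DENY" in groups or "IO" in groups:
            continue  # deny ACE, or inherit-only ACE that does not apply here
        rights = {r for g in groups if g not in INHERIT for r in g.split(",")}
        if rights & WRITE:
            findings.append({
                "target": target,
                "principal": m.group("who"),
                "rights": sorted(rights & WRITE),
                # (I) means the ACE comes from a parent folder: it has to be
                # removed where it is explicit, not on this object.
                "inherited": "I" in groups,
            })
    return findings

# Sample input: the two icacls listings shown on this page.
ROOT = r"C:\Program Files (x86)\INOSOFT GmbH"
ROOT_OUT = r"""C:\Program Files (x86)\INOSOFT GmbH BUILTIN\Administrators:(OI)(CI)(F)
Everyone:(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
Successfully processed 1 files; Failed processing 0 files"""
EXE = ROOT + r"\VisiWin 7\Runtime\VisiWin7.Server.Manager.exe"
EXE_OUT = EXE + r""" BUILTIN\Administrators:(I)(F)
Everyone:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)"""

if __name__ == "__main__":
    for f in audit(ROOT, ROOT_OUT) + audit(EXE, EXE_OUT):
        where = "a parent folder" if f["inherited"] else "this object"
        print(f"{f['target']}: {f['principal']} {f['rights']} (fix at {where})")
```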
Recommended Mitigation Strategies
Organizations using Inosoft VisiWin 7 must act immediately to secure their systems. Below are recommended steps:
| Step | Description |
|---|---|
| 1. Restrict File Permissions | Use icacls to remove write access from Everyone. Only Administrators and SYSTEM should have full control. |
| 2. Apply Least Privilege Principle | Ensure that only authorized users (e.g., system administrators) can modify HMI software components. |
| 3. Enable File Integrity Monitoring | Deploy tools like Windows Defender Application Control (WDAC) or SIEM solutions to detect unauthorized changes to critical binaries. |
| 4. Update to Secure Version | Check for patches or updated versions from Inosoft. The vulnerability is reported in versions up to 2022-2.1 (Runtime RT7.3 RC3 20221209.5). Update to a newer release if available. |
Example of corrected permission configuration:
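icacls "C:\Program Files (x86)\INOSOFT GmbH" /remove:g Everyone /T
The Everyone entry on VisiWin7.Server.Manager.exe is inherited (I), so it cannot be removed on the file itself. This command removes the explicit entry at the installation root, where it is defined, and /T also clears any explicit Everyone entries further down the tree. Administrators and SYSTEM keep the full control they already hold at the root, which significantly reduces the attack surface. Re-run icacls on the executable afterwards to confirm that Everyone no longer appears.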
Expert Insight: Why This Flaw Matters
Many industrial software vendors prioritize functionality over security. Inosoft VisiWin 7’s "completely open system" design, while beneficial for customization, introduces serious risks when default security settings are ignored. This vulnerability exemplifies a classic default configuration flaw: software assumes safe environments, but real-world deployments often include untrusted users or compromised systems.
As cybersecurity experts emphasize, security by default is not optional in critical infrastructure. Even a single file with broad permissions can become a gateway to system-wide compromise.
Conclusion
CVE-2023-31468 is a stark reminder that even well-established industrial software can harbor severe security flaws. Organizations must proactively audit their HMI systems, enforce strict file permissions, and apply timely updates. In the world of industrial cybersecurity, a single misconfigured folder can be the difference between operational continuity and catastrophic failure.