Rockwell Automation Studio 5000 Logix Designer Unquoted Service Path Vulnerability in FactoryTalk Activation Service

Vulnerability

A vulnerability exists in the FactoryTalk Activation Service of Rockwell Automation's Studio 5000 Logix Designer version 30.01.00. The service is registered with an unquoted path to its executable in the application's installation directory, which can be exploited by local users to execute code with elevated privileges. Because Windows resolves an unquoted path containing spaces by trying shorter candidate paths before the intended one, code that an attacker places at one of those earlier locations could be executed with LocalSystem permissions.

Impact

Exploitation of this vulnerability could lead to unauthorized code execution with elevated privileges, allowing a local user to execute malicious payloads with the highest system rights.

Reproduction

The vulnerability can be reproduced by first confirming the presence of the unquoted service path using the Windows Management Instrumentation Command-line (WMIC) tool. After identifying the 'FactoryTalk Activation Service' with an unquoted path to 'lmgrd.exe', a local user could then place malicious code in a location that would be executed when the service starts, such as the system root path, undetected by the operating system or security applications.
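
The same check can be run in PowerShell to audit a host. This is an added example, not code from the advisory or from Rockwell Automation: it flags services whose executable path is unquoted and contains spaces, and lists the earlier locations Windows would try so they can be checked for unexpected files. The function name Get-UnquotedPathCandidates and the sample paths are assumptions constructed for illustration; the page does not give the product's install path.

```powershell
# Added example: audit service paths for the unquoted-path condition.
function Get-UnquotedPathCandidates {
    param([string]$PathName)

    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return @() }            # quoted: resolved as written

    # Executable portion only: up to the first ".exe", ignoring arguments.
    $m = [regex]::Match($p, '^(.*?\.exe)(\s|$)', 'IgnoreCase')
    if (-not $m.Success) { return @() }               # e.g. driver (.sys) paths

    # Each space is a point where Windows tries "<prefix>.exe" first.
    $parts = $m.Groups[1].Value -split ' '
    $candidates = @()
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $candidates += (($parts[0..($i - 1)] -join ' ') + '.exe')
    }
    return $candidates
}

# Constructed sample values (hypothetical install directory).
$samples = @(
    'C:\Program Files\Example Vendor\Licensing Tools\lmgrd.exe',
    '"C:\Program Files\Example Vendor\Licensing Tools\lmgrd.exe"',
    'C:\Windows\System32\svchost.exe -k netsvcs'
)
foreach ($s in $samples) {
    $c = @(Get-UnquotedPathCandidates $s)
    '{0} => {1}' -f $s, $(if ($c) { $c -join '; ' } else { 'not affected' })
}

# Live audit: one row per earlier location, with whether a file is already there.
Get-CimInstance Win32_Service | Where-Object { $_.PathName } | ForEach-Object {
    $svc = $_
    foreach ($c in @(Get-UnquotedPathCandidates ([string]$svc.PathName))) {
        [pscustomobject]@{
            Service    = $svc.Name
            RunsAs     = $svc.StartName
            Candidate  = $c
            FileExists = Test-Path -LiteralPath $c
        }
    }
}
```

A row with FileExists set to True means a file already sits at a location that would be resolved ahead of the service's real binary and should be investigated.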

Added: Feb 5, 2026, 12:36 AM
Updated: Feb 5, 2026, 12:36 AM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 2.5
exploitability: 4.4
remediation: 0.0
relevance: 2.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.