From 2963ce32a03e51a223f6026e77e016a0cccfb9a3 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 1 Oct 2016 05:01:16 +0000
Subject: [PATCH] DB: 2016-10-01

1 new exploits

Netgear Genie 2.4.32 - Unquoted Service Path Elevation of Privilege
---
 files.csv | 1 +
 platforms/windows/local/40442.txt | 46 +++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+)
 create mode 100755 platforms/windows/local/40442.txt

diff --git a/files.csv b/files.csv
index 686808d60..ddfb923d1 100755
--- a/files.csv
+++ b/files.csv
@@ -36562,3 +36562,4 @@ id,file,description,date,author,platform,type,port
 40330,platforms/windows/local/40330.py,"FortiClient SSLVPN 5.4 - Credentials Disclosure",2016-09-01,"Viktor Minin",windows,local,0
 40436,platforms/android/remote/40436.rb,"Android 5.0 <= 5.1.1 - Stagefright .MP4 tx3g Integer Overflow (Metasploit)",2016-09-27,Metasploit,android,remote,0
 40439,platforms/windows/dos/40439.py,"VLC Media Player 2.2.1 - Buffer Overflow",2016-09-28,"sultan albalawi",windows,dos,0
+40442,platforms/windows/local/40442.txt,"Netgear Genie 2.4.32 - Unquoted Service Path Elevation of Privilege",2016-09-30,Tulpa,windows,local,0
diff --git a/platforms/windows/local/40442.txt b/platforms/windows/local/40442.txt
new file mode 100755
index 000000000..24ec43355
--- /dev/null
+++ b/platforms/windows/local/40442.txt
@@ -0,0 +1,46 @@
+# Exploit Title: Netgear Genie 2.4.32 Unquoted Service Path Elevation of Privilege
+# Date: 30/09/2016
+# Exploit Author: Tulpa
+# Contact: tulpa@tulpa-security.com
+# Author website: www.tulpa-security.com
+# Vendor Homepage: www.netgear.com
+# Software Link: https://www.netgear.com/home/discover/apps/genie.aspx?
+
+cid=wmt_netgear_organic
+# Version: Software Version 2.4.32
+# Tested on: Windows 7 x86
+# Shout-out to carbonated and ozzie_offsec
+
+1. Description:
+
+Netgear Genie installs a service called 'NETGEARGenieDaemon' with an unquoted service
+
+path running with SYSTEM privileges.
+This could potentially allow an authorized but non-privileged local
+user to execute arbitrary code with elevated privileges on the system.
+
+2. Proof
+
+C:\Program Files>sc qc NETGEARGenieDaemon
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: NETGEARGenieDaemon
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 3 DEMAND_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files\NETGEAR Genie\bin\NETGEARGenieDaemon.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : NETGEARGenieDaemon
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+
+3. Exploit:
+
+A successful attempt would require the local user to be able to insert their
+code in the system root path undetected by the OS or other security applications
+where it could potentially be executed during application startup or reboot.
+If successful, the local user's code would execute with the elevated privileges
+of the application.
+
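Review bot: The proof shows the unquoted `BINARY_PATH_NAME` but never shows that a non-privileged user can write to the locations that matter for it, `C:\Program.exe` or `C:\Program Files\NETGEAR.exe`, and on a default Windows 7 install neither file creation in `C:\` nor writes to `C:\Program Files` are granted to standard users, so the advisory should include `icacls C:\` and `icacls "C:\Program Files"` output or state plainly that the write is an unproven precondition. The service is `START_TYPE : 3 DEMAND_START`, so the "application startup or reboot" trigger in section 3 does not apply unless something starts the service; `sc sdshow NETGEARGenieDaemon` output would show whether an unprivileged user can start it. I would reword the section-3 paragraph to name the two candidate payload paths and the actual start trigger, and add a remediation line such as `Fix: quote the ImagePath, e.g. "C:\Program Files\NETGEAR Genie\bin\NETGEARGenieDaemon.exe"`. The `# Software Link:` header is also split across three lines by a blank line, so the URL should be rejoined onto one line.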