40 lines
No EOL
1.7 KiB
Text
40 lines
No EOL
1.7 KiB
Text
# Exploit Title: Iperius Remote 1.7.0 Unquoted Service Path Elevation of Privilege
|
|
# Date: 26/09/2016
|
|
# Exploit Author: Tulpa
|
|
# Contact: tulpa@tulpa-security.com
|
|
# Author website: www.tulpa-security.com
|
|
# Vendor Homepage: http://www.iperiusremote.com
|
|
# Software Link: https://www.iperiusremote.com/download.aspx
|
|
# Version: Software Version 1.7.0
|
|
# Tested on: Windows 7 x86
|
|
# Shout-out to carbonated and ozzie_offsec
|
|
|
|
1. Description:
|
|
|
|
Iperius Remote allows the user to install the application as a service with an unquoted service path running with SYSTEM privileges. It is important to note that the application installs itself as a service in the same location where the setup file in ran from. Provided that the end user initiates the installation from a directory with spaces in it's path, this could allow an authorized but non-privileged local
|
|
user to execute arbitrary code with elevated privileges on the system.
|
|
|
|
2. Proof
|
|
|
|
C:\>sc qc IperiusRemotesvc
|
|
[SC] QueryServiceConfig SUCCESS
|
|
|
|
SERVICE_NAME: IperiusRemotesvc
|
|
TYPE : 10 WIN32_OWN_PROCESS
|
|
START_TYPE : 2 AUTO_START
|
|
ERROR_CONTROL : 1 NORMAL
|
|
BINARY_PATH_NAME : C:\Random Folder With Spaces\IperiusRemote.exe
|
|
LOAD_ORDER_GROUP :
|
|
TAG : 0
|
|
DISPLAY_NAME : IperiusRemote Service
|
|
DEPENDENCIES :
|
|
SERVICE_START_NAME : LocalSystem
|
|
|
|
|
|
3. Exploit:
|
|
|
|
A successful attempt would require the local user to be able to insert their
|
|
code in the system path undetected by the OS or other security applications
|
|
where it could potentially be executed during application startup or reboot.
|
|
If successful, the local user's code would execute with the elevated privileges
|
|
of the application. |