bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/local/9680.txt
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

69 lines
No EOL
2.3 KiB
Text
Raw Permalink Blame History

ShineShadow Security Report 15092009-09
TITLE
Local privilege escalation vulnerability in Protector Plus antivirus software
BACKGROUND
Protector Plus range of antivirus products are known the world over for
their efficiency and reliability. Protector Plus Antivirus Software is
available for Windows Vista, Windows XP, Windows Me, Windows 2000,
Windows 98, Windows 2000/2003/NT server and NetWare platforms. Protector
Plus Antivirus Software is the ideal antivirus protection for your
computer against all types of malware like viruses, trojans, worms and
spyware.
-- www.pspl.com
VULNERABLE PRODUCTS
Protector Plus 2009 for Windows Desktops (8.0.E03)
Protector Plus 2009 for Windows Server (8.0.E03)
Protector Plus Professional (9.1.001)
Previous versions may also be affected
DETAILS
Protector Plus installs the own program files with insecure permissions
(Everyone - Full Control). Local attacker (unprivileged user) can
replace some files (for example, executable files of Protector services)
by malicious file and execute arbitary code with SYSTEM privileges. This
is local privilege escalation vulnerability.
For example, the following attack scenario could be used:
1. An attacker (unprivileged user) renames one of the Protector program
files (below, the FILE). For example, the FILE could be - PPAVMON.exe
(Protector Plus Anti-virus Monitor Service).
2. An attacker copies his malicious executable file (with same name as
the old filename of the FILE - PPAVMON.exe) to Protector folder.
3. Restart the system.
After restart attackers malicious file will be executed with SYSTEM
privileges.
EXPLOITATION
This is local privilege escalation vulnerability. An attacker must have
valid logon credentials to a system where vulnerable software is
installed.
WORKAROUND
No workarounds
DISCLOSURE TIMELINE
31/08/2009 Initial vendor notification. Secure contacts requested.
01/09/2009 Vendor response
03/09/2009 Vulnerability details sent. Confirmation requested. – no reply
09/09/2009 Vulnerability details sent. Confirmation requested. – no reply
11/09/2009 Last attempt to get reply from vendor. Vulnerability details sent. Confirmation requested. – no reply
15/09/2009 Advisory released
CREDITS
Maxim A. Kulakov (aka ShineShadow)
ss_contacts[at]hotmail.com
# milw0rm.com [2009-09-15]
Reference in a new issue View git blame Copy permalink