ACROS Security 0patch (0PatchServicex64.exe) Unquoted Service Path Privilege Escalation


Vendor: ACROS, d.o.o.
Product web page: https://www.0patch.com
Affected version: 2016.05.19.539

Summary: 0patch (pronounced 'zero patch') is a platform for instantly
distributing, applying and removing microscopic binary patches to/from
running processes without having to restart these processes (much less
reboot the entire computer).

Desc: The application suffers from an unquoted search path issue impacting
the service '0patchservice' for Windows deployed as part of 0patch solution.
This could potentially allow an authorized but non-privileged local user to
execute arbitrary code with elevated privileges on the system. A successful
attempt would require the local user to be able to insert their code in the
system root path undetected by the OS or other security applications where
it could potentially be executed during application startup or reboot. If
successful, the local user’s code would execute with the elevated privileges
of the application.

Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Microsoft Windows 7 Professional SP1 (EN)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5331
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5331.php

Vendor: https://0patch.blogspot.com/2016/06/new-release-0patch-agent-20160614850.html


08.06.2016

--


C:\>sc qc 0patchservice
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: 0patchservice
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\0patch\Agent\0PatchServicex64.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : 0patch Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\>cacls "C:\Program Files (x86)\0patch\Agent\0PatchServicex64.exe"
C:\Program Files (x86)\0patch\Agent\0patchServicex64.exe NT AUTHORITY\SYSTEM:(ID)F
                                                         BUILTIN\Administrators:(ID)F
                                                         BUILTIN\Users:(ID)R


C:\>
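
Added example (not part of the original advisory, and not vendor or Zero Science Lab code): a small audit helper that parses `sc qc` output like the one above, lists the locations an administrator should verify are absent and not writable because the unquoted path makes Windows try them first, and produces the quoted value that removes the ambiguity. The function names are hypothetical; the embedded sample reuses lines from the advisory's output.

```python
import re

# Lines taken from the advisory's `sc qc 0patchservice` output.
ADVISORY_SC_QC = r"""
SERVICE_NAME: 0patchservice
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files (x86)\0patch\Agent\0PatchServicex64.exe
        SERVICE_START_NAME : LocalSystem
"""

def binary_path(sc_qc_output):
    """Return the BINARY_PATH_NAME value from `sc qc` output, or None."""
    m = re.search(r"^\s*BINARY_PATH_NAME\s*:\s*(.+?)\s*$", sc_qc_output, re.M)
    return m.group(1) if m else None

def image_end(path):
    """Index just past the executable name ('.exe' followed by space or end)."""
    m = re.search(r"\.exe(?=\s|$)", path, re.I)
    return m.end() if m else len(path)

def ambiguous_candidates(path):
    """Paths Windows tries before the intended image when the path is unquoted.

    An unquoted command line is split at each space and the prefix is tried
    with '.exe' appended, left to right. Arguments after the image are ignored.
    """
    if path.startswith('"'):
        return []                      # quoted: the image path is unambiguous
    image = path[:image_end(path)]
    return [image[:i] + ".exe" for i, ch in enumerate(image) if ch == " "]

def quoted_form(path):
    """Corrected value: image path in quotes, any arguments left untouched."""
    if path.startswith('"'):
        return path
    end = image_end(path)
    return '"' + path[:end] + '"' + path[end:]

def audit(sc_qc_output):
    """Summarise one service: configured path, locations to verify, fixed value."""
    path = binary_path(sc_qc_output)
    if path is None:
        return None
    return {"path": path, "verify": ambiguous_candidates(path), "fix": quoted_form(path)}

if __name__ == "__main__":
    for key, value in audit(ADVISORY_SC_QC).items():
        print(f"{key}: {value}")
```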