VirIT Explorer Lite & Pro v.8.1.68 - Local Privilege Escalation (SYSTEM Privilege)/Arbitrary Code Execution

2016.05.13
Credit: Paolo Stagno
Risk: High
Local: Yes
Remote: Yes
CVE: N/A
CWE: N/A

Request a CVE ID for VirIT Explorer Lite & Pro v.8.1.68 - Local Privilege Escalation (SYSTEM Privilege)/Arbitrary Code Execution Exploit Author: Paolo Stagno - voidsec () voidsec com Vendor Homepage: http://www.tgsoft.it Version: VirIT Explorer Lite & Pro v.8.1.68 CVSS v2: 6.8 (AV:L/AC:L/Au:S/C:C/I:C/A:C/E:H/RL:U/RC:C) Overview ---- Vir.IT eXplorer [1] is an AntiVirus, AntiSpyware and AntiMalware software made in Italy and developed by TG Soft S.a.s. A major flaws exists in the last version of Vir.IT eXplorer, this vulnerability allow a local attacker, to execute arbitrary code in the context of the application with SYSTEM privilege. Details ---- The flaw resides in the viritsvclite Service due to bad privileges for the main Vir.IT folder, by default, any user (even guest) will be able to replace, modify or alter the file. This would allow an attacker to inject code or replace the executable and have it run in the context of the system. This would allow a complete compromise of the system on which the antivirus was installed; an attacker can replace the executable, reboot the system and it would then compromise the machine. As NT AUTHORITYSYSTEM is the highest privilege level on a Windows machine, this allows a total control and access to the system. Services: viritsvclite Folder: %SYSTEMDRIVE%VEXPLite Executable: %SYSTEMDRIVE%VEXPLiteviritsvc.exe [2] icacls.exe VEXPLite C:VEXPLite Everyone:(OI)(CI)(F) <=================== Vulnerable BUILTINAdministrators:(I)(F) BUILTINAdministrators:(I)(OI)(CI)(IO)(F) NT AUTHORITYSYSTEM:(I)(F) NT AUTHORITYSYSTEM:(I)(OI)(CI)(IO)(F) BUILTINUsers:(I)(OI)(CI)(RX) NT AUTHORITYAuthenticated Users:(I)(M) NT AUTHORITYAuthenticated Users:(I)(OI)(CI)(IO)(M) Exploit ---- https://gist.github.com/VoidSec/9971092829dd1fec146e1595843aae65 https://www.youtube.com/watch?v=5a09efEvjTk (video proof) Remediation ---- Remove the permissions on the VEXPLite folder, all of its files and on the viritsvc.exe Service executables to allow only privileged users to alter the files, apply vendor patch once distributed. Footnotes ---- [1] http://www.tgsoft.it/english/prodotti_eng.asp [2] https://technet.microsoft.com/en-us/library/cc753525%28WS.10%29.aspx ---- *VoidSec *| voidsec () voidsec com <mailto:voidsec () voidsec com> | http://voidsec.com <http://voidsec.com/>

References:

http://www.tgsoft.it/english/prodotti_eng.asp
https://technet.microsoft.com/en-us/library/cc753525%28WS.10%29.aspx
https://www.youtube.com/watch?v=5a09efEvjTk


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top