Nero 7.10.1.0 Privilege Escalation

2016.11.11
Credit: Boumediene KADDOUR a.k.a Sh311c0d3r
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-264

# Exploit Title: Nero 7 Unquoted Service Path Elevation Of Privilege # Disclosure Date: 09/11/2016 # Exploit Author: Boumediene KADDOUR a.k.a Sh311c0d3r # http://www.realistic-security.org # Version: Nero version 7.10.1.0 # Tested on: Windows 7 integral edition FR # CVE : N/A Vulnerability Details: ===================== The nero 7 suffers from an unquoted search path issue impacting the service "NBService" leading to arbitrary code execution, this could potentially allow an authorized unprivileged user to invoke a malicious peice of code with elevated privileges. A successful exploit requires a local user to put its own code in the path of the vulnerable application where it could potentially be executed during the software startup or system reboot. PoC -- [PentestingSkills.BlackBox] a$? sc qc NBService [SC] QueryServiceConfig rA(c)ussite(s) SERVICE_NAME: NBService TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\Nero\Nero 7\Nero BackItUp\NBService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : NBService DEPENDENCIES : RPCSS SERVICE_START_NAME : LocalSystem notice the path C:\Program Files (x86)\Nero\Nero 7\Nero BackItUp\NBService.exe unquoted !! a malicious local user could put in place its own executable as Nero.exe under C:\Program Files (x86)\Nero\ to be then executed once the application starts up or the system reboots. sh311c0d3r


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top