APC UPS Daemon <= 3.14.14 Local Privilege Escalation

Credit: Richard Young
Risk: Medium
Local: Yes
Remote: No

[+] Credits: fragsh3ll aka v [+] Contact: https://twitter.com/fragsh3ll Vendor ========== http://www.apcupsd.org Product =========== APC UPS Daemon <= 3.14.14 Vulnerability Type ===================== Privilege Escalation Vendor Description ===================== Apcupsd can be used for power mangement and controlling most of APC’s UPS models on Unix and Windows machines. Apcupsd works with most of APC’s Smart-UPS models as well as most simple signalling models such a Back-UPS, and BackUPS-Office. During a power failure, apcupsd will inform the users about the power failure and that a shutdown may occur. If power is not restored, a system shutdown will follow when the battery is exhausted, a timeout (seconds) expires, or runtime expires based on internal APC calculations determined by power consumption rates. Apcupsd is licensed under the GPL version 2. CVE Reference =============== CVE-2017-7884 Vulnerability Details ======================== The default installation of APCUPSD allows a local unprivileged user to run arbitrary code with elevated privileges by replacing the service executable apcupsd.exe with a malicious executable, which will run with SYSTEM privileges at startup. C:\apcupsd\bin\apcupsd.exe RW BUILTIN\Administrators RW NT AUTHORITY\SYSTEM RW NT AUTHORITY\Authenticated Users Exploit ========== 1) Install the application with default settings. 2) Replace the service executable located at C:\apcupsd\bin\apcupsd.exe with an executable of your choice. 3) Restart the service or computer, the executable will run. Disclosure Timeline: ===================================== 4/17/17 - Vendor notified 4/17/17 - Vendor acknowledged 5/6/17 - Vendor still working 6/5/17 - No response 6/14/17 - No response 6/15/17 - Public disclosure

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com


Back to Top