APC UPS Daemon <= 3.14.14 Local Privilege Escalation
[+] Credits: fragsh3ll aka v
[+] Contact: https://twitter.com/fragsh3ll
APC UPS Daemon <= 3.14.14
Apcupsd can be used for power mangement and controlling most of APC’s UPS
models on Unix and Windows machines. Apcupsd works with most of APC’s
Smart-UPS models as well as most simple signalling models such a Back-UPS,
and BackUPS-Office. During a power failure, apcupsd will inform the users
about the power failure and that a shutdown may occur. If power is not
restored, a system shutdown will follow when the battery is exhausted, a
timeout (seconds) expires, or runtime expires based on internal APC
calculations determined by power consumption rates. Apcupsd is licensed
under the GPL version 2.
The default installation of APCUPSD allows a local unprivileged user to run
arbitrary code with elevated privileges by replacing the service executable
apcupsd.exe with a malicious executable, which will run with SYSTEM
privileges at startup.
RW NT AUTHORITY\SYSTEM
RW NT AUTHORITY\Authenticated Users
1) Install the application with default settings.
2) Replace the service executable located at C:\apcupsd\bin\apcupsd.exe
with an executable of your choice.
3) Restart the service or computer, the executable will run.
4/17/17 - Vendor notified
4/17/17 - Vendor acknowledged
5/6/17 - Vendor still working
6/5/17 - No response
6/14/17 - No response
6/15/17 - Public disclosure
See this note in RAW Version
Copyright 2017, cxsecurity.com