===================================================== [#] Exploit Title : Allock 3GP PSP MP4 Ipod Video Converter - Insecure File Permissions [#] Date Discovered : 2018-08-09 [#] Affected Product(s): Allock 3GP PSP MP4 Ipod Video v6.2.1217 - Software [#] Exploitation Technique: Local [#] Severity Level: Low [#] Tested OS : Windows 7 ===================================================== [#] Product & Service Introduction: =================================== Allok 3GP PSP MP4 iPod Video Converter contains Video to 3GP Converter, Video to PSP Converter, Video to PS3 Converter, Video to MP4 Converter, Video to iPod Converter, Video to Zune Converter, Video to Xbox Converter. It is a AVI/3GP/MP4 file conversion for your portable media player (MP4 player), iPod, Apple TV, PSP, PS3, Zune, Xbox360, Archos, Cellular Phone, Pocket PC, Palm etc .Integrated world class MPEG4/H264 encoder brings you amazing video quality with super fast conversion speed. (Copy of the Vendor Homepage: http://www.alloksoft.com/ ) [#] Technical Details & Description: ==================================== Insecure File Permissions vulnerability has been discovered in the official Allock 3GP PSP MP4 Ipod Video Converter v6.2.1217 software. The vulnerability exists due to insecure default permissions set on the Allok Video to 'Allock 3GP PSP MP4 Ipod Video Converter.exe' and 'avep.exe' or 'unins000.exe' A local attacker could exploit this vulnerability by replacing 'iPod Converter.exe' and 'avep.exe' or 'unins000.exe' with a malicious executable file. The malicious file could execute or modify with the LocalSystem permissions. Proof of Concept (PoC): ======================= Allock 3GP PSP MP4 Ipod Video Converter for Windows contains a vulnerability that could allow a local attacker to gain elevated privileges. -- PoC Session Logs (Permissions) -- C:\Program Files\Allock 3GP PSP MP4 Ipod Video Converter>icacls *.exe Allock 3GP PSP MP4 Ipod Video Converter.exe Tout le monde:(I)(F) <- permissions AUTORITE NT\Système:(I)(F) BUILTIN\Administrateurs:(I)(F) BUILTIN\Utilisateurs:(I)(RX) avep.exe Tout le monde:(I)(F) <- permissions AUTORITE NT\Système:(I)(F) BUILTIN\Administrateurs:(I)(F) BUILTIN\Utilisateurs:(I)(RX) unins000.exe Tout le monde:(I)(F) <- permissions AUTORITE NT\Système:(I)(F) BUILTIN\Administrateurs:(I)(F) BUILTIN\Utilisateurs:(I)(RX) 3 fichiers correctement traités ; échec du traitement de 0 fichiers Solution - Fix & Patch: ======================= Include multiple integrity checks for the software files on startup and during the static runtime. Change the access permissions for the process of all three executables files ('Allock 3GP PSP MP4 Ipod Video Converter' and 'avep.exe' or 'unins000.exe'). [+] Disclaimer [+] =================== Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere. Contact: msk4@live.fr Social: twitter.com/ZwX2a Advisory: www.vulnerability-lab.com/show.php?user=ZwX packetstormsecurity.com/files/author/12026/ cxsecurity.com/search/author/DESC/AND/FIND/0/10/ZwX/ 0day.today/author/27461