[#] Exploit Title : Allock Video to Ipod converter - Insecure File Permissions
[#] Date Discovered : 2018-08-09
[#] Affected Product(s): Allock Video to Ipod converter v6.2.1217 - Software
[#] Exploitation Technique: Local
[#] Severity Level: Low
[#] Tested OS : Windows 7
[#] Product & Service Introduction:
Allok 3GP PSP MP4 iPod Video Converter contains Video to 3GP Converter, Video to PSP Converter, Video to PS3 Converter, Video to MP4 Converter, Video to iPod Converter,
Video to Zune Converter, Video to Xbox Converter. It is a AVI/3GP/MP4 file conversion for your portable media player (MP4 player), iPod, Apple TV, PSP, PS3, Zune,
Xbox360, Archos, Cellular Phone, Pocket PC, Palm etc .Integrated world class MPEG4/H264 encoder brings you amazing video quality with super fast conversion speed.
(Copy of the Vendor Homepage: http://www.alloksoft.com/ )
[#] Technical Details & Description:
Insecure File Permissions vulnerability has been discovered in the official WampServer v3.0.6 software.
The vulnerability exists due to insecure default permissions set on the Allok Video to 'iPod Converter.exe' and 'avep.exe' or 'unins000.exe'
A local attacker could exploit this vulnerability by replacing 'iPod Converter.exe' and 'avep.exe' or 'unins000.exe' with a malicious executable file.
The malicious file could execute or modify with the LocalSystem permissions.
Proof of Concept (PoC):
Allock Video to Ipod converter for Windows contains a vulnerability that could allow a local attacker to gain elevated privileges.
-- PoC Session Logs (Permissions) --
C:\Program Files\Allok Video to iPod Converter>icacls *.exe
Allok Video to iPod Converter.exe Tout le monde:(I)(F) <- permissions
avep.exe Tout le monde:(I)(F) <- permissions
unins000.exe Tout le monde:(I)(F) <- permissions
3 fichiers correctement traités ; échec du traitement de 0 fichiers
Solution - Fix & Patch:
Include multiple integrity checks for the software files on startup and during the static runtime.
Change the access permissions for the process of all three executables files ('iPod Converter.exe' and 'avep.exe' or 'unins000.exe').
[+] Disclaimer [+]
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.