Intelligent Security System SecurOS Enterprise 10.2 Unquoted Service Path

2019.10.29
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

# Exploit Title: Intelligent Security System SecurOS Enterprise 10.2 - 'SecurosCtrlService' Unquoted Service Path # Discovery Date: 2019-10-28 # Exploit Author: Alberto Vargas # Vendor Homepage: https://www.issivs.com/product-detail/secure-os-enterprise/ # Software Link: https://www.issivs.com/schedule-a-free-demo/(trial version for unlicensed users) # Version: 10.2 R1 # Tested on: Windows 10 Pro x64 Esp # Version: 10.0.18362 # Schedule A Free Demo - ISS - Intelligent Security Systems<https://www.issivs.com/schedule-a-free-demo/> # Schedule a Free Demo A leading developer of security surveillance and control systems for # networked digital video and audio recording, video image pattern processing and digital data transmission. # www.issivs.com # Summary: ISS’ global standard for video management, access control and video analytics, SecurOS™ Enterprise is perfectly suited for # managing large and demanding installations. The Enterprise framework can manage and monitor an unlimited number of cameras and devices, apply # intelligent video analytics, and act as an integration platform for a variety of 3rd party systems. Built to handle enterprise level deployments, # SecurOS Enterprise, comes with built-in Native Failure functionality, Microsoft Active Directory / LDAP integration, and has an extensive set # of Cybersecurity features making it one of the most reliable and secure video management platforms in the market today. SecurOS Enterprise # supports all the features of the other 3 editions. # Description: The application suffers from an unquoted search path issue impacting the service 'SecurosCtrlService'. This could potentially allow an # authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require # the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could # potentially be executed during application startup or reboot. If successful, the local user’s code would execute with the elevated privileges # of the application. # Step to discover the unquoted Service: C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """ SecurOS Control ServiceSecurosCtrlServiceC:\Program Files (x86)\ISS\SecurOS\securos_svc.exeAuto # Service info: C:\Users\user>sc qc SecurosCtrlService [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO: SecurosCtrlService TIPO : 10 WIN32_OWN_PROCESS TIPO_INICIO : 2 AUTO_START CONTROL_ERROR : 1 NORMAL NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\ISS\SecurOS\securos_svc.exe GRUPO_ORDEN_CARGA : ETIQUETA : 0 NOMBRE_MOSTRAR : SecurOS Control Service DEPENDENCIAS : NOMBRE_INICIO_SERVICIO: LocalSystem


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top