Millewin 13.39.028 Unquoted Service Path / Insecure Permissions

2021.02.08
Risk: High
Local: Yes
Remote: No
CWE: CWE-276


CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: Millewin - Local Privilege Escalation # Date: 2021-02-07 # Author: Andrea Intilangelo # Vendor Homepage: https://www.millewin.it # Software Homepage: https://www.millewin.it/index.php/prodotti/millewin # Software Link: https://download.millewin.it/files/Millewin/setup/InstMille_Demo_13.39_2019PS.exe # Version: 13.39.028 – 146.1.9 # Tested on: Microsoft Windows 10 Enterprise x64 # CVE: CVE-2021-3394 Millennium Millewin also known as "Cartella clinica" Vendor: Millennium S.r.l. / Dedalus Group / Dedalus Italia S.p.a. Affected version: 13.39.028 13.39.28.3342 13.39.146.1 - Summary (from online translator): Millewin represents the Professional Solution par excellence, recognized and supported by over 18,000 doctors. Millewin is able to guarantee ideal management of the patient's medical records, it also adheres perfectly to the most recent requirements of the General Practitioner and, thanks to the latest functional innovations, it assists the doctor in the diagnosis and management of therapy. It can be used, at no additional cost, for group medicine and at the secretarial station. Millewin is integrated with all Regional and Corporate Projects. Millewin modules: ACN, MilleDSS, MilleAIR, Redazione e invio fatture, MilleBook. Vuln desc: The application is prone to insecure permissions in its folders that allow unprivileged user complete control. An attacker can exploit the vulnerability by arbitrarily replacing file(s) invoked by service(s) or startup regkey (waiting logon from privileged user) impacted. File(s) will be executed with SYSTEM privileges. The application is subject to insecure folders permissions issue impacting the services 'MillewinTaskService' and 'PDS Server' for Windows deployed as part of Millewin suite (Cartella clinica) software application, and the registy runkey responsible to start update (MilleUpdater) task. This allow an authorized but non-privileged local or remote user to execute arbitrary code with elevated privileges on the system. An attacker can easily take advantage of the flaw arbitrarily replacing the impacted file(s) that will be executed during application startup or reboot, as well as on a privileged account logon. If successful, the malicious file(s) would execute with elevated privileges. The application also suffers from unquoted service path issues. (1) Impacted executable on startup by regkey. Any low privileged user can elevate their privileges abusing this scenario: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Value name: MilleLiveUpdate Value data: "C:\Program Files (x86)\Millewin\MilleUpdater\MilleUpdater.exe" (2) Impacted services. Any low privileged user can elevate their privileges abusing any of these (also unquoted) services: Millewin, operazioni pianificate MillewinTaskService C:\Program Files (x86)\Millewin\GestioneTaskService.exe Auto PDS Server PDS Server C:\Program Files (x86)\Millewin\WatchDogService.exe Auto Details: NOME_SERVIZIO: Millewintaskservice TIPO : 10 WIN32_OWN_PROCESS TIPO_AVVIO : 2 AUTO_START CONTROLLO_ERRORE : 1 NORMAL NOME_PERCORSO_BINARIO : C:\Program Files (x86)\Millewin\GestioneTaskService.exe GRUPPO_ORDINE_CARICAMENTO : TAG : 0 NOME_VISUALIZZATO : Millewin, operazioni pianificate DIPENDENZE : SERVICE_START_NAME : LocalSystem NOME_SERVIZIO: PDSserver TIPO : 10 WIN32_OWN_PROCESS TIPO_AVVIO : 2 AUTO_START CONTROLLO_ERRORE : 1 NORMAL NOME_PERCORSO_BINARIO : C:\Program Files (x86)\Millewin\WatchDogService.exe GRUPPO_ORDINE_CARICAMENTO : TAG : 0 NOME_VISUALIZZATO : PDS Server DIPENDENZE : SERVICE_START_NAME : LocalSystem (3) Folder permissions. Insecure folders permissions issue: C:\Program Files (x86)\Millewin BUILTIN\Users:(OI)(CI)(F) Everyone:(OI)(CI)(F) NT SERVICE\TrustedInstaller:(I)(F) NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F) NT AUTHORITY\SYSTEM:(I)(F) NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F) BUILTIN\Administrators:(I)(F) BUILTIN\Administrators:(I)(OI)(CI)(IO)(F) BUILTIN\Users:(I)(RX) BUILTIN\Users:(OI)(CI)(IO)(ID)(accesso speciale:) GENERIC_READ GENERIC_EXECUTE ...[SNIP]... C:\Program Files (x86)\Millewin\MilleUpdater BUILTIN\Users:(OI)(CI)(ID)F Everyone:(OI)(CI)(ID)F NT SERVICE\TrustedInstaller:(ID)F NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F NT AUTHORITY\SYSTEM:(ID)F NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F BUILTIN\Administrators:(ID)F BUILTIN\Administrators:(OI)(CI)(IO)(ID)F BUILTIN\Users:(OI)(CI)(IO)(ID)(accesso speciale:) GENERIC_READ GENERIC_EXECUTE ...[SNIP]...


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top