# Exploit Title: Millewin - Local Privilege Escalation
# Date: 2021-02-07
# Author: Andrea Intilangelo
# Vendor Homepage: https://www.millewin.it
# Software Homepage: https://www.millewin.it/index.php/prodotti/millewin
# Software Link: https://download.millewin.it/files/Millewin/setup/InstMille_Demo_13.39_2019PS.exe
# Version: 13.39.028 – 146.1.9
# Tested on: Microsoft Windows 10 Enterprise x64
# CVE: CVE-2021-3394
Millennium Millewin also known as "Cartella clinica"
Vendor: Millennium S.r.l. / Dedalus Group / Dedalus Italia S.p.a.
Affected version: 13.39.028
13.39.28.3342
13.39.146.1
-
Summary (from online translator):
Millewin represents the Professional Solution par excellence, recognized and supported by over 18,000 doctors. Millewin is able to guarantee ideal management
of the patient's medical records, it also adheres perfectly to the most recent requirements of the General Practitioner and, thanks to the latest functional
innovations, it assists the doctor in the diagnosis and management of therapy. It can be used, at no additional cost, for group medicine and at the secretarial
station. Millewin is integrated with all Regional and Corporate Projects. Millewin modules: ACN, MilleDSS, MilleAIR, Redazione e invio fatture, MilleBook.
Vuln desc:
The application is prone to insecure permissions in its folders that allow unprivileged user complete control. An attacker can exploit the vulnerability by
arbitrarily replacing file(s) invoked by service(s) or startup regkey (waiting logon from privileged user) impacted. File(s) will be executed with SYSTEM privileges.
The application is subject to insecure folders permissions issue impacting the services 'MillewinTaskService' and 'PDS Server' for Windows deployed as part of
Millewin suite (Cartella clinica) software application, and the registy runkey responsible to start update (MilleUpdater) task.
This allow an authorized but non-privileged local or remote user to execute arbitrary code with elevated privileges on the system. An attacker can easily take
advantage of the flaw arbitrarily replacing the impacted file(s) that will be executed during application startup or reboot, as well as on a privileged account
logon. If successful, the malicious file(s) would execute with elevated privileges.
The application also suffers from unquoted service path issues.
(1) Impacted executable on startup by regkey.
Any low privileged user can elevate their privileges abusing this scenario:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name: MilleLiveUpdate
Value data: "C:\Program Files (x86)\Millewin\MilleUpdater\MilleUpdater.exe"
(2) Impacted services.
Any low privileged user can elevate their privileges abusing any of these (also unquoted) services:
Millewin, operazioni pianificate MillewinTaskService C:\Program Files (x86)\Millewin\GestioneTaskService.exe Auto
PDS Server PDS Server C:\Program Files (x86)\Millewin\WatchDogService.exe Auto
Details:
NOME_SERVIZIO: Millewintaskservice
TIPO : 10 WIN32_OWN_PROCESS
TIPO_AVVIO : 2 AUTO_START
CONTROLLO_ERRORE : 1 NORMAL
NOME_PERCORSO_BINARIO : C:\Program Files (x86)\Millewin\GestioneTaskService.exe
GRUPPO_ORDINE_CARICAMENTO :
TAG : 0
NOME_VISUALIZZATO : Millewin, operazioni pianificate
DIPENDENZE :
SERVICE_START_NAME : LocalSystem
NOME_SERVIZIO: PDSserver
TIPO : 10 WIN32_OWN_PROCESS
TIPO_AVVIO : 2 AUTO_START
CONTROLLO_ERRORE : 1 NORMAL
NOME_PERCORSO_BINARIO : C:\Program Files (x86)\Millewin\WatchDogService.exe
GRUPPO_ORDINE_CARICAMENTO :
TAG : 0
NOME_VISUALIZZATO : PDS Server
DIPENDENZE :
SERVICE_START_NAME : LocalSystem
(3) Folder permissions.
Insecure folders permissions issue:
C:\Program Files (x86)\Millewin
BUILTIN\Users:(OI)(CI)(F)
Everyone:(OI)(CI)(F)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(OI)(CI)(IO)(ID)(accesso speciale:)
GENERIC_READ
GENERIC_EXECUTE
...[SNIP]...
C:\Program Files (x86)\Millewin\MilleUpdater
BUILTIN\Users:(OI)(CI)(ID)F
Everyone:(OI)(CI)(ID)F
NT SERVICE\TrustedInstaller:(ID)F
NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
NT AUTHORITY\SYSTEM:(ID)F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
BUILTIN\Users:(OI)(CI)(IO)(ID)(accesso speciale:)
GENERIC_READ
GENERIC_EXECUTE
...[SNIP]...